Today’s smart home devices are more sophisticated and more dangerous than any consumer device ever invented. Here, in part 1, I’ll show a few things to consider when shopping for a security camera, thermostat, door lock, baby monitor, kitchen appliance, or other smart home IoT (Internet of Things) device. In part 2, I’ll share thoughts on deployment.
A few years ago, a sales rep approached my wife and me at Sam’s Club with a pitch about smart home door locks we could control from anywhere. I could install an app on my cell phone and use it to lock or unlock the doors. No more worrying about house keys.
This could be useful if, say, I’m shopping at my neighborhood Sam’s Club and a family member needs to unlock the door. I could do it from down the street or halfway around the planet by tapping on my cell phone screen.
As a cybersecurity professional, I was intrigued. How did these door locks know it was me, and not somebody pretending to be me, manipulating them? I expected an answer about a password, or a login, or some means to prove I’m me. It would have been fun picking it apart. Instead, he made my jaw drop:
“It runs on the Ma Bell Internet network, and everyone knows that’s secure, right?”
Except for the name of the internet service provider, that really is what he said. I still chuckle when I think about it. I hope the door lock company either took that poor product off the market, or retrained the sales rep who represented it poorly.
Anyone who buys a thermostat, door lock, baby monitor, kitchen appliance, or other smart home device connected to the internet needs a few consumer tips about these new IoT (Internet of Things) devices.
Prove You’re You
First, make sure any smart home device has a well-thought-out scheme to make you prove you’re you before it lets you access it. Watching your baby sleep from your cell phone at work is reassuring. A stranger watching your baby sleep from a van across the street is gut-wrenching.
Anything exposed to the internet should use two-factor authentication these days. The idea is to provide both something you know and something you have, to prove you’re you. Most implementations use username/password credentials – something you know – and then the contents of a text message to your cell phone – something you have. Granted, this is a hassle. But if you made a neighbor mad a few months ago and they impersonate you and turn your thermostat down to zero, and your pipes freeze in the middle of a Minnesota winter while you’re on vacation, it’s an even worse hassle.
Another thing to look for is a credible update strategy. Consumers need to realize there’s no such thing as bug-free software. And that means IoT device manufacturers need to provide a long-term support strategy with an easy way to deliver updates.
Implementation details are crucial. Some manufacturers use an undocumented set of credentials to automatically push out updates. “Secret” backdoors like this are a security minefield, because secret backdoors don’t stay secret for long. We call this security by obscurity in the industry, and it’s a well-known path to disaster. Never buy an IoT device that depends on a secret only known to the factory for updates.
When devices “phone home” for updates, they typically check with a manufacturer website, hopefully using the latest encryption standards. Manufacturers might advertise they use encryption, but this is only the tip of the security iceberg.
How does your device “know” the manufacturer website really is the manufacturer website and not an imposter? If I’m an attacker, and I know Acme Refrigerator Company has a million customers, I might pour energy into, say, a DNS poisoning attack to redirect all those software updates to my evil website. DNS poisoning attacks are difficult to pull off at scale, but if successful, I’ll convince a million refrigerators to download my compromised software update, and then I’ll own a million refrigerators.
Why are smart home device updates a big deal?
This is a big deal, not because I can spoil food in a million households, but because I now control a million internet-connected devices inside a million homes. It doesn’t matter if they’re refrigerators, thermostats, security cameras, or WiFi hair brushes. I’m inside a million homes and can look for anything of interest on your computers, cell phones, or other devices. With a sample size of one million, I’ll find a few useful nuggets.
Or, with a million internet-connected devices under my command, maybe I’ll use those to launch a DDOS (Distributed Denial of Service) attack against somebody I don’t like. Something like this actually happened in 2016, after security blogger Brian Krebs made a few internet crooks mad. Attackers didn’t even have to compromise a software update – they exploited a bug with thousands of internet-connected security cameras and launched the largest DDOS attack in history to that time. They temporarily knocked Krebs and several others off the internet for days.
Manufacturers use the same PKI (public key infrastructure) technology to defend against impersonation attacks as online retailers. I have a recorded presentation for how this works – and how to break it – on my website. Here’s a link: http://dgregscott.com/internet-trust-mini-seminar/.
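The gap between "uses encryption" and "knows it is talking to the real manufacturer" shows up in how a device's update client configures TLS. The following is an added example, not code from any manufacturer or from the presentation linked above; the function names are hypothetical, and it uses Python's standard `ssl` module to contrast an encrypt-only client with one that verifies the server's certificate and name through PKI.

```python
import socket
import ssl

def verified_context():
    """TLS settings that authenticate the update server, not just encrypt."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    return ctx

def encrypt_only_context():
    """The weak pattern: traffic is encrypted, but to whoever answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit(ctx):
    """Return the reasons this context cannot tell the real site from an impostor."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are accepted")
    return findings

def connect_to_update_server(host, port=443):
    """Connect only with audited settings; host is supplied by the caller."""
    ctx = verified_context()
    if audit(ctx):
        raise RuntimeError("refusing to connect with weak TLS settings")
    with socket.create_connection((host, port), timeout=10) as raw:
        # wrap_socket raises ssl.SSLCertVerificationError if the server's
        # certificate does not chain to a trusted CA or does not match host.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]

if __name__ == "__main__":
    for name, ctx in (("verified", verified_context()),
                      ("encrypt-only", encrypt_only_context())):
        print(name, audit(ctx) or "ok")
```

With the encrypt-only settings, a device redirected by poisoned DNS completes the handshake with the impostor and downloads whatever it serves; with the verified settings, the handshake fails before any update is fetched.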
But then, why bother to poison where you go for updates? Why not break into the software update site and poison the update itself? The Russians did this to a popular Ukrainian accounting program in 2017 and nearly shut down the whole world. Here’s a link to an article in Wired Magazine with details: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/. Somebody could do the same thing to a poor quality device manufacturer.
Smart home questions that need answers
Ask these questions while shopping. Demand solid answers. Or take your business elsewhere.
- When I’m controlling this thing from the other side of the internet, how does it know I’m me?
- How do updates work? When did this product first become available? When is its end-of-life date? How often and how long will updates be available?
- I want to control updates and I want an easy way to do it. How do updates work? How does this device “know” it’s interacting with the real update site?
- Do some internet searches. What do other people say about this device? Do the one and two star reviews have any common trends? Does anyone from the manufacturer respond?
Find a device you like, bring it home, and then the fun begins. These devices don’t deploy themselves and you want a buffer between your new smart home and the public internet. Stay tuned for part 2.
(I originally submitted this as a guest blog post to bestcompany.com in early 2019. But I noticed it’s been removed, and so I published it here.)