October 11, 2016


How smart home security systems can create as well as reduce security risks

If I asked the question “does your home security system increase your risk?” most of us would scoff.

After all, risk is precisely what home security systems are purpose-built to stave off.

Many of these systems are highly proprietary, so even the InfoSec-savvy might not expect the kinds of exploits that work on more typical systems to be effective against them. That couldn’t be further from the truth. Think about it: the system communicates data somehow, and that method of ingress and egress is a vector for attack.

While your home security system might alert the fire department of a problem, it might also alert an actor that you’re not currently at home. (“Actor” is the term currently in vogue for a cyber attacker who might combine social engineering with acute technical prowess to pull off their nefarious deeds.)

The answer to the question posed above is that your high-tech lighting systems, Wi-Fi-enabled safes and motion-detecting cameras all mitigate some risks while exposing you to others. There is simply no way around the fact that the iron-clad system of today is not safe from the ingenuity and computing power of tomorrow. (Don’t forget that when it comes to breaking encryption, brute forcing the key space yields a 100% success rate.)

Ageing systems

Manufacturers of these systems in particular rarely release firmware updates, since doing so would run the risk of alienating their less tech-savvy customers. Even worse, a lot of ageing systems are still out there, and though they might have been a good purchase at the time, problems are bound to arise unless someone stays constantly vigilant to new threats.

Less than a decade ago, the idea of a “trusted network” was standard practice. Now, with an uptick in attacks and no shortage of targets, we know this assumption to be folly.

At the time, if you’d purchased a system that communicates internally via a radio frequency mesh network and externally via a GSM modem, it would have been downright state of the art. The manufacturer would have (and should have) patted themselves on the back for coming up with a system that doesn’t even live on the same TCP/IP network as the meager computing equipment you had at the time.

However, nobody is going out to purchase a new home security system after 10 years. People still haven’t gotten used to the idea that technology runs on a different clock.

Some might have expired medications older than that. Does that mesh network use encrypted communication?

If it does, does it still use 1024-bit RSA keys? How far away would you have to be to snoop that traffic?

Does an extended exist today that didn’t exist then that would allow you to sit across the street? If not, will it exist tomorrow?

These are the sorts of questions worth asking, as introducing anything into our environment, even our home environment, incurs technical risk and technical debt, which must be paid off in the form of risk assessment and risk evaluation. Worse, there is a constant balance that needs to be maintained when putting the user in control of the update schedule.

Perils of automatic firmware upgrades

Any update has the potential to introduce problems as well as solve them, including vulnerabilities to attack. Completely automatic firmware upgrades on these sorts of embedded devices seem very tempting, but can unknowingly put the user at risk later on.

Even if you do keep all of your equipment up to date, attacks are getting more sophisticated. Perhaps someone is able to install a modified firmware onto a device forcing it to act as a gateway – a means of communicating from one network paradigm to another.

Many manufacturers of “Internet of Things” devices include something like this on purpose in order to add functionality without rendering older hardware obsolete. To return to my earlier example, Philips Hue works over the ZigBee protocol (notorious for being very poorly encrypted) for inter-bulb communication, ultimately tying back to what they call their “bridge” which is, at the hardware level, merely a gateway that translates back and forth between “ZigBee Mesh Network” and “TCP/IP over Ethernet”.

The August Smart Lock offers the ‘August Connect’, which is merely a gateway that translates back and forth between your Bluetooth-enabled lock and your Ethernet network by connecting to your Wi-Fi. Should these devices be compromised in the future by a savvy attacker, they could be reprogrammed to act in promiscuous mode and interact via web calls with other devices on your network.

Of course, all of these attacks rely on imperfectly implemented or later compromised encryption and digital signatures. It is the common denominator among all of these doomsday scenarios. It is why the role of the Certificate Authority continues to be so vital, scrutinising and trusting the public keys which make these systems function.

Computers are binary systems, but the risks that we incur are not

This is a scary reality we live in, and it is a fact of life that we will operate trusting entities transitively at some point. By trusting any system of importance, you are trusting not just the company that sells you the system, but the person installing the system, several people flashing firmware onto the device at the factory, that the company has good hygiene related to its master keys, that the machine it compiled its software on wasn’t infected, that the compiler used to compile that software wasn’t compromised at some point, and so on.

Computers are binary systems, but the risks that we incur are not. They occur on a spectrum, and while it is a good shorthand to refer to something we can point at as inadequate and call it “insecure” and something state-of-the-art and call it “secure”, these are illusions.

Something can only be “more secure” or “less secure”, and products that mitigate risk also can produce other headaches.

Unfortunately there’s no perfect answer to a lot of these concerns. Just like playing the stock market, each consumer needs to decide what degree of risk they’re comfortable taking on.

It’s up to all of us though to not encourage users to “leave all the work to the professionals”. Each person needs to be aware of what could happen, and what does happen every day.

Paul Baka is account manager for website security solutions at the SSL Trust.

1 Comment
ThomasHWoodLtd
October 31, 2016 4:34 pm

We like the point you make about technology running on a different clock. Technology may seem like the way to go, but as you correctly highlight, there are still significant risks that you run by having such a hi-tech system installed in your home. To put that much trust into technology is indeed a significant risk, but is it one that we need to take in order to progress into the future of home security? We recently wrote a piece on how to make a property more secure. As estate agents, we want customers to feel secure…