Are smart-home devices and applications cyber-safe?

November 3, 2017


Web-based smart-home control applications communicate with and control smart household components like thermostats or lighting systems from your smartphone or PC.

The problem is that these apps are part of the internet of things (IoT) and communicate via the internet – leaving a potential security hole that must be carefully monitored and patched.

There are tens, if not hundreds, of devices and applications that promise to manage your home systems.

A few examples are Nest, which allows you to schedule Nest thermostat temperatures and monitor your energy usage; ADT Pulse, through which you can remotely operate your house alarm and receive status updates by text; and SmartThings Mobile, which communicates with the SmartThings hub to monitor and control all your smart devices.

These encompass the wide range of capabilities emerging in this fast-growing market, which is expected to rise from an installed base of 15.4 billion devices in 2015 to 75.4 billion devices by 2025.

WPA2

But how safe are these applications and devices?

Recently, the WPA2 data and network access protocol was hacked by Belgian researchers at KU Leuven University. Such hacks, which leave wireless usage vulnerable to recording and malicious observation, have opened a new discussion on the importance of protecting external access to internet-based home devices.

Research at the University of Michigan has also discovered that many smart apps can be overprivileged, meaning they can gain access to processes that their functionality does not require.

With the IoT expanding so quickly, many security experts are expressing concerns that safety precautions are falling by the wayside.

Reacting to this, the Atlantic Council, working with three independent security researchers, has produced a report intended to lay the groundwork for new smart-home security measures. The council’s recommendations include increased security considerations during the design process – ‘security by design’ – remote updates and patching, transparent data protection methods and informed consent for data use.

Rather than simply wait for such measures to be introduced, it is entirely possible to make a smart home a cyber-safe home now. This starts with simple measures: proper password management in your applications (changing passwords regularly and avoiding easily guessed choices such as your date of birth or favourite football team), regularly backing up data and keeping software up to date.

From a business perspective, taking measures like installing a web application firewall and exercising a level of transparency with your regular users are integral to keeping smart-home applications and devices safe.

An application firewall will filter incoming traffic to a web application, allowing you to isolate and deal with attacks such as SQL injection, where an attacker injects hostile data into a website, which can then trick the interpreter into executing unintended commands and presenting unauthorised data.
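The firewall filters traffic in front of the application; the flaw it shields sits in how the application builds its queries. The sketch below is an added example, not code from any product named in this article: it uses a constructed in-memory device table (the table, column and function names are assumptions) to show hostile data being treated as SQL in a concatenated query and as plain data in a parameterised one.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (owner TEXT, name TEXT, pin TEXT)")
    db.executemany(
        "INSERT INTO devices VALUES (?, ?, ?)",
        [
            ("alice", "front-door-lock", "4821"),
            ("alice", "thermostat", "0000"),
            ("bob", "garage-door", "7734"),
        ],
    )
    return db

def devices_vulnerable(db, owner):
    # Request data is pasted into the SQL text, so the SQL interpreter
    # cannot tell the developer's query apart from attacker-supplied syntax.
    query = "SELECT name, pin FROM devices WHERE owner = '" + owner + "'"
    return db.execute(query).fetchall()

def devices_parameterised(db, owner):
    # The value is bound separately from the SQL text and is only ever
    # compared as data, whatever characters it contains.
    return db.execute(
        "SELECT name, pin FROM devices WHERE owner = ?", (owner,)
    ).fetchall()

# Constructed hostile value of the kind an application firewall rule flags.
HOSTILE = "alice' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("normal    :", devices_parameterised(db, "alice"))
    print("vulnerable:", devices_vulnerable(db, HOSTILE))
    print("hardened  :", devices_parameterised(db, HOSTILE))
```

With the concatenated query, the hostile value returns every owner's devices and PINs; with the bound parameter, it matches no owner and returns nothing.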

Being transparent about security breaches is also incredibly important as this allows users to take steps to protect themselves should they be put at risk.

Smart-home control technology is still a fairly recent innovation and will inevitably encounter bugs and trips along its explosive development path. Several recent notable breaches bear this out.

However, if you keep your ear to the ground for newly discovered vulnerabilities, keep your apps up to date and pursue additional safety measures where required, you should never have an issue.
