Just who are you inviting into your home with that latest 'smart' technology purchase?
Many consumer electronics companies are launching 'smart' versions of their appliances. TVs, washing machines, dryers, refrigerators, ovens, and vacuum cleaners – virtually any consumer electronic device can be made smart, by being fitted with a powerful embedded computer designed to be always on and networked via the Internet. But what are the implications for consumers if any of these devices were hacked?
The reality is that there does not need to be a financial incentive for anyone to hack your systems or devices. We know this because many computer hackers will hack a system just for the sheer thrill of it.
"But let's be serious for a second," says Ray Rubinstein, principal analyst, home automation research at Strata Analytics. "Your robotic vacuum cleaner is unlikely to be programmed to wage war on your pet labrador or vacuum up your bank statements and credit cards and deliver them to their new hack masters.
"Some hackers are motivated by simple voyeurism and relish the power to cause mischief to someone they know or even someone they don't," says Rubinstein.
There could, however, be hackers who have a criminally fraudulent motive, and this would seem increasingly to be the case with the Internet.
Ratting is the practice of hacking into somebody's personal computer and taking control of the device's webcam. The victims are referred to as 'slaves', and inevitably it is primarily women who are targeted by the typically young heterosexual male hackers. The slaves have no idea that they are being trapped, watched and followed: you could be in front of your computer right now, be a slave, and never realise it. On online hack forums, the slaves are often traded for passwords, credit cards or anything else of value.
Even worse, some hackers take the information on the private online activity of slaves and then attempt to blackmail their victim with embarrassing information.
And it's not just computing devices that now have webcams. Smart TVs are increasingly incorporating webcams to allow users to videoconference with friends and family who are some distance away.
Smart TVs can be hacked and compromised in a similar way to personal computers. At the Black Hat IT security conference in summer 2013, security experts demonstrated how they found vulnerabilities in several 2012 models of Samsung Smart TVs that allowed them to turn on the camera, take control of social media apps like Facebook or Skype, and access files on any TV set.
The researchers looked into these vulnerabilities at the end of last year and reached out to Samsung to alert it to the bugs. Samsung has told E&T that it has "patched these holes" and it should now be harder for hackers to compromise its smart TVs.
With smart TVs growing more popular – over 70 million models were sold last year – this is a clear danger for many households.
Stuart McClure, CEO and president of security company Cylance, also described a number of hacks during his keynote at the recent Embedded World Show in Nuremberg in February.
"Many consumer electronics companies assume that embedded systems are secure," said McClure, but he added that new categories of Internet-connected gadget demonstrate that embedded devices are now able to be accessed remotely and are thus vulnerable to the hackers.
McClure also described a hack on a Samsung Smart TV that uses the infrared sensor on a remote control – an input fitted to TVs since the 1970s. Infrared ports on television sets are designed to be open and, until recently, they only controlled the electronic programme guide (EPG).
Initially, the company worked on attacking vulnerabilities on the Bluetooth port – a common vulnerability of many mobile phones. But they found that the infrared port provided for easier access to the core firmware as, being a technology carried over from older designs, it performed no authentication at all.
The company described how it developed a high-power transmitter based on an infrared laser rather than the LED found in most remote controls so that it would function at distances of up to 300m.
McClure said, "We can reconfigure the TV to act as an access point and therefore gain access to other devices on the same wireless home network. We can also gain access to other apps on the smart platform - such as Twitter or even Skype to take control of the camera."
Researchers at security firm Trustwave decided to investigate risks on embedded devices in the home. Their target was the home automation gateway – a common interface which relays commands between the homeowner's control device and a smart phone or a tablet operating over Wi-Fi or the Internet.
The researchers tested two home automation gateways – the Minos Vera Light and the Insteon Hub, both of which allow users to control smart devices such as locks on doors, garage openers, appliances, lights and thermostats from anywhere over the Internet.
On the first, the Insteon Hub, the tests revealed that the data was passing unencrypted to the control device and back without any authentication at all. This meant that anybody who performed a scan on the network would be able to detect the devices and run commands against them.
For instance, a potential burglar could hack into the homeowner's web-based control interface and disable alarms, unlock doors, or even access motion systems and security cameras installed on the property, which would allow a hacker to spy on the inhabitants.
The other home automation gateway the researchers tested was the Vera Light system. The researchers discovered that there are several ways to completely take over the device if they are on the local network - and even some ways to launch an attack from the Internet.
The Vera Light provides local access to customers as a feature, meaning that they don't have to go through this server for every transaction and the reconfiguration was seen. This means that consumers can turn their lights off and on downstairs or turn the thermostat up or down, even if the Internet isn't connected.
Trustwave later found that there was no requirement for a username and password to be set up. This would allow anyone with access to the local network to take control of the devices connected to it. Data is passed from the home automation gateway to the control device using a forwarding server. This is unprotected by a firewall, which means that anyone can get through and also access all the devices connected to this gateway. This could potentially allow any person to gain access to large numbers of devices simultaneously.
"If you're a lock manufacturer, your product needs to go under serious consideration for security and be peer-reviewed before anyone will take you seriously," says Daniel Crowley, managing consultant at Trustwave. Yet he points out that no such system exists for the smart home.
Everything within reach
The Internet now pervades nearly every aspect of our lives. This brings many advantages, but it does increase the 'potential attack surface' - things that were out of reach of would-be attackers, or which required a physical intrusion, can now be 'touched' over the Internet.
This includes things that we see and things that we do not. One example of the latter is the smart grid. The benefits of using technology to manage a power system are clear. Energy companies can monitor consumption and base their billing around peak usage and, if necessary, increase supply. The use of smart meters allows consumers to monitor their own usage and make better-informed decisions about when to use particular appliances in the home to take advantage of off-peak prices.
But there are potential risks. If a system is open, it means that a breach anywhere on that system can be used to access it or even control it. For example, smart meters use wireless technology to transmit data. If someone is able to intercept such transmissions, they could gather personal information, interrupt the supply to the customer, or send false data – resulting in huge bills for those affected, or loss of revenue for suppliers. If the interruption of power could be done for large numbers of customers at once, this could result in an outage that, before the advent of smart meters, would have meant an attack on the power supplier's systems.
The key to safeguarding smart meters and protecting against such attacks lies in encryption. If manufacturers are required to encrypt all data sent and received, this will greatly reduce the risk of attack. In the case of a closed system, a would-be attacker would need to find a vulnerability somewhere in the system that allowed them to gain access. But, as is clear from Stuxnet and some of the other highly sophisticated targeted attacks of recent years, it would be unwise to assume that closed systems are immune to attack.
The Internet of Things
Recently, ABC News in America reported an incident in which "a British or European-accented" male hacker took control of the Foscam Baby Monitor acquired by the Houston parents of an infant girl. The hacker reportedly began broadcasting expletives at the couple's daughter. It hardly seems worth noting the irony that the child, who is deaf, was unable to hear the abuse, given the disastrous breach of security the hacker was able to effect. Worse still, he was evidently able to gain access to the monitor's camera, as he began abusing the child's parents when they entered the room.
Security researchers told manufacturer Foscam, based in China, back in April that there were vulnerabilities in its baby monitor software. One big issue was the fact that the device's default admin username was simply 'admin' and there was no password requirement. The attackers were able to scrape Foscam's customer website for individual device codes. Although the company issued a firmware update in June to boost the device's security to a certain extent, you would only have known about it if you happened to have signed up to the firmware update newsletter, and it seems unlikely that many new parents would have done that.
When one considers how many connected devices will be in the modern home in the coming years, it becomes clear that homeowners will need to take a lot of security management into account. Today, we're used to updating the firmware on our phones and maybe our TVs. Tomorrow, things could be a lot more complicated and, as always, the balance between security and convenience will be important in making sure the smart home does not turn scary when we're supposed to be relaxed.