Unsecured automated homes provide an easy access to data about home owners and could be used by burglars seeking access to properties, German researchers have found.
In a series of experiments, IT security experts from the University of Saarland proved that eavesdropping on wireless home automation systems doesn’t require extensive knowledge of the system and could be easily carried out by a determined attacker equipped with a simple PC.
‘Non-encrypted systems provide large quantities of data to anyone determined enough to access the data, and the attacker requires no prior knowledge about the system, nor about the user being spied on,’ said Professor Christop Sorge, who led the Saarland University team.
‘The data acquired by the attacker can be analysed to extract system commands and status messages, items which reveal a lot about the inhabitants’ behaviour and habits.”
Using the data extracted from a home automation system installed in a house of two volunteers, the researchers were able to determine absence times and identify home ventilation and heating patterns. Such information would be enough for an unscrupulous burglar to determine the best time to break into a house.
Going even further, Sorge’s research group used the data to create profiles of the inhabitants. Even if the home automated systems attacked used encryption, the researchers managed to extract enough useful data about the household.
‘The results indicate that even when encrypted communication is used, the number of messages exchanged is enough to provide information on absence times,’ Sorge said.
Home automation systems control lighting, heating, opening of window blinds or door locks. The researchers believe that as such systems are expected to become more widespread, more research should be done to develop encryption methods that would protect the inhabitants’ privacy. Apart from learning about inhabitants' habits, potential attackers could also target the functionality of the system.
‘A great deal still needs to be done to make wireless home automation systems secure,” Sorge said. “Improved data encryption and concealment technologies would be an important step towards protecting the privacy of HAS users.”
Sorge’s group is currently working on developing technology of this type in collaboration with the University of Paderborn as part of a research project funded by the German Federal Ministry of Economics and Energy.