Smart Home Security: Responsible Development
Smart Home Security: Responsible Development
Currently, smart home solutions are gaining popularity for a good reason. They allow owners to remotely monitor their houses, increase energy efficiency, and even assist in health tracking. Given all those advantages, homeowners are jumping on the opportunity to enhance their homes’ comfort and security for a better quality of life. Consequently, the smart home market amounted to $ 76.6 billion in 2018 and is expected to reach $ 151.4 billion by 2024, according to Markets and Markets.
Responsible Development and Maintenance of Smart Home Devices
As the number of smart devices grows, so do their software and hardware vulnerabilities, which can be exploited by malicious individuals, making smart home safety a significant concern. For instance, a couple based in Wisconsin, suffered a terrifying incident when their smart home was attacked. Hackers penetrated their smart home network and played disturbing, loud music while speaking to them through their smart camera.
As if that was not scary enough, the attackers manipulated the couple’s thermostat to change the room temperature to over 30 degrees Celsius. This and other similar incidents have created market opportunities for vendors to release new solutions for smart home security, making the forecast for this industry jump to $ 4.37 billion in 2022, rising at a CAGR of 19.6% from 2018.
Securing smart home devices is the responsibility of both vendors and consumers. And as consumers are becoming aware of the risks, they search for vendors who make security their top priority during smart device development.
The State of Smart Home Security
Connected smart home devices can be hacked, just like any other smart electronics.
Outdoor smart devices such as doorbells and garage doors are the most vulnerable as they can be accessed easily by anyone driving by. Kitchen appliances are less likely to be targeted, but these devices are not safe either. Even though an individual appliance does not present much value in of itself, attackers can still target it to break into the smart home security system.
Once inside, they can access personal information or perform a more sophisticated attack such as building a botnet. In one bizarre example, a North American casino was compromised through a smart fish tank. Once the hackers were in, they moved rapidly across the network and stole 10 GB of personal data before anyone realized something fishy was going on.
While installing a smart camera can make people feel safe, it also opens a digital gateway into their home. One infamous incident involves Ring security cameras. Attackers hacked into the Ring IoT system and found users’ passwords stored in free text.
With those passwords, the attackers could compromise the wireless security system and spy on people. Ring was quick to blame the users for this security breach, saying they used weak passwords. However, further investigation proved that Ring did not take enough precautions to ensure the security of the private data.
Even smart light bulbs have been compromised. In a recent incident with the Philips Hue smart bulb, hackers were able to exploit a vulnerability in the way the company implemented the Zigbee communication protocol. From up to 100 meters away, criminals were able to gain access to homeowners’ wi-fi networks and install malicious spyware and ransomware.
Almost all smart devices can be a target for attack. Even a smart coffee machine can be used to access its owner’s bank account details. As a trend on secure smart home devices is spreading among consumers, vendors are expected to step up and make security a part of their development process. Even the most seemingly harmless devices need to be secured. For example, Softeq Development has produced a remote-control app for outdoor lights with multiple security protocols.
Incorporating Security into the Heart of the Development Process
In a recent study, a group of researchers from North Carolina State University examined 24 popular smart home devices and found that the vast majority contained flaws, which could potentially put the homeowners at risk.
One wide-spread flaw enabled hackers to passively listen to signals coming from smart devices, and collect and analyze data by merely being in close proximity to the house. For example, by monitoring a smart lock, the attacker could find out whether the owner was home.
Another common flaw in the analyzed devices was the possibility to deactivate them before the intrusion. A hacker could upload a piece of malware that would block all security alerts, such as smart door opening while letting heartbeat messages pass through to prevent raising suspicion.
To produce a secure device, it is not enough to just quickly incorporate a few security functions into the final product. Security must be an integral part of every phase of the development process.
While developing smart devices, the manufacturer has to take care of security during the early stages of the product life cycle.
- Separate security functions from other functions establish limited interfaces between secure and non-secure functions. This separation narrows the scope for developers specialized in security, allowing the rest of the team to handle non-secure functionality.
- Make explicit assumptions about security requirements document any security assumption made during the design phase, do not count on the fact that everyone else has the same expectations by default. This includes suppositions regarding the device’s usage, environment, etc.
- Consider inviting an external security expert for a final security check of the completed design is beneficial to search for inconsistencies. For instance, sensitive data can be safely captured and stored, but at the same time, it can be leaked through other channels such as error messages.
- Take a layered approach to security. Keep in mind that the security measures you are implementing, are very likely to be compromised at some point. To minimize the risk of exposure, include redundant security measures into your design.
During this stage, developers implement the security rules prescribed in the design phase. Even if the design was strong, programming errors can unintentionally introduce new vulnerabilities.
- Keep security in mind when choosing a programming language
Some programming languages (such as Rust) offer memory management capabilities, which makes them preferable from a security standpoint. However, any vulnerabilities of this kind will present a single point of failure. For example, C and C++ are often used in developing software for smart devices as they allow for efficient use of system resources.
However, these languages open an opportunity for programmers to perform operations that undermine security. On the other hand, Ada, despite being one of the older programming languages, is still a good option for secure programming.
- Stick with the established security frameworks when possible, do not redevelop them
There are existing libraries for different security aspects and redeveloping them is not a good practice. Although using existing libraries is favorable, they are not exempt from flaws. While choosing which library to use, investigate its reliability: check if the library is widely adopted by others. Does it implement a standard security mechanism? Has it been audited? Simple questions like this at the outset can save a lot of trouble down the road.
- Make sure your firmware is up to date
When developing firmware, rely on the security frameworks that were thoroughly investigated and improved by security experts, and always update them to the newest version when available. Be careful to ensure that the newest version hasn’t been replaced by a “man in the middle”. Digital signatures can be used as reliable verification tools. A digital signature is incorporated into the firmware at its origin and read by the receivers using a private key.
In this step, you are not only testing the functionality but also exploring the robustness of error handling and fault tolerance.
- Invite external auditors to run security tests
Third-party experts simulate different attacks and try to weaken your product. Such external tests include penetration testing, network scan, etc. The number and complexity of these tests should be proportional to the security requirements. When the level of security is very high, the attack scenarios become increasingly complex.
- Perform a privacy impact assessment test
This test is used to ensure the data is processed in accordance with the GDPR (when applicable), or any equivalent regulations governing privacy in your country (e.g. CCPA). Be aware that your national security agencies might have privacy assessment guidelines prepared and available for everyone to use.
Continuous Monitoring after Smart Devices are Deployed
Even after a smart device leaves the shop, a responsible vendor will continue monitoring it for vulnerabilities. Collecting traffic data coming from smart devices will help to study device-specific traffic patterns and improve future versions. There are several measures smart device producers can take to contribute to security after deployment.
Supplying Consumers with Security Tips
Many security tips seem like common sense to vendors. However, they might not be so obvious to end-users. Even if the tips are well-known to consumers, it’s likely that they’ll undervalue the impact they can make. To avoid incidents that could easily be prevented, supply your customers with tips on how to keep their smart devices secure. These tips should include, but not be limited to:
- Changing the default password and choosing a secure option
- Installing device updates when available
- Checking permissions while installing devices
- Giving your devices a name
- Unplugging devices when not in use
- Disabling features that you do not use
- Securing your wi-fi and avoiding connection to public networks
- Performing network segmentation if possible, so that not all devices have access to the whole network
With machine learning-based techniques you can accurately identify every connected IoT device, construct a taxonomy of devices, and analyze network traffic. Being able to distinguish, for instance, a refrigerator from a thermostat is essential for security as it allows you to see what data traffic patterns belong to what device.
Anomaly Detection and Classification
When smart home devices are recognized and profiled, you can build an incremental behavioral model for every profile. When a device’s current behavior deviates from the established norm (such as the number of sent/received packets), this might be indicative of an attack.
Traffic monitoring alerts you to compromised devices at an early stage and lets you take preventive actions. Monitor both internal to external traffic (to detect DDoS attacks) and external to internal (to detect home network penetration attacks).
Reliable Data Storage Provision
Insecure data storage is an invitation for data breaches. In 2019, IoT devices vendor Wyze admitted to leaving data gathered from two million people exposed on the Internet where criminals could freely harvest it. This data included email addresses as well as health information.
What’s in it for Your Business?
There is no one-size-fits-all best smart home security system. Nevertheless, you will be more successful in delivering secure smart devices if you adopt a comprehensive approach to security in all phases of the development process and continue monitoring smart devices after deployment. This will not only make you a trusted vendor, but it will also open new business opportunities. For example, you can sell the data you are collecting (with consent, privacy, etc.) through:
- Cross-selling programs with trusted vendors
- Forecasting supply-demand and selling the insights
With the increased demand for smart devices, vendors fail to provide proper security and end up headlining the news with bad publicity. It’s a challenge to supply consumers with secure smart devices as it takes a rigorous development process, continuous monitoring, and reliable data storage. But those vendors who put security on their priorities list will receive consumers’ trust and new options to advance their business.