Hacking The Connected Home: When Your House Watches You

Author

Adriana Lee

November 13, 2013



This is a post in the ReadWriteHome series, which explores the implications of living in connected homes. This series is brought to you by Iris from Lowe’s.

When it comes to the connected home, it’s natural for people to assume they’ll be masters of their domestic domain. Unfortunately, some may wind up becoming victims instead. Just ask Marc Gilbert. He and his wife were shocked when a hacker took over a baby monitor in their home last August and used it to hurl profanities at their 2-year-old daughter as she slept. 

This and situations like it underscore one of the biggest barriers to mainstream consumer adoption of connected or “smart” home technologies—fears over hacking.

That’s no small matter. If a person’s home is an extension of who they are, then there is no more intimate a setting than the place that shelters us and gives us respite from the world. And nothing can put a chill in our veins like the thought of being exposed or vulnerable where we live. 

Who’s Watching Whom?

Once upon a time, tapping into the radio frequency of a victim’s garage door opener was considered a high-tech break-in. Now, such hacks could almost be considered quaint.

These days, strangers can take control of others’ in-home surveillance cameras, or hijack connected TVs and thermostats. But that creep factor can easily turn into a fear factor—particularly when the realization sinks in that cameras can capture keystrokes for account logins and automated thermostats could reveal when homeowners tend to be present. And the trusty televisions that give us windows into fictional worlds may wind up giving outsiders a front-seat view of our lives. 

Smart TVs, for instance, are becoming increasingly like computers. They boast cameras, microphones, apps and the ability to browse the Internet. And like PCs, they're are also hackable. Users could be monitored by their own TVs or even rerouted to websites that can steal sensitive personal data. Aaron Grattafiori, principal security engineer at iSEC Partners, should know. He and colleague Josh Yavor spoke at this year's Black Hat Security Conference in Las Vegas, regaling audiences of their successful hack into a Samsung smart TV. 

Grattafiori managed to “use the TV's web browser to compromise the front-facing camera, take over the DNS settings and inject virus-like code into other applications,” he explained via email. The issue, he explained, stems from the fact that many Samsung smart TV apps, such as Skype or Twitter, are written in Javascript or HTML5 and use Binary APIs (application programming interface), which make them open to simple attacks.

The end result? Grattafiori and Yavor found it easy to inject their malicious code to infect the television. 

A Baby Monitor Gone Bad

To keep watch over his toddler, Marc Gilbert used a popular “IP camera” from Foscam, a Shenzhen, China—based company whose software was found to have a major security foible. During setup, Foscam used a default login for users—one featuring the classic “admin” username—but didn’t prompt people to update that to something more secure.

Changing the default login is a top recommendation on just about every expert’s list, probably because so many people fail to do it. Indeed, any Internet-connected device left with default authentication can be especially open to hacking. And thanks to Shodan, a specialized search engine that reveals practically any connected appliance from home routers to traffic cameras, finding one is just a matter of conducting the right searches and reviewing results. For Foscam specifically, reports Network World, exploit hunters can parse the *.myfoscam.org name space, where most Internet-connected Foscam cameras are listed by hostname. Such searches can yield treasures for the would-be hacker, regardless of proximity. 

Security issues aren’t isolated to Foscam cameras alone. Recently IZON surveillance cameras, which are sold in Apple Stores and Best Buy outlets, have also been recently outed for vulnerabilities relating to default logins

For its part, Foscam issued a software patch urging users to change the default login. However, that may still not close the matter entirely. Technology users, savvy or no, often fail to update devices when new software versions become available. 

And even if authentication has been changed, that’s still no guarantee of security. In Gilbert’s case, the Houston, Texas native commented online that his “router was password protected and the firewall was enabled. The IP camera was also password protected.” Yet, whether by brute force or via a more sophisticated hack, the assailant—whose foreign accent suggests he might have been based in Europe—still managed to gain access to his device. 

Leaving The Door Open

While some products communicate via Bluetooth, which boast device-pairing protocols that can keep unauthorized access at bay, others connect directly to Wi-Fi networks. Philips’ Hue lightbulbs, Dropcam cameras, Nest thermostats and fire alarms, Belkin WeMo devices and many others hook directly to routers and go out to the Internet, so they can be easily remotely controlled or monitored via websites and mobile apps.

Others connect via other systems, like the one used in Thomas Hatley’s connected home in Oregon. Hatley’s house features an Insteon system for home automation, which uses radio signals and existing wiring to communicate. This network of devices, however, still communicates over the Internet and, as he found out, that exposes it to attacks.

He was shocked when Forbes staff writer Kashmir Hill remotely infiltrated his home and gained control of his home automation system—which manages everything from fans and lights to garage doors—from her New York location. The issue, she discovered, was that his system didn’t even default to password protection, a bare minimum requirement for security.

Insteon is only one of several communication systems used in connected homes. Other popular networks feature Zigbee and Z-wave wireless protocols. These allow devices to talk to each other directly or via a hub, which then goes online to enable remote control or off-site scheduling features. 

“While a fair amount of security research has been performed on Zigbee, as it is a fairly open standard, the same cannot be said of Z-wave, which is very closed and proprietary,” says Grattafiori. Still, such protocols are considered so obscure or specialized, they aren’t considered major areas of concern. Yet. 

However, as residential automation, home security and control advances and becomes more popular, that will likely change. Although home automation systems are only in roughly 3 percent of U.S. homes, it has spawned an industry worth $1.5 billion, reports Reuters, which cites analysts that predict an explosion in “smart home” products with double-digit growth before long.

No wonder hacker conferences and security researchers are digging into protocols like Zigbee and Z-wave to uncover vulnerabilities. Belkin’s WeMo, it turns out, may be the easiest to hack, as its devices lack its own security protocols or authentication. Hackers like Behrang Fouladi, a security researcher at SensePost, managed to take over the device via its operating system to surveil communications between the switch and the controlling iPhone. 

"I don't care if someone, for instance, tries to turn off or turn on the lights,” Fouladi told Tom’s Guide. “Something like a front-door lock or a motion sensor, if they are used to detect intrusion—that is critical stuff. The implication of the compromise is higher." 

See also: The Hub In Your Connected Home Could Be In Your Living Room

Staying In Good Company

Connected home companies take security extremely seriously. Connected home purveyor SmartThings reviews all of its partners’ apps and devices, to make sure they conform to its safety standards, and “handles all security testing to ensure that everything is up to their standards,” says a company spokesperson.

The company’s white paper also outlines numerous protocols—from pin codes and two-factor authentication to firewalls, data encryption and sandboxing, which keeps SmartApps from accessing local system files on its the software’s residing device. It even places its SmartThings hub in a special mode for pairing with Zigbee or Z-wave-enabled devices, to keep potentially malicious devices out.

At iControl—whose technology powers connected home services for ADT Security Services, Comcast, Time Warner Cable, Cox and Rogers—the company works with partners to ensure that device development, software development, and server side management are up to snuff. It also manages the software that goes in every connected gadget. “We manage the software from a central server for every device or tablet, “ explains Jim Johnson, executive vice president. “Should we ever need to upgrade software, we can push the update automatically to the homes that have subscribed to the service.”

No doubt, security breaches are the nightmare scenario for service providers. And the reason for that is obvious. After all, the product they sell is not any particular gadget, system or technology. It’s convenience and peace of mind. In the connected home—or really any home, for that matter—the former is ultimately worthless without the latter. 

Feature image courtesy of Shutterstock. Samsung smart TVFoscam camera, Lockitron deadbolt device and Belkin WeMo Baby courtesy of respective companies. Burglar illustration, courtesy of Flickr user elhombredenegro

Great ! Thanks for your subscription !

You will soon receive the first Content Loop Newsletter