Smart home devices can be used to identify if a property is unoccupied and vulnerable to a physical break-in. If home security systems and smart door locks are disabled by an attacker, the break-in becomes more of a walk-in. With no sign of forced entry, the victim may well find that their home insurance will not cover their losses.
Internet-connected devices can be used to perform an action on behalf of a criminal. A device's functionality may be hijacked in a way that does not affect its regular operation and so goes unnoticed by the user. A compromised device can provide the gateway for attacking other devices connected to its network. Privilege escalation and lateral movement techniques can allow the attacker to use the weak security of a smart home device to compromise more valuable network devices. Enough hijacked devices can form a botnet: a network of devices infected with malicious software and controlled as a group without the owners' knowledge, which can be used to launch denial of service attacks or send spam.
Attackers can also use their knowledge of vulnerabilities to blackmail manufacturers, threatening to disable all susceptible devices to damage consumer confidence or release details into the public domain to damage the reputation and future sales unless a ransom is paid.
Are these risks real?
In 2016, "Mirai" malware was distributed across the internet. It searched for smart devices using a specific processor type and attempted to access the device using a default username and password. At its peak, 100,000 hijacked devices formed the botnet that was used to successfully launch distributed denial of service attacks, shutting down some prominent websites and disrupting their revenue streams.
In 2017, the authorities in Germany banned the sale and use of the "My Friend Cayla" doll. This internet-connected doll used speech recognition technology linked by Bluetooth to a mobile app to allow a child to hold a conversation with the toy. Security researchers found the doll's conversations could be hijacked, allowing the attacker to communicate directly with the child.
Why are smart devices vulnerable?
In the drive for low-cost devices, security was often put aside. The tendency for manufacturers was to rely on home routers to protect the connected devices. There are significant problems with this approach. Home routers themselves have vulnerabilities. Users often unpack and plug in their router without changing default passwords or checking for firmware updates. Like all other processor-based devices, routers have flaws that are uncovered over time and resolved with patching. Security is then dependent on users installing the patches. Once a home router is compromised, all the smart devices connected to that router are open to compromise if they do not have adequate security.
In 2018, "VPNFilter" malware infected more than half a million routers located across 50 countries. The malware allowed attackers complete control of the router and any unsecured connected devices.
So then how do manufacturers reduce risks?
Secure by design
Relying on the security of the network to secure a device is not sufficient. Each internet-connected device should be sufficiently secure to withstand attacks without reliance on external controls. Such protection can be bolted onto a device as an outer protective shield, but this approach is rarely cost-effective or as secure as practical. Secure by design means that the application of security controls should be part of the design process, embedded in the heart of the device's functionality where it will be most effective and cheaper to implement.
Typical controls include using strong encryption to protect data and communications from unauthorized access, monitoring, and alteration. Access controls should use multi-factor authentication techniques rather than relying on a username and password, which can be compromised. Functionality needs to default to secure operation under all abnormal conditions such as a blackout or component failure. A complete set of controls will require a thorough analysis to generate a comprehensive list of security control requirements during the discovery phase.
Secure by design enables the layering of defenses to protect the device, its information, and its place in the network. The exploitation of a single vulnerability should not result in a single point of failure for the system's security but be contained by the other layers.
Secure out of the box
The tendency for product designers is to focus on delivering a product that the consumer can unpack, plug in and work straight away. Often this means having security disabled by default to ensure trouble-free connectivity and integration with other devices. This plug-and-play convenience has come at the cost of security. This contrasts with more complex devices such as laptops, where it is common for the device to require hours of effort to get from unpacking to working.
All router admin account details, including the default username and password, are published on the internet, yet a significant percentage of consumers never change them. This shows that users cannot be relied upon to make changes to a working device to improve security if they do not need to. The only option is to design the device to be secure when it comes out of the box or implement installation processes that cannot be bypassed, requiring the user to make the device secure when it's first plugged in. California has now passed the Security of Connected Devices Act requiring manufacturers to implement reasonable security features, including unique preprogrammed passwords for each device. Manufacturers should expect similar regulations to appear across their markets.
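The sketch below is an added example, not code from the article or from any manufacturer. It models the two options described above: a unique preprogrammed password per device, and a first-run setup step that cannot be bypassed before remote access is enabled. The `SmartDevice` class, its method names, the serial numbers and the list of default passwords are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of widely known factory defaults (illustrative, not exhaustive).
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "root", "1234", "12345678", "default"}
MIN_LENGTH = 12

def _kdf(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SmartDevice:
    """Hypothetical device model: remote admin stays off until setup is completed."""

    def __init__(self, serial: str):
        self.serial = serial
        # Unique per-device secret generated at manufacture. This attribute stands in
        # for the printed label; a real device would keep only the hash.
        self.label_password = secrets.token_urlsafe(12)
        self._salt = secrets.token_bytes(16)
        self._stored = _kdf(self.label_password, self._salt)
        self.setup_complete = False

    def _matches(self, password: str) -> bool:
        return hmac.compare_digest(_kdf(password, self._salt), self._stored)

    def complete_setup(self, label_password: str, new_password: str) -> str:
        """Return 'ok' or the reason setup was refused; there is no skip path."""
        if not self._matches(label_password):
            return "label password incorrect"
        if new_password.lower() in KNOWN_DEFAULT_PASSWORDS or new_password == label_password:
            return "new password is a default or unchanged"
        if len(new_password) < MIN_LENGTH:
            return "new password too short"
        if self.serial.lower() in new_password.lower():
            return "new password contains the serial number"
        self._salt = secrets.token_bytes(16)
        self._stored = _kdf(new_password, self._salt)
        self.setup_complete = True
        return "ok"

    def remote_login(self, password: str) -> bool:
        # Fail closed: no remote access at all before first-run setup.
        return self.setup_complete and self._matches(password)
```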
Secured for life
Where security vulnerabilities are discovered over a product's life, manufacturers should not simply rely on producing a patch to update the product to resolve the issue unless installing the patch can be automated. Users cannot be trusted to search out updates for every smart device, let alone complete the process of downloading the patch and installing it correctly. A draconian approach would be to disable devices that are not updated, but this would cost customer satisfaction and damage the manufacturer's reputation. Delivering automated updates transparently to the end-user in a secure manner is the optimum solution. But the process must be safe; the SolarWinds incident has highlighted the importance of this.
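As an added illustration (not from the article or any vendor's updater), the following shows the device-side checks an automated update should pass before it is installed: manifest authenticity, target model, anti-rollback and image integrity. HMAC-SHA256 stands in for the asymmetric signature a production device would verify with the vendor's public key, because the Python standard library has no public-key signature verification. The key, model names and function names are assumptions.

```python
import hashlib
import hmac
import json

# Assumption: constructed stand-in key. A real device would hold only the vendor's
# PUBLIC key and verify an asymmetric signature; HMAC keeps this standard-library only.
VENDOR_KEY = b"constructed-demo-key"

def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """Vendor side: authenticate the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_update(image: bytes, version: int, model: str):
    """Vendor side: bind the image digest, version and model into one manifest."""
    manifest = {"model": model, "version": version,
                "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest)

def verify_update(manifest, tag, image, installed_version, model, key=VENDOR_KEY) -> str:
    """Device side: return 'install' or the reason for rejection (fail closed)."""
    try:
        # 1. Authenticity first: nothing in the manifest is trusted before this passes.
        if not hmac.compare_digest(sign_manifest(manifest, key), str(tag)):
            return "reject: manifest not authentic"
        # 2. The update must be intended for this product.
        if manifest["model"] != model:
            return "reject: wrong device model"
        # 3. Anti-rollback: never reinstall an older, possibly vulnerable release.
        if int(manifest["version"]) <= installed_version:
            return "reject: rollback or replay"
        # 4. Integrity: the downloaded image must be the one the manifest describes.
        if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), manifest["sha256"]):
            return "reject: image digest mismatch"
    except (KeyError, TypeError, ValueError):
        return "reject: malformed manifest"
    return "install"
```

These checks authenticate what the vendor signed; they do not detect a compromise that happens before signing, so the vendor's build and signing pipeline needs its own protection.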
It is estimated that at the end of 2020, there were around 20 billion internet-connected smart devices in use. The current standards of security controls make hacking such devices straightforward. This could be to perform acts of simple mischief by switching off lights or changing heating controls. It could be for more severe actions such as disabling security systems or stealing valuable information.
Manufacturers need to address cybersecurity risks by integrating security into the design and development process, delivering products that are secure by design, secure out of the box, and secured for life.
About the author
Stephen Mash is a freelance editor from the U.K. He has over 30 years of practical experience in IT, aerospace, defense and communications sectors. He develops and assesses safety-critical and business-critical systems, providing risk management and cybersecurity consultancy. He has a bachelor’s degree in electrical and electronic engineering and has been a Member of the Institute of Engineering and Technology (MIET) for over 20 years.