How secure is your smart home?

Smart home technology has undergone a recent surge in popularity, with the average Australian household now containing 18.9 IoT-connected devices.

Emerging technology analyst firm Telsyte predicts that this number will rise to 30 by 2022, forecasting that the main growth will be driven by the adoption of energy and lighting smart devices, security devices such as cameras and other smart appliances including smart speakers.

Convenience, energy savings and security are just a few of the reasons cited by those who are embracing smart technology within the home. But just how secure are these devices? The media abounds with stories about data and privacy breaches, from voice assistant Alexa listening in to private conversations, to Amazon handing police the user data it collects through its Ring surveillance technology. And even something as seemingly innocuous as a light bulb is no longer immune to data breaches, new research has found.

The dark side of smart lighting

In 2019, researchers at the University of Texas, San Antonio conducted a review of the security holes that exist in popular smart light brands.

“Your smart bulb could come equipped with infrared capabilities, and most users don’t know that the invisible wave spectrum can be controlled. You can misuse those lights,” said Murtuza Jadliwala, Professor and Director of the Security, Privacy, Trust and Ethics in Computing Research Lab in UTSA’s Department of Computer Science.

“Any data can be stolen: texts or images. Anything that is stored in a computer.”

Some smart bulbs connect to a home network without needing a smart home hub, a centralised hardware or software device where other IoT products communicate with each other. Smart home hubs, which connect either locally or to the cloud, are useful for IoT devices that use the Zigbee or Z-Wave protocols or Bluetooth, rather than Wi-Fi.

If these same bulbs are also infrared-enabled, hackers can send commands via the infrared invisible light emanated from the bulbs to either steal data or spoof other connected IoT devices on the home network. The owner might not know about the hack because the hacking commands are communicated within the owner’s home Wi-Fi network, without using the internet.

“Think of the bulb as another computer. These bulbs are now poised to become a much more attractive target for exploitation even though they have very simple chips,” Jadliwala said.

Jadliwala recommends that consumers opt for bulbs that come with a smart home hub rather than those that connect directly to other devices. He also recommends that manufacturers improve security measures to limit the level of access that these bulbs have to other smart home appliances or electronics within a home.

The study, titled ‘Light Ears: Information Leakage via Smart Lights’, was co-authored by Anindya Maiti and published in the September 2019 issue of the journal Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies.

How can smart tech vulnerabilities be detected?

In 2019, Swinburne University’s Cybersecurity Lab was awarded $360,000 by the federal government to research and develop technology to stop smart devices being hacked. As part of a three-year project, a team led by the Dean of the Digital Research Innovation Capability Platform, Professor Yang Xiang, has been testing for vulnerabilities in any devices and appliances connected to the internet.

“We tested many smart devices, which cover most of the popular brands on the market. The product types include smart bulbs, smart plugs, routers and smart cameras. We developed our test methods for security analysis and vulnerability detection on these devices. Vulnerabilities such as memory leaks were found — these vulnerabilities allow an attacker to crash a device by sending malicious messages remotely,” Xiang said.

“Smart home devices are becoming pervasive. The security of smart home devices has always been a concern. Unlike traditional software or system security, the security issues of smart devices are more intuitive and frightening. Imagine the situation where all the electronic devices in your home suddenly fail — your life will be significantly impacted. Therefore, our team believes that it is crucial to strengthen the security protection of smart home devices.

The Swinburne team is hoping to develop a methodology that will help them to assess whether or not a smart home device is vulnerable. Given that there are hundreds of millions of intelligent devices, it is impossible to research each device in detail, so an automated detection method is required.

“We hope to promote the security rating of smart devices in Australia through our research, [and] to assess the safety level of smart home devices and make the results public. On the other hand, we hope that our approach will help manufacturers. We will report the security issues we find to vendors, and assist them in finding vulnerabilities,” Xiang said.

Improving smart home security

According to Xiang, manufacturers need to pay attention to security issues when they design and develop their products, but users must also be aware of the dangers.

“Let’s have a look at how a hacker can invade a smart home device,” he said.

“First, a hacker must utilise at least one security hole to launch the attack. Second, the hacker must be able to communicate with the device. Therefore, we can see that there are two main factors whether a smart device can be hacked: whether the device has the vulnerable hole and whether anyone rather than the legitimate user can communicate with the device.

“It is the responsibility of vendors and developers to detect and fix vulnerabilities. Users can report to the manufacturer to help them improve product security. At the same time, users should also update the product firmware to avoid the vulnerabilities that have been discovered,” he said.

In addition, Xiang emphasises the importance of protecting account passwords on smart home apps, because if the hacker can obtain the user’s account password through the app, then they will be able to attack the device. Connecting the device to an insecure network environment may also enable malicious monitoring by a hacker.

“Although it is not easy to disguise and launch an attack by intercepting and capturing information in the existing network communication security background, there are still risks,” Xiang said.

“Whether some products are more vulnerable than others, I think it depends on the product development process and the security awareness of the developers. In the real world, developers usually use common software modules (eg, from open sources). This effectively helps reduce development costs. But it poses security risks if there is a problem in these modules.

“From another perspective, in more logical and more complex devices, it may be difficult to find vulnerabilities because they are hidden deeply. In some simple devices, such as light bulbs, developers with insufficient security awareness and knowledge may not be able to design secure software and thus leave some security holes.”

Image credit: ©stock.adobe.com/au/Aleksandra Sova