In all the excitement over the fast-approaching Internet of Things, there's been surprisingly little talk about the ginormous security risk that’s inevitable when the physical world becomes part of the network.
I’ve never been one to be a buzzkill about the latest innovation with “safety first!” warnings, but this is a no-brainer. The fast-growing stock of internet-enabled objects is vulnerable to security hacks the likes of which computers have been experiencing for years. Only the stakes are much higher when an intruder can infiltrate the physical realm—say, a light switch, an electric car, the front door lock, or the entire home security system.
The automated home’s been creeping toward the mainstream one smart gadget at a time: The Nest thermostat learns to control the temperature in the house per your preference; Lockitron turns your smartphone into a door key; the Satis is a Bluetooth-enabled smart toilet; Canary is the first smart home security system on a mobile device; and the list goes on.
The big fat security risk comes in with the tools used to manage these networked objects, which function like a remote control for the house. Security researchers will be talking about the problem at this week’s Black Hat conference, in a briefing called “Home Invasion 2.0.” The researchers looked at all kinds of smart devices, from toilets to home controllers like Vera Lite, which can control everything from thermostats to locks via web and mobile apps. Reportedly, some of the systems they've looked at have lacked basic things like user authentication, which would leave them vulnerable to anyone who gained access to the network they're connected to.
At this early stage in the internetting of all things, exploiting the security flaws is easy to do. It’s so easy, in fact, a Forbes journalist recently hacked into the homes of eight perfect strangers around the country, to prove that she could.
The reporter, Kashmir Hill, discovered that the wireless remote control system Insteon is vulnerable, as are competitors. Through Insteon, the homes' lighting systems, TV, garage doors, security cameras, and so on were controllable via the internet, and for some harebrained reason the systems were also searchable online. With a quick Google search Hill was able to access private information like family names and addresses, and gain full control over the home systems. She described the experiment in an article on Friday:
“I can see all of the devices in your home and I think I can control them,” I said to Thomas Hatley, a complete stranger in Oregon who I had rudely awoken with an early phone call on a Thursday morning.
He and his wife were still in bed. Expressing surprise, he asked me to try to turn the master bedroom lights on and off. Sitting in my living room in San Francisco, I flipped the light switch with a click.
I remember thinking it was trippy the first time a systems admin remotely accessed my company laptop to fix a bug. Now, theoretically, you could remote into someone’s house and change the TV channel while they’re in the bathroom. Or something far more dire. "Imagine the scenario where a hacktivist collective or state-sponsored attacker switches off an entire country’s electrical supply as an act of punishment," security analyst Andrew Rose wrote in a column for Wired.
Granted, the aforementioned security holes are careless oversights that should be easy to fix. But as home automation technology advances, the resulting risks are sure to grow just as quickly. Microsoft and Google are both working to develop home operating systems—Microsoft’s HomeOS and Google’s Android@Home—to unify all the smart objects in a household and make them easy to control and monitor from a single dashboard, on your mobile phone.
In fact, in the fully realized IoT, the intelligent objects might not even need an umbrella controller, because they will be able to communicate with each other directly. And the more connected devices get, the more chance there is that a single breach could affect multiple devices.
I’ll be interested to see how secure the newest home automation products are, including the Canary smart home security system, which is set to arrive in 2014. The device features a camera and multiple sensors around the home so you can monitor every aspect of the home from your smartphone.
The researchers speaking at Black Hat say that at this point, some home automation systems are fundamentally flawed and insecure. The attention being given to hacking the IoT is good, as it's key to fixing the flaws. But it makes you wonder if, instead of controlling our front doors with our easily lost cell phones, maybe we're better off with a good old deadbolt.