Secure Smart Homes Need Control on Site, not in the Cloud

Given that home IOT can be interconnected to various degrees, we should consider the overall risk of the implemented ecosystem, not just the individual devices we install. This risk changes depending on the sophistication of the home in question.

The disconnected smart home

If the home has no Internet connection (or there is no bridge between the home IOT devices and the home Wi-Fi/Internet connection), there is minimal risk. Connection schemes such as X10, Zigbee, and Z-Wave are “localized”; a physical presence within their reception range is required. Many automation systems, such as Lutron and Insteon, donot require any Wi-Fi or Internet connection.

To be hacked, someone has to physically come to your home, a step the smart home security system is designed to mitigate.

"We also eagerly await the discoveries from DEFCON 2015’s IOT Hacking Village, a competition designed specifically to find vulnerabilities in popular home IOT devices"

Disconnected devices communicating with a home-only connected hub

The second case involves home IOT devices that connect to a Wi-Fi hub to allow them to be controlled via PCs, smartphones, etc. One example is Phillips Hue: the individual light bulbs talk via Zigbee to a hub, which connects to Wi-Fi to allow control through smartphones and tablets.An Internet connection is not required to control the system.

For hackers to compromise this architecture, they need a footprint within the home network.This could be a compromised PC or home router, but they can’t simply come from the Internet and directly attack the home hub.

Appropriate endpoint anti-malware products assist greatly in mitigating the risk, as does using WPA2 or better Wi-Fi encryption to prevent intruders from gaining access to your home network.

Internet-connected devices and devices with Internet-connected hubs

The most risky situation, and the one currently most under attack, allows devices (or their hub) to talk directly to the Internet. The infamous example of the compromised baby camera was simply an Internet-accessible device using default passwords.

Hacking websites trawl the Internet looking for connected security cameras using weak or default credentials. Any device directly accessible from the Internet needs the highest level of designed-in security and attention, because they are the most accessible and easiest to probe for weaknesses.

Unfortunately the trend in home IOT is to offer Internet-connected devices. Given the rapid evolution of this market and number of companies competing for a share, information security often becomes an afterthought.

At the moment, there are few ways to protect such an environment, other than to trust that the device and hub manufacturers have implemented robust security, and that any vulnerability will be quickly patched. However, it may be the homeowner’s responsibility to apply such patches—making it vital that you understand what devices you have, how they obtain updates, and any known vulnerabilities.

The Future

The security industry predicts significant changes in the home IOT space during the next decade. Smarthomes are moving from cool to useful, but an Internet outage that knocks out the lights is something the average homeowner won’t tolerate. Processing and intelligence need to move back into the home, under the homeowner’s control, especially for automation and security features.

Having the intelligence of your home IOT depend on cloud processing will naturally be replaced with a smart “black box” in a closet, perhaps merged with media storage and entertainment features.

The “smart home” of today is really a dumb home connected to a smart cloud. That must change, as we empower the next generation of homes to be smart in their own right.