DEF CON and Black Hat aren’t rappers with guest spots on Jay-Z’s new album; they’re a pair of security conferences that you’ve likely never heard of or paid any attention to. You might want to change that this year. A major part of these conferences is presentations by security professionals (that’s pronounced “hackers”) who spend their days breaking into all things digital, and this year’s agendas are stacked with demonstrations of exploits against connected home technology.
The explosion of otherwise mundane internet-enabled devices – thermostats, light bulbs, ovens, TVs, the list goes on – has everyone from script kiddies to intelligence agencies excited about the new attack avenues these gadgets and appliances open. Any device that can talk to another device or the internet can potentially be hacked to do something unintended by its creator or owner, and this will soon be demonstrated publicly at Black Hat and DEF CON.

Why worry?

Granted, a hacker going after your internet-enabled toaster may not be lucrative in the same way that stealing your identity or banking credentials might be, but money’s not always the motive in hacking circles. Many of the most damaging attacks on computers have been perpetrated for shock value, underground credibility, or professional reputation. Burning down a home by hacking connected appliances would be worth a lot more cred than pwning Grandma’s computer. This is admittedly a worst-case scenario, but there are innumerable ways that a compromised connected home could be used to wreck your day. A hacked baby monitor could be used by would-be burglars to figure out when you’re not home; the script kiddie next door could shut off your heat mid-winter and burst your pipes by hacking your internet-connected thermostat, or shut off your smart-grid-enabled fridge and spoil all the food. A few years back, proof-of-concept attacks against compromised networked laser printers were able to make them singe paper. Back when I had X10 automation-enabled switches throughout the house, friends used to drive by and mess with my house lights, just for fun. Exploits against an X10 successor, Z-Wave, will be demoed soon at Black Hat and DEF CON.
The point: This isn’t just tinfoil-hat stuff; there are plenty of plausible attacks against a connected home. Unlike the annoyance factor when a computer gets hacked, there can be real-world physical consequences when unsecured connected appliances are exploited.

Insecure by default

Security is often an afterthought in the design of connected devices. It’s not something that most consumers are educated about, and it’s often hard to describe in a bullet-point or checkbox fashion (“Security: Yes”). Further, many of the old-line manufacturers that are entering the connected devices space don’t have institutional knowledge around security; it has not historically been an issue for, say, refrigerators. In the product development tug-of-war between security and convenience, security is usually the loser. A great example can be seen when you pair your phone to a Bluetooth headset or your car. Often you’ll be prompted for a PIN code, but it’s usually all zeros (in fact, it’s so common that some new devices just try all zeros and never prompt for a PIN at all if that works). The pairing PIN is a security feature built into Bluetooth to help prevent an attacker from interfering with pairing in a way that allows later eavesdropping on the encrypted connection, but it’s been effectively neutered by the many manufacturers that choose not to use it in the name of convenience. An attack on a headset might merely result in some juicy gossip from your phone calls going around at the next block party, but the consequences of a pairing attack could be much worse with something like a door lock or garage door opener.

What to do?

We might have you so scared now that you’re tempted to just live the Luddite life; rest assured that’s not our intent. We love the idea of the connected home, but reasonable steps should be taken to protect yourself from having it used against you.

Secure your network

This should go without saying, but know how to secure your WiFi network. There’s almost no excuse for running an open, unencrypted WiFi network. If your router is more than a few years old, odds are its security mechanisms are exploitable and it should be replaced. Newer WiFi routers have built-in guest network capabilities that can isolate untrusted devices from each other and from the rest of your network – a useful feature for most devices that only need internet access and don’t need to talk to other devices. Extra configuration may be required to properly secure devices that need to talk to each other (like automation controllers and security cameras), but it’s possible to limit that communication without laying bare the rest of your home’s network.
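The "limit that communication without laying bare the rest of your network" idea, as an added example that is not part of the original article: a small Python script that generates an nftables forwarding policy for a router with a trusted LAN segment, a guest/IoT segment, and a WAN link. Both segments may reach the internet, the IoT segment can never initiate connections toward the LAN, and only an explicit allowlist of LAN-to-IoT flows (say, the automation controller reaching one camera's RTSP port) is permitted. The interface names, addresses and ports are assumptions for illustration, not anything from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Assumed router interface names (hypothetical; rename for your router).
LAN_IF = "lan0"  # trusted side: computers, phones, the automation controller
IOT_IF = "iot0"  # guest/IoT side: appliances, bulbs, cameras
WAN_IF = "wan0"  # upstream internet link


@dataclass(frozen=True)
class Allow:
    """One explicitly permitted LAN -> IoT flow, e.g. controller -> camera."""
    src: str    # LAN host that may initiate the connection
    dst: str    # IoT device it may reach
    proto: str  # "tcp" or "udp"
    port: int   # destination port on the IoT device


def build_ruleset(allows: Iterable[Allow]) -> str:
    """Return an nftables ruleset: both segments reach the internet, the IoT
    segment never initiates toward the LAN, and only the listed LAN -> IoT
    flows (plus their replies) are permitted."""
    rules = [
        "table inet home_segments {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        # replies to connections the trusted side opened are allowed back
        "    ct state established,related accept",
        # both segments may reach the internet, nothing else by default
        f'    iifname "{LAN_IF}" oifname "{WAN_IF}" accept',
        f'    iifname "{IOT_IF}" oifname "{WAN_IF}" accept',
    ]
    for a in allows:
        src = ipaddress.ip_address(a.src)  # ValueError on a malformed address
        dst = ipaddress.ip_address(a.dst)
        if src.version != dst.version:
            raise ValueError(f"mixed address families: {a.src} -> {a.dst}")
        if a.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {a.proto!r}")
        if not 1 <= a.port <= 65535:
            raise ValueError(f"port out of range: {a.port}")
        fam = "ip" if src.version == 4 else "ip6"
        rules.append(
            f'    iifname "{LAN_IF}" oifname "{IOT_IF}" '
            f"{fam} saddr {src} {fam} daddr {dst} {a.proto} dport {a.port} accept"
        )
    # anything the IoT segment initiates toward the LAN is logged, then dropped
    rules.append(f'    iifname "{IOT_IF}" oifname "{LAN_IF}" log prefix "iot->lan " drop')
    rules += ["  }", "}"]
    return "\n".join(rules)


# Constructed sample policy: the automation hub on the LAN may reach one
# camera's RTSP port and a lighting bridge's HTTP port; nothing else.
SAMPLE_ALLOWS = [
    Allow("192.168.1.10", "192.168.50.20", "tcp", 554),
    Allow("192.168.1.10", "192.168.50.30", "tcp", 80),
]

if __name__ == "__main__":
    print(build_ruleset(SAMPLE_ALLOWS))
```

The generated text can be loaded with `nft -f` on a Linux router that has separate interfaces (or VLANs) for the two segments. Note that this only governs traffic crossing the router: two IoT devices on the same guest segment can still talk to each other directly, which is what the router's client-isolation setting is for. The logged `iot->lan` line is also a cheap way to notice an appliance that suddenly starts probing your computers.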

Know what’s in your home

Keep an inventory of your connected appliances and other devices (including manufacturer names and model numbers). Whenever you bring a new gadget home, update the list. Educate yourself about some basic security principles before welcoming new connected devices into your home. How does the device connect (Bluetooth, WiFi, GSM, something proprietary)? If it’s controllable by a tablet app or computer, how does the association process work? Is there a PIN or password? Is the process encrypted? How do updates work, and for how long will they be provided? This information should be available from the manufacturers, either published on their websites in technical specifications, or by contacting customer support. If a manufacturer can’t or won’t answer these questions for you, vote with your wallet and take your money elsewhere.
Devices that magically “just work” without any kind of secure association process or encryption involved may be ripe for hacking. True security is about balancing risk and reward; the amount of damage that could be done by someone exploiting a Bluetooth soundbar or a WiFi-enabled LED light bulb is probably pretty minimal compared to the benefits of having such things around. The script kiddie next door might be able to hassle you about your Justin Bieber fetish or run an impromptu lightshow on your dime, but it’s not the end of the world. On the other hand, the things a bad guy could do with larger connected appliances, internet-enabled heating, and security systems definitely deserve some serious consideration.

Keep up-to-date

Set up a regular schedule to check for updates and exploits for the items on your connected devices list. Some devices may update automatically; even better! Well-behaved manufacturers should provide security updates for years, but others call it done once it’s shipped, and move on to the next project. Google around for well-known exploits against the connected devices in your home. If you find some, and the manufacturer hasn’t provided updates that address them, it might be time to retire that particular device. Sometimes, it’s worth the risk to keep using an exploitable device, but it’s best to be informed.
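The inventory from "Know what's in your home" and the review schedule from "Keep up-to-date" fit naturally in one small tool. The following is an added example, not code from the original article: a Python script that records, for each device, the answers to the article's questions (how it connects, whether association needs a real PIN or password, whether traffic is encrypted, how long updates are promised, when you last checked for updates and exploits) and turns them into findings and a recommended action. The high-impact category list, the 90-day check interval, the review date and the sample devices are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Device categories where a compromise has physical or safety consequences
# (assumed list, drawn from the examples in the article).
HIGH_IMPACT = {"lock", "garage door", "thermostat", "oven", "alarm", "baby monitor"}


@dataclass
class Device:
    name: str
    manufacturer: str
    model: str
    category: str
    link: str                      # "wifi", "bluetooth", "z-wave", "gsm", "proprietary"
    pairing_secret: bool           # association needs a PIN/password that is not a default
    encrypted: bool                # control and update traffic is encrypted
    support_until: Optional[date]  # None = manufacturer would not say
    last_checked: Optional[date]   # last time you looked for updates/exploits
    unpatched_public_issues: int = 0  # known exploits with no vendor fix


def triage(dev: Device, today: date, check_interval: timedelta = timedelta(days=90)) -> dict:
    """Answer the article's checklist for one device and recommend an action."""
    findings: List[str] = []
    if dev.support_until is None:
        findings.append("no stated update policy")
    elif dev.support_until < today:
        findings.append("past end of support")
    if not dev.pairing_secret:
        findings.append("no real PIN/password at pairing")
    if not dev.encrypted:
        findings.append("unencrypted control channel")
    if dev.last_checked is None or today - dev.last_checked > check_interval:
        findings.append("update/exploit check overdue")
    if dev.unpatched_public_issues:
        findings.append(f"{dev.unpatched_public_issues} public issue(s) with no vendor fix")

    impact = "high" if dev.category in HIGH_IMPACT else "low"
    # a public exploit that the vendor will not, or can no longer, fix
    unfixable = dev.unpatched_public_issues > 0 and (
        dev.support_until is None or dev.support_until < today)
    if impact == "high" and unfixable:
        action = "retire or isolate"
    elif impact == "high" and findings:
        action = "fix before continued use"
    elif findings:
        action = "informed risk: fix or accept"
    else:
        action = "ok"
    return {"device": dev.name, "impact": impact, "findings": findings, "action": action}


def review(inventory: List[Device], today: date) -> List[dict]:
    """Triage every device, high-impact and actionable ones first."""
    results = [triage(d, today) for d in inventory]
    return sorted(results, key=lambda r: (r["impact"] != "high", r["action"] == "ok"))


# Constructed sample inventory and review date (not real products).
TODAY = date(2013, 8, 1)
SAMPLE_INVENTORY = [
    Device("front door lock", "ExampleLocks", "EL-100", "lock", "z-wave",
           True, True, date(2015, 12, 31), date(2013, 7, 20)),
    Device("thermostat", "ExampleHeat", "EH-2", "thermostat", "wifi",
           False, False, None, None, unpatched_public_issues=1),
    Device("living room bulb", "ExampleLight", "L1", "light bulb", "wifi",
           False, False, date(2014, 6, 1), date(2013, 3, 1)),
    Device("soundbar", "ExampleAudio", "SB-9", "soundbar", "bluetooth",
           False, True, date(2016, 1, 1), date(2013, 7, 1)),
]

if __name__ == "__main__":
    for r in review(SAMPLE_INVENTORY, TODAY):
        print(f"{r['device']:18} {r['impact']:5} {r['action']:28} "
              f"{', '.join(r['findings']) or '-'}")
```

Run it on the review date and the thermostat (no update policy, no real PIN, no encryption, a public issue with no fix) lands at the top with "retire or isolate", the properly paired and supported lock comes out clean, and the bulb and soundbar are flagged but left to your judgement, which is the balance of risk and reward the article describes. Keeping the file in version control gives you the "whenever you bring a new gadget home, update the list" habit for free.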
At the end of the day, the connected home is here to stay. Just like the previous waves of home and mobile computing, there are bound to be some growing pains as manufacturers fumble their way through security. We’re hoping more connected device makers will take security seriously, before the less savory attendees at Black Hat and DEF CON start playing with your new toys.