Are Smart Homes Cyber Attack Risks?

Some of the anxieties about the smart grid go to the possibilities of security breaches, particularly at the interface of the distribution grid to the customer.

Interest in the smart grid seems to be fading, as consumer-controlled electric devices, the “internet of things,” or, in our acronym-infected world, the IoT. These smart devices give homeowners, businesses, and everyday folks the ability to control how they use energy, not the utility. For many observers, the benefits of the smart grid flow almost entirely to the utility. The IoT changes that.

These customer-controlled devices are hot. The market research firm Gartner predicted last year that by the end of this year, there will be 2.9 billion connected IoT devices in smart home environments. We’re talking about smart thermostats, locks, light bulbs, smoke detectors, security systems, internet protocol cameras (such as Dropcam), smart TVs, broadband routers, and the like.

But these devices bring their own serious security threats, according to the computer security firm Symantec. The firm concluded, “Our research found that many of these devices and services had several basic security issues.” Symantec says it “recently analyzed 50 smart home devices that are available today and took a look at how they measure up when it comes to security.”

It’s not a comforting picture. “None of the devices used mutual authentication or enforced strong passwords,” said Symantec. “Even worse, some hindered the user from setting up a strong password on the cloud interface by restricting the authentication to a simple four-number PIN code. Combine this with no support for two-factor authentication and no password brute-force attack mitigation, and you have an easy target for attackers.”

In addition to weak authentication, Symantec found well-known web application vulnerabilities, related to “path traversal, unrestricted file uploading (remote code execution), remote file inclusion and SQL (structured query language) injection. And we’re not just talking about smart light bulbs here; one of the affected devices was a smart door lock, which could be opened remotely over the internet without even knowing the password.”

So far, Symantec acknowledges, the threat is only potential. “As yet,” the company says, “we haven’t seen any widespread malware attacks targeting smart home devices, apart from computer-related devices such as routers and network-attached storage appliances. Currently, most proposed IoT attacks are proof-of-concepts and have yet to generate any profit for attackers. This doesn’t mean that attackers won’t target IoT devices in the future when the technology becomes more mainstream.”

Keep in mind that Symantec has a business interest in highlighting cybersecurity vulnerabilities. Among other things, the company owns the Norton security and backup brand. Nonetheless, the research raises significant issues. A Symantec blog advises, “So before you get carried away with your new smart home automation projects, take a moment to think about how these conveniences may be exposing you and your home to cyberattacks. Demand better security from the manufacturers of your smart home and IoT devices – only then will things start to improve.”