Pål Kastnes May 10, 2016
Although home automation was one of the first implementations of the Internet of Things (IoT), it’s still maturing. Automating everyday tasks and increasing home efficiency are major advantages of home automation, but security concerns must be addressed.
The market has plenty of room to grow. According to Researchandmarkets.com, the global DIY home automation market is expected to reach USD 21.30 billion by 2020.
An attractive target
Smart homes are online 24/7, which gives hackers a limitless window of opportunity. The potential intruder can plan the perfect timing with respect to your time zone or by following information on social media.
As many home automation systems consist of devices from several different manufacturers, there may be several weak spots. Very few private homes have a knowledgeable system administrator that will be aware of important maintenance and security upgrades.
Non-tech-savvy homeowners will never monitor their network activity, which gives the attacker time to work. If and when the network is compromised, the attacker knows he is unlikely to be detected. Besides, you cannot expect the babysitter or the kids’ friends to be careful about network security.
Security concerns for homeowners
Portable devices are tempting targets for an attacker, as cellphones and tablets connect to different networks as they change location. If the user is unaware of basic security, their smartphone can easily connect to a fraudulent access point. Even some tech-savvy people are concerned with the physical security of their doors and windows, but can be careless when it comes to their digital devices.
Most homeowners implement some sort of access control on their network, but the access control policies might be changed frequently. A typical example is visitors getting upgraded from guest status to the same level as the family. As innocent as it seems, this represents a big security threat.
Home automation security procedures can’t be enforced on a private household like in a company. A home automation system needs to be as invisible as possible to ease the family’s daily routines, so any necessary work will likely be seen as an annoyance and potentially ignored.
Security in your product design
Home automation hardware has a dubious reputation when it comes to security. Back in the 1980s, these systems used simple, unencrypted radio communication and a simple toggle system, which made hacking the system as easy as purchasing a generic controller and scanning the few frequencies in use. Even today, we still see some manufacturers adopting a “good enough” approach to security.
When Apple decided to enter the home automation market with HomeKit, they knew it was critical to gain the trust of their users. Where many companies ignore security or use a simple 128-bit encryption, Apple introduced a new standard for security with HomeKit by using the latest algorithms for encryption and authentication. In order to sell a product as a HomeKit device, it has to be certified by Apple first. Products that fail to get approved will not be eligible to be sold as a HomeKit device. Even if you are not building your product around HomeKit, their approach to security is one worth considering.
Protect your customers
To keep your product secure, set up your devices to use end-to-end security with encrypted keys, bypassing other devices in the network. Have the devices connect directly to the cloud via encrypted links. Isolating each part as much as possible will limit the exposure caused by a single unit with security flaws. Create a solution where it will be hard for attackers to overrun the devices, as this might put the whole home network of the user in danger of intrusion.
Some further principles to bear in mind:
- Limit access to control devices: Make it harder for intruders to control the devices.
- Protect information: Use encrypted end-to-end security and connect each device directly to the cloud via TLS or similarly encrypted links.
- Keep your system updated: Release regular patches and inform your customer about their importance.
One bad apple (no pun intended)
Door locks, heating systems, fridges and kitchen appliances are not dangerous by themselves, but it’s a different story when connected. Just one weak spot in one appliance could expose an entire home network to unwanted intruders.
One vulnerable device is all it takes. Make sure it’s not yours.