Make Your Home Smart and Secure
Want to learn more about how to make your smart home secure? Check out this post where we take a look at what you can do to implement safe smart home devices.
“Smart but insecure” sounds like you’re talking about a high achiever who needs therapy.
Which you could be. But in the online world, it applies to semi-animate objects — the hundreds of millions of devices in American homes that are, at one level, smart.
They range from thermostats to appliances, like ovens and refrigerators, to TVs, kids’ toys, vacuums, speakers, light bulbs, security cameras, baby monitors, door and window locks, plugs and switches, smoke detectors, and, of course, your virtual assistant — all controllable through your voice or, yes, those other smart things — your phone or other computing device.
They offer the almost magical convenience of responding to remote commands, warning you when something is wrong or about to go wrong, or just letting you know when you are running low on milk.
But most are also notoriously insecure, vulnerable to hackers, and in need of their own kind of therapy, which, in this case, is software that is not riddled with vulnerabilities that, oftentimes, can’t even be patched.
Since it is National Cybersecurity Awareness Month, it would be good to start in the home, where you should be aware of the scale of the problem, aware that it is not going to be fixed by government or the private sector anytime soon, and aware of what you can and should be doing to make sure you don’t sacrifice security for convenience.
Smart Homes Are Terrifyingly Insecure
The problem is both massive and pervasive. Numerous studies confirm what is frequently called the “terrifying” reality that virtually all smart home devices, including extra-sensitive ones like baby monitors and “hubs” that control multiple devices, can be easily hacked.
One of the more recent reports comes from a team at Ben-Gurion University, which demonstrated earlier this year that most of these devices could be compromised in less than 30 minutes, simply by doing a Google search of the brand and tracking down the default factory-set passwords.
“It is truly frightening how easily a criminal, voyeur, or pedophile can take over these devices,” said Yossi Oren, one of the report’s researchers. That finding is also, sadly, nothing new.
“It is truly frightening how easily a criminal, voyeur or pedophile can take over these devices.”
—Yossi Oren, assistant professor, Department of Software and Information Systems, Ben-Gurion University
Almost five years ago, following a conference on the Internet of Things (IoT) hosted by the Federal Trade Commission (FTC), panelist Craig Heffner said the biggest reason for such a lack of security is that “people don’t make purchasing decisions based on the security of a product. They do it based on the product’s features, looks, and price.” Heffner, a vulnerability researcher with Tactical Network Solutions, asked, “Why in the world would a company spend time and money on something that users don’t care about and will never see?”
No Relief From Industry or Government
Heffner’s 2013 assessment of the state of the industry is, apparently, still the case. And as is obvious, a hacker getting control of your door locks, your garage doors, or your security cameras can put you and your family at physical risk, a problem much worse than needing to get a new credit card.
It will also likely be the case for some time. While there have been various legislative efforts and calls for mandatory software security standards, the industry remains essentially unregulated.
Among those efforts is a bill co-sponsored a year ago by Sen. Ed Markey, D-Mass., and Rep. Ted Lieu, D-Calif., titled the Cyber Shield Act of 2017, that would launch “a program to identify and promote Internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes.”
But it would be voluntary. And so far, while there was one hearing on it this past April, it hasn’t even made it out of the Committee on Commerce, Science, and Transportation, never mind to the floor of either chamber.
How to Secure Your Smart Home
All of this means that if you want to avoid having your smart home put your privacy and physical security at risk, it’s kind of up to you to take measures that keep you from becoming, as they say in the security industry, “low-hanging fruit.”
And there are things you can and should do. You don’t have to be a techie either — you just have to invest some time and maybe some money. These are essentially security basics. With thanks to Larry Trowell, principal consultant, and Ofer Maor, product marketing director, both of Synopsys, and Craig Spiezle, managing director of Agelight Advisory Group, here is a brief list of measures that are still voluntary, but probably shouldn’t be:
Don’t Use Default Passwords
Beyond that, use unique passwords and usernames. “The answer is not longer or more cryptic passwords,” Spiezle said. “The problem is the reuse. Each password shouldn’t be used for anything else. And, don’t make your username something obvious, like your name or your first initial and last name.”
Use a Next-Generation Firewall (NGFW)
No, they are not bulletproof, but neither is the lock on your home, which still has considerable value in blocking, or at least slowing down someone hostile trying to get in.
Create a Second Guest Network for Your Smart Devices
Trowell notes that a number of routers offer that option.
And Maor said, given the reality that most home networks will be breached in some way — if not from a targeted attack, then an automated one — this is the best way to limit access to everything in the home.
“I run my home on multiple network segments,” he said. “There is my ‘office’ network with the laptops, NAS, and all the important sensitive parts of my home. There is my ‘Home IoT’ network, which holds most of the IoT devices. This limits a breach — if one of my IoT devices gets hacked, the hacker may be able to propagate from it to other IoT devices but will not be able to reach my laptop or my sensitive data,” he said.
Update Router Firmware
Most routers are notoriously insecure, but even better ones can be breached. And as Trowell noted, routers “are statistically more likely to be the entry point.”
Updates are not nearly as well-publicized as product recalls, but they can be just as crucial. It’s good to get into the habit of checking regularly to see if any are available.
It’s also worth checking on whether your vendor has released a new, more secure model. “Comcast doesn’t tell you that they have a new router available unless you ask,” Spiezle said.
Keep an Inventory
Especially when homeowners add one device at a time, it can be easy to lose track of one or more of them. As security experts have been saying for years, you can’t secure what you don’t even know you have. Also, adding devices incrementally may seem gradual, but it can increase complexity exponentially.
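The inventory and the separate IoT network described above can be checked against each other. The following is an added example, not part of the original article: it compares a router's DHCP lease list with a written inventory and reports devices nobody recorded, devices sitting on the wrong segment, and inventoried devices that were not seen. It assumes the router exposes leases in dnsmasq's lease-file format; the subnets, MAC addresses, and device names are constructed.

```python
import ipaddress

# Constructed segments mirroring the "office" / "Home IoT" split described above.
SEGMENTS = {
    "office": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}

# Constructed inventory: MAC address -> (device name, segment it belongs on).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("work-laptop", "office"),
    "aa:bb:cc:00:00:02": ("nas", "office"),
    "aa:bb:cc:00:00:10": ("thermostat", "iot"),
    "aa:bb:cc:00:00:11": ("baby-monitor", "iot"),
    "aa:bb:cc:00:00:12": ("smart-plug", "iot"),
}

# Constructed sample in dnsmasq lease format: expiry MAC IP hostname client-id.
LEASES = """\
1539302400 aa:bb:cc:00:00:01 192.168.10.21 work-laptop *
1539302400 AA:BB:CC:00:00:10 192.168.20.30 thermostat *
1539302400 aa:bb:cc:00:00:11 192.168.10.44 baby-monitor *
1539302400 de:ad:be:ef:00:99 192.168.20.77 * *
"""

def segment_of(ip):
    """Return the name of the segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)

def audit(leases, inventory):
    """Compare live leases to the inventory; return a dict of findings."""
    findings = {"unknown": [], "wrong_segment": [], "not_seen": []}
    seen = set()
    for line in leases.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        mac, ip = fields[1].lower(), fields[2]
        seen.add(mac)
        if mac not in inventory:
            findings["unknown"].append((mac, ip))
        elif segment_of(ip) != inventory[mac][1]:
            name, expected = inventory[mac]
            findings["wrong_segment"].append((name, ip, expected))
    findings["not_seen"] = sorted(n for m, (n, _) in inventory.items() if m not in seen)
    return findings

print(audit(LEASES, INVENTORY))
```

A device in `not_seen` may simply be powered off or using a static address, so treat that list as a prompt to look, not as proof the device is gone.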
Consider Device Management Services
“They’re like a password manager,” Spiezle said. “They provide a dashboard with an API (application programming interface) that connects with all the devices in your home.”
Consider a UTM (Unified Threat Management) Appliance
They can be pricey, but most include functions like antivirus, antispyware, antispam, network firewall, intrusion detection and prevention, content filtering, and leak prevention. Some also provide VPN (virtual private network) support.
Yes, this all takes time and, in some cases, money. But look at it this way — if you can afford the devices, can you afford to not secure them? By doing so, you’re securing yourself.
Security starts with awareness. Be aware.
The original version of this article was published in Forbes.
Published at DZone with permission of Taylor Armerding, DZone MVB.