Hackers in the house

26 October 2016

Over the past week, one of the biggest-ever cyber-attacks has affected Spotify, Netflix, Amazon and Twitter. And the standout feature of this attack was that criminal hackers misused millions of Internet-enabled home appliances to mount it. The vulnerabilities of Smart Home technology, and what manufacturers need to change in the future.

Anyone who wanted to watch a movie on Netflix, listen to music on Spotify, shop on Amazon, or send tweets late last week had to find other things to do for several hours in the United States, parts of Europe and Japan. Dyn, a company that administers Internet domains, including those of Spotify and friends, was paralysed by a distributed denial-of-service (DDoS) attack - the direction of huge amounts of traffic to a server, overwhelming it to the point of collapse. An attack on a provider like Dyn has far-reaching consequences: The company provides domain name systems (DNS), which translate Web addresses, such as www.tuev-nord.de, into IP addresses, thereby enabling communication between computers and Internet servers. With a system overload, the websites and the entire host are either completely inaccessible or very difficult to reach. And the special feature of the recent cyber-attack was this: It made use of Internet-enabled domestic devices such as baby monitors, cameras, printers and TV hard-drive receivers. For data journalist Marco Maas, the cyber-attack came as no surprise: “The theory behind this attack isn’t really new. The possibilities were discussed more than ten years ago at the annual meeting of the Chaos Computer Club - as were the problems that are now causing them, by the way.”

There’s never any shortage of critical voices when it comes to the security of smart home products. Particularly with lower-cost devices, the security that protects them is often less than satisfactory. Johannes Hoffmann, expert in IT security at TÜViT: “One major problem is insecure or default passwords and access data, which make the work of hackers easier. The fact that there are often no regular updates to eliminate security vulnerabilities in smart-home devices represents a serious weakness.”

The Federal Agency for Security in Information Technology (Bundesamt für Sicherheit in der Informationstechnik - BSI) is calling on the networked device manufacturers to improve security standards. It should be possible for the user to change default access data and passwords. Moreover, the manufacturers should provide regular and fast security updates. Marco Maas, who, as a journalistic project, has converted his apartment into a ‘sensor residence’ with 120 networked smart home devices, explains: “At the moment it’s marketing which drives the launch of products. Security isn’t uppermost in people’s thoughts; the focus is on the product’s functions. And what’s more, all the manufacturers are in a kind of Wild West free-for-all right now. It’s all about being the first to stake a claim and get into users’ houses.”

The increasing networking of individual components and systems in areas such as smart homes and mobility is giving rise to potential threat scenarios. A development that TÜV NORD, too, is responding to: after all, IT security is becoming increasingly important in all areas. This applies to lifts, vehicles and medical products just as much as it does to toys. Under the banner of Security4Safety, TÜV NORD is offering comprehensive risk management for Industry 4.0.

And risk management is also something being attended to by home expert Marco Maas. His apartment is not going to feature any cameras, nor does he want the front door to become ‘smart’ in the foreseeable future. “If I didn’t see my ‘sensor residence’ as a journalistic project, I would store less data in the various manufacturer clouds and place my trust more in home-made solutions.” As far as the technology goes, he uses separate networks in his apartment - one exclusively for smart devices, one for his trusted computers, and another for guests. Maas can also use the central router to control which ports should be accessible from the outside. “At least that’s one way of making life harder for intruders,” says Maas.

How can consumers tell that a smart-home device is ‘secure’? “Basically, they can’t,” says Maas. But the Internet-of-Things scanner from Internet security company BullGuard can at least offer some initial pointers. The scanner detects open ports on individual smart-home devices and alerts users to potential vulnerabilities. In most cases, the owners of the devices don’t notice hacker attacks. Nor has the Hamburg-based data journalist been able to identify any cyber-attacks on his apartment to date. “I’m waiting for something to happen to me and I hope that I’ll be able to track it down and bring it to public attention.”