Security for the Smart Home
by David West
This article is the first in a two-part series.
As smart home technology moves from the lab to the marketplace, many home automation devices are now exposed to the Internet through gateways and management systems. Are these systems ready for the ensuing cyber attacks that will undoubtedly ensue? And who is responsible for ensuring these devices are safe from attack?
The security challenge for the smart home, with its network of specialized, connected devices is different than the security challenges for enterprise networks and PC systems.
A few of the factors making smart home security unique are:
- Smart home devices are frequently fixed function devices. Once they are shipped, they cannot be upgraded to add security after the fact.
- Smart home devices are special purpose devices, not general purpose devices like PCs or servers. As a result, they require special purpose security solutions completely different from a PC.
- Smart home devices may run small footprint real-time operating systems such as VxWorks or INTEGRITY and cannot run security solutions designed for Windows or Linux based systems. Some devices may have no operating system at all.
- Once deployed, the devices are more difficult to update. In this case, the update would consist of implementing security features ignored during their design. It is unlikely the end user can add security features unless the device manufacturer provides an upgrade. The end user cannot buy security software from a third party and install it on the devices.
- There is no one to manage security within the home.
Since the homeowner using smart home devices cannot install security software onto the device, the responsibility for security falls squarely onto the shoulders of the OEMs who build the device. Security for embedded devices must be designed into the device itself. All too often, however, OEMs push off the responsibility for the security of the device to the operating system vendor. They argue the operating system is responsible for the security of the device. Or even worse, security is not a requirement and provides no competitive advantage and therefore can safely be ignored.
Security is clearly a requirement for the smart home. The smart home may now include home video surveillance systems, health monitoring systems, environmental controls, and home security systems all remotely accessible. These systems must be protected from network-based attacks.
A recent article from Forbes outlines several attacks against smart homes1. The attacks include remotely controlling lights and TVs, turning on a hot tub water heater, and opening the garage door. In some cases, the smart home HUB or control system did not require a password, leaving them wide open to hackers. Some devices openly provide the WiFi password in clear text. Other reported hacks include remotely flushing toilets, streaming video from Internet camera systems, and unlocking doors. The implications are obvious.
David West is the Director of Engineering for Icon Labs.