As a growing number of Internet-connected home appliances hit the market, David Bryan and Daniel Crowley worry that digital ne’er-do-wells will get new ways to take control of these devices, unlocking your house, running up your heating bill, flushing your toilet—or worse—from afar.
Bryan and Crowley, both security researchers at Trustwave Holdings, have been trying to sound this alarm since they heard about the Lockitron, a $179 gadget designed to fit on a standard deadbolt and allow you to lock or unlock your home from your smartphone. At the time, the device had not yet begun shipping to customers, but it piqued Bryan and Crowley’s curiosity. They figured they’d try out other “smart” devices while they were at it, and over the past several months they’ve found that nearly all of them, including lights, a scale, and a toilet, had significant security shortcomings.
Their findings highlight a potential problem with the so-called “Internet of Things” and the new class of Internet-connected home products that you can monitor and manage remotely. These devices offer convenience and potential energy savings and sometimes just novelty (see “Home Tweet Home: A House with Its Own Voice on Twitter”). According to data from ABI Research, there are already more than 10 billion wirelessly connected devices in use, and by 2020 there will be more than 30 billion of them. While “hub” devices like smartphones and laptops make up most of this total today, the market researcher expects this will shift in favor of cheap sensors and node devices that make up the Internet of Things.
Yet as we connect more and more devices to the Internet, everything from the thermostat to the toilet to the front door itself may create a potential new opening for electronic intruders. As with computers, there are ways to protect these devices from outsiders, but Crowley and Bryan’s experiences indicate that, for now at least, this isn’t always a primary concern for companies in a rush to sell this equipment. Making devices more secure can add time to product development.
“It varies from device to device, but a common thread with a lot of these devices is they don’t require any authentication at all,” Crowley says.
For example, Crowley and Bryan examined the Veralight, which plugs into your home computer network and allows you to control and manage many types of household appliances. By default, it required no username or password to access the system, and they say they found numerous ways to bypass authentication even when it was turned on. More recently, Crowley and Bryan discovered how easily one could get a music-playing toilet called the Satis, which is controlled by an Android smartphone app, to flush itself repeatedly or play loud music. They recently discussed their findings at the annual Black Hat security conference in Las Vegas.
Crowley and Bryan say they’ve contacted each company whose products they believe have security flaws. Mostly, they’ve gotten no direct response. In a statement, the maker of the Veralight, Hong Kong-based Mi Casa Verde, said it believes its controllers “are as secure or more secure than any of the home automation products on the market today.” Lixel, the Japanese company behind the networked toilet, said in a statement that there are “several necessary conditions” that must be met to control the toilet remotely, such as pairing a smartphone with the toilet, which must be done with a separate unit that comes with the Satis.
Security researchers fear that the risks presented by these new types of gadgets are especially concerning. If hackers can exploit a weakness in a single type of Internet-connected home appliance or system—such as an Internet-connected door lock—they may be able to harm thousands of people at once. “It might be some effort to get this kind of scenario, but if breaking into one server means you get to ransack 100, 1,000, 10,000 people’s homes, that’s definitely worth it, and that’s where the real danger lies,” Crowley says.
Yoshi Kohno, an associate professor at the University of Washington who studies computer security and privacy in consumer technologies, says it’s hard to know exactly how big a problem this will be. But he has found “real vulnerabilities” in several Internet-connected things including cars, medical devices, and children’s toys. A toy that includes a webcam, for instance, could allow an online attacker to connect to the toy and turn on the webcam. “We as a community need to look holistically at all the emerging technologies and not just say, ‘Oh, it’s a toaster, it doesn’t matter,’ and think that everything matters until we believe that it doesn’t,” he says.
Kohno says he’d need to see more of an emphasis placed on security before he’d feel comfortable using most of the currently available connected-home gadgets: lights that can be controlled over the Web may be okay, but an automated door lock, for example, would still be out of the question.
Even with security measures in place, there’s also potential for electronic eavesdropping, says Kamin Whitehouse, an associate professor at the University of Virginia who studies smart buildings. His research has shown that even if data traffic from wireless smart devices in the home is encrypted, an attacker can still analyze network traffic patterns and, by making a few assumptions about human behavior, get an idea of what’s going on inside the house. “Once the house starts becoming fully connected, there’s no reason to think that it won’t become a target,” he says.
For their part, Crowley and Bryan are optimistic that this will change. The smartphone-controlled door lock that first intrigued them recently began shipping to customers and offers security details and an e-mail contact for security-related questions. That’s an indication that Apigy, the company behind Lockitron, is focused on the issue, Crowley says. “That is big. It says something good about the state of security in that product,” he says. “It means we’ll probably have a tough time breaking it.”