It’s All Fun and Games…Until Your “Smart” Home Gets Hacked
A year ago, we bought a fixer-upper well below market value. We knew that we would have the opportunity to make some investment in smart tech. When Amazon sent a Smart Home Consultant to our house, they said we were farther ahead than most of the people they met with. I was trying to get them to help me make my lights flash blue and green when the Seahawks NFL team scored a touchdown. We’ve since solved that problem, and along the way, we had to take many important security measures.
The Snoo became our primary concern. Snoo Smart Crib is what we call the “magic knockout crib” for our newborn child. It connects to the Wi-Fi, then logs into the cloud, and based on the intensity and crying of our baby, it shushes, swaddles, shakes, or makes heartbeat sounds until she calms and falls back asleep. It listens to her and makes white noise, and can increase to the sound she would hear inside the womb with an internal heartbeat. If the baby isn’t comforted, it sends an alert to our smartphones that we may need to feed or change the baby. The first thing I wanted to do was hack it so I could make it sound like my car shifting gears and see what kinds of vulnerabilities this might have as a listening device and potential two-way communication. Since it was directly in the baby bassinet, I was concerned. What if hackers started doing rotten things to our Snoo?
A number of years back, we invested in a Unified Threat Manager (UTM) for home. Because speed, performance and ease of use were key, we actually have a commercial, enterprise-grade Next Gen Firewall or UTM. Having Intrusion Prevention Systems, Inline Antivirus, Desktop Endpoint Protection, SSL VPN, QoS for our VoIP system, Advanced Filtering (web and content), it all seemed like a lot to take into the home. After a while, we’ve found use for so many of the features and will continue to use these features as our child grows. The ability to censor the internet for our children to protect them from things we don’t want them to see is fantastic. Central Antivirus for the family with inline IPS is great. For the camera systems, being able to have a Web Application Firewall and brute force protection is valuable, especially considering the Mirai botnet is mostly IP Cameras.
Next we invested in more of the smart things, so almost every light in the house is a smart light bulb. With an app on the phone, Apple HomeKit, Siri, Alexa and If This Then That (IFTTT), we were able to build a large Zigbee mesh network. All of the lights act as repeaters for the Zigbee wireless transmission. So the “Man Cave” (my office in the yard) is properly named as such. When the lock gets unlocked, it sends a signal through the digital smart lock system to IFTTT, which tells it to turn on the “Man Cave Light Group”. This is the same for the front door: unlock the front door, and the lights come on in the front room. Alexa (Amazon Echo) is around the house, so “Alexa, turn on kitchen light” is the way the lights go on in the kitchen. With IFTTT, we did some integration to have Alexa flash lights when the timer is over. “Alexa, set timer for 10 minutes” results in the kitchen lights flashing when the timer is done and our food is ready.
With smart smoke detectors, we were able to change the colors of the lights, or flash the lights in the house if smoke or carbon monoxide is detected, as well as make audio alarms run all over the home. We can have the system send alerts to text messages, or have the app put alerts onto the phone directly, and this allows me to know if there’s a problem at the home. All of the integrations for this can tie into the smart alarm systems as well, so a monitoring company can also know if you’ve got an issue at the house. One of the things that really was frustrating with the smoke detectors was that I wanted the motion alarm on them to trigger events. They have lights that you can program, so they become motion-sensing night lights. I wanted to set them up so that on motion (near the stairs), the color light strip going down the stairway would turn on for five minutes. They have triggers for smoke detection, but no API extension for the motion. So I had to punt, and programmed the stair lights to turn on at dusk and turn off at dawn.
Many of the new smart alarms today have ZigBee wireless, so you can integrate motion sensing cameras, water leak detectors, glass break sensors, etc. The better systems have integration directly with a number of smart home systems, so that should you decide to start programming your smart home, you’ll have an easier path. One of the things that I’ve yet to see is a wave of new “smart home” tech integrators that will know the answers to many of your questions. For now, it seems, a lot of it is market adoption for smart devices and smart things, and a few of the tech giants are starting to build their ecosystems. Amazon, Apple, and Google are some of the leaders in the automation space today and many more are going to be coming.
One of the things we have not done (yet) is investing in smart blinds for the windows. When the sun comes up, the blinds can start to let natural light into the rooms you choose. This can be very cost-effective for heating and cooling if you do it right. The idea of being able to say “Alexa, open living room blinds” and having them all move is exciting to me. Currently, for the system we want, it’s a little cost prohibitive, so we may wait for more competitors to hit the market.
The most important thing we’ve done along the way is to make certain that we are aware of what and where the connections are going. As a security person, I know these systems can be very vulnerable. Consumer-based products tend to not get patched frequently. All of the firewall, IPS, and WAF rules for every system might seem a bit overkill, but it would not be funny if my printer was the cause of a full “HomePocalypse” hacking meltdown. For devices like our SCADA network (solar and electrical grid), it has no need to talk to my lights or alarm, so it got its own DMZ and rules. The cool factor was being able to get a unique view of the solar eclipse this year, from a solar panel’s perspective on a smartphone.
When I think about how to penetration test my network, I look at the threat surfaces. Can I break into the cameras, can I break into the cloud accounts, can I poison the smart TV, can I wirelessly attack the network? For the cameras, my strategy was simple: VPN in and then access them. That proved to be more difficult for everyone to use. So, moving to the next phase: use high ephemeral ports instead of well-known ports, and use brute force protection, Web Application Firewall, Server Cracking Protection, inline IPS signatures, and use VERY strong passwords like “FrostAndSullivan2017Winner!!!” for an admin username that is no longer “admin.” This will shut down most botnets attempting to log into the cameras. Is it impossible to break in? No, but it’s going to be very expensive to accomplish it, and there are easier attack surfaces. The Wi-Fi uses full active defense with spare radios being used for scanning for nearby attackers. Passwords are 30-40 characters long.
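One way to check that the zone separation described earlier actually holds (the solar/SCADA network in its own DMZ with no path to the lights or alarm) is to audit firewall flow records against a default-deny zone policy. This is an added example, not the author's configuration: the subnets, zone names, allow list and sample flows are all constructed assumptions.

```python
import ipaddress

# Constructed layout: subnets and zone names are assumptions for illustration.
HOME = ipaddress.ip_network("10.0.0.0/16")
ZONES = {
    "trusted": ipaddress.ip_network("10.0.10.0/24"),  # laptops, phones
    "lights":  ipaddress.ip_network("10.0.20.0/24"),  # smart bulbs and hub
    "alarm":   ipaddress.ip_network("10.0.30.0/24"),
    "cameras": ipaddress.ip_network("10.0.40.0/24"),
    "scada":   ipaddress.ip_network("10.0.50.0/24"),  # solar/electrical DMZ
}

# Default deny between zones: only these (src_zone, dst_zone) pairs are expected.
ALLOWED = {
    ("trusted", "cameras"), ("trusted", "lights"), ("trusted", "internet"),
    ("internet", "cameras"),  # remote viewing through the firewall's WAF
    ("lights", "internet"), ("alarm", "internet"), ("scada", "internet"),
}

def zone_of(ip):
    """Map an address to its zone; unassigned home addresses are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown" if addr in HOME else "internet"

def audit(flows):
    """Return (src_zone, dst_zone, src, dst, port) for flows the policy forbids."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz in ZONES:
            continue  # traffic inside one zone is out of scope for this check
        if (sz, dz) not in ALLOWED:
            findings.append((sz, dz, src, dst, port))
    return findings

# Constructed flow records (src, dst, dst_port), as exported from firewall logs.
SAMPLE_FLOWS = [
    ("10.0.10.5", "10.0.40.12", 8443),   # laptop -> camera: allowed
    ("10.0.50.7", "203.0.113.20", 443),  # inverter -> vendor cloud: allowed
    ("10.0.50.7", "10.0.20.3", 80),      # inverter -> light hub: violation
    ("10.0.40.12", "203.0.113.99", 23),  # camera -> outbound: violation
    ("10.0.99.4", "10.0.10.5", 445),     # device in no zone -> laptop: violation
    ("10.0.20.3", "10.0.20.9", 80),      # light -> light: same zone, skipped
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print("unexpected flow: %s -> %s (%s -> %s port %d)" % f)
```

A finding from the "unknown" zone is worth as much attention as a cross-zone one: it means a device is on the network that was never placed in a segment.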
In a way, we planned this out as if we were responsible corporate Security Engineers. Not everyone today is going to have the time, knowledge, or resources to do this, and this is why the IoT has been such a threat. Home automation and the Internet of Things is fantastic and very fun. Playing Security Engineer at home can also be fun, but this is mandatory if you want to sleep well at night about having so many smart things in your home.