2013-08-12

Co.Labs

3 Ways Hackers Will Invade Your Smart Home

A totally connected smart home is every geek's fantasy, but each device you add gives hackers another attack vector. Are we prepared to defend our homes not from petty burglars, but from sophisticated online hackers?



You can probably trace the dream of the connected “smart” home back to when The Jetsons first aired in the 1960s. Ever since then most of us have wanted a house we could control with a few taps or even just our voice.

“Lights on.” “Open door.” “Run the bath.”

It’s now 2013, and that smart home is moving ever faster towards being the norm. After all, we have Nest thermostats and CubeSensors and smart TVs and Philips Hue lights to play with. We’re practically living in the Jetson's world, sans flying cars.

But there’s one thing the pastel-hued world of The Jetsons never dealt with (because, well, it was a children’s cartoon): security. In a world where everything in our house is smart, security can’t only consist of locking the door and switching on the alarm to protect our valuables and ourselves.

To show you what I mean, here are three disturbing proof-of-concept attacks that have happened on smart houses recently.

The Hacked Toilet

Yeah, that sounds like a bad joke, but a toilet has actually been hacked (hey, if a physical house key can be hacked, anything can now, right?). As Sean Gallagher writes for Ars Technica, the information security firm Trustwave found security vulnerabilities in a popular Bluetooth smart toilet on sale in Japan called the Inax Satis automatic toilet:

Functions of the Satis--including the raising and lowering of its lid and operation of its bidet and flushing nozzles--can be remotely controlled from an Android application called "My Satis" over a Bluetooth connection. But the Bluetooth PIN to pair with the toilet—"0000"—is hard-coded into the app. "As such, any person using the 'My Satis' application can control any Satis toilet," the security advisory noted. "An attacker could simply download the 'My Satis' application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, [or] activate bidet or air-dry functions, causing discomfort or distress to user."

Extra flushes = higher water bills. Talk about flushing money down the toilet.

The Hacked TV

I can’t wait for truly smart televisions. I say that because many of the smart TVs on the market now are just modified Linux boxes with a front-facing camera, Internet connectivity, and a mediocre operating system. As this next example proves, no TV should be able to call itself “smart” unless it’s absolutely secure.

Samsung, one of the most popular makers of “smart” TVs, got schooled earlier this summer when two hackers from security firm iSEC Partners were able to inject JavaScript into the smart TV’s browser and some of its apps, including Skype. They even managed to turn on the front-facing television camera without the home user’s knowledge, which enabled them to watch live video of everything the smart TV’s camera saw and record still images from the video feed. Because the TV camera had no indicator light, the users at home had no way of knowing it was active. As Chenda Ngak writes for CBS News:

Grattafiori said that they tested their exploit on Samsung Smart TVs because they offer the most features, which create more of an opportunity to find security flaws..."They could actually either see live, streaming video into your home or office or to take still camera shots of you," Grattafiori said about potential hackers. "There's no physical indicator, nor visual indicator, that you'd be able to know your camera was on or taking pictures of you."

Take a moment to think about where you put your TVs: In your living room where your children watch their favorite shows, in your kitchen where you make breakfast in your pajamas, and in your bedroom where you and your partner sleep. What happens to your sense of privacy knowing anyone could be watching you and your family at any moment?

The Hacked...Everything

The hacked toilet? Kinda funny. The hacked smart TV camera? Creepy. The hacked EVERYTHING IN YOUR HOUSE? Scary as hell.

That’s just what Kashmir Hill of Forbes was able to do to eight houses running a home automation software package from a company called Insteon. As Hill writes:

Googling a very simple phrase led me to a list of “smart homes” that had done something rather stupid. The homes all have an automation system from Insteon that allows remote control of their lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices, so that their owners can turn these things on and off with a smartphone app or via the Web. The dumb thing? Their systems had been made crawl-able by search engines--meaning they show up in search results--and due to Insteon not requiring user names and passwords by default in a now-discontinued product, I was able to click on the links, giving me the ability to turn these people’s homes into haunted houses, energy-consumption nightmares, or even robbery targets. Opening a garage door could make a house ripe for actual physical intrusion.

Now, thankfully Hill was not a nefarious hacker (and actually was nice enough to call all the houses beforehand and get permission from the owners for her to try to turn off their lights remotely), but the ease at which she could do all this sets the stage for some serious discussion about security in the future.

We all know that it’s important to secure our laptops, iPhones, and tablets as best we can from potential attacks. We do this predominantly through usernames and passwords and anti-virus software. But as the three examples above show, when the smart house becomes ubiquitous, we’ll have to start securing it in ways we’ve never had to before, changing our idea of what a “house” is in the process.

No longer will a house be just a place with four walls, a roof, and a door that can be secured with a key and an alarm system. When we have truly smart houses, we’ll be living inside of a computer and we will have to learn to think of our houses as such.

Just as we don’t secure our computers with a lock and key, we’ll have to learn to secure our homes against digital attacks as well as physical ones using tools like firewalls, passwords, and biometric verification systems. If we don’t, our homes could go from being our own personal safe havens to zoos where a hacker can see everything we’re doing and control all the switches in our cages.

[Image: Flickr user Andrew Magill]