Swisscom: Smart Homes & Security Risks

Posted on 26-Jan-2017

Smart Homes & Security Risks

Gregory Grin - 2015

Swisscom Smart Living

The more we transform our life into a digital life, the more intimate information is potentially exposed

But this is not a new situation. It is already the case in our “non-digital” life…

And there we take measures to protect ourselves

There is no reason not to do the same in our digital life and when using Smart Home solutions

It looks like there is a Digital Paranoia trend nowadays

Proposed approach when considering Smart Home solutions for your house: a Healthy Digital Paranoia

1. Physical Access

2. Wi-Fi

3. Passwords

4. Cloud vs. local

5. Connectivity within the Smart Home System

6. Interface

7. Systems with preventive measures

8. Firmware

“Please destroy my whole smart home system, all my home automation & comfort, as well as all the rainy Saturday afternoons I spent configuring it and making it work…”

The so-called “Hammer Invitation”

Consider locking your Ethernet sockets: an exposed socket, or an unlocked cabinet with the gateway in it, hands an intruder a wired connection to your network

Secure your Wi-Fi network

1. Don’t stay with the default settings (default SSIDs and passwords per router model are collected in public databases that attackers use)

2. Create a long, complex passphrase and do not leave it on a sticker under the router…

3. Don’t use your name, home address or other personal information in the SSID

4. Enable the highest level of network encryption (WPA2 at the time of this talk; never WEP) and use a Smart Home system that supports it

5. Consider MAC address filtering (a speed bump rather than a barrier: MAC addresses are visible on the air and trivially spoofed)

6. Consider reducing the range of your Wi-Fi network

7. Upgrade your router firmware

8. Consider a separate home network (a guest network or its own VLAN) for your smart home installation

Passwords

§ Don’t stay with the default settings of your Smart Home system

§ Create long and complex passwords for your Smart Home devices

§ Don’t use the same password everywhere

§ If you are afraid of forgetting your passwords, use a password manager

Cloud vs. local

§ Consider a Smart Home system that lets you specify what goes to the cloud and what stays local, for privacy reasons

§ Local/cloud duplication is also an interesting feature, from a security point of view and beyond

§ How is the communication between the cloud and the Smart Home system handled? HTTPS? With a certificate that the gateway actually verifies against a trusted CA? With mutual SSL/TLS authentication, so that the cloud also verifies the gateway? With an additional layer of encryption?

§ Where is the cloud? Is it hosted in a serious place that would resist attacks?

§ Does your system provide a standalone option without internet and cloud?
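
What “HTTPS with a trusted certificate and mutual SSL authentication” means in practice is easier to see in code than in a checklist. The following Go program is an added example and not code from the slides or from any Swisscom product: the gateway only talks to a cloud endpoint whose certificate chains to a CA it trusts, and the cloud endpoint only accepts gateways that present a certificate issued by that same CA. The private CA, the names cloud.example and gateway-0001.home.example, and the loopback TCP connection are all constructed for the example; a real vendor would provision the gateway certificate at manufacture, and the cloud's certificate would usually come from a public CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue creates a P-256 certificate for name: self-signed when isCA, otherwise signed by parent. It panics on
// failure because this is setup code; a real gateway loads certificates that were provisioned at manufacture.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, []byte, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // a leaf: the name the peer verifies it against, and what it may be used for
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // just created by the library, so it parses
	return cert, der, key
}

// PKI is the constructed trust setup: one private CA and the TLS configuration of both sides. Server (the
// cloud) demands a client certificate from our CA; Client (the gateway) trusts only our CA and presents its own.
type PKI struct {
	Gateway        tls.Certificate
	Server, Client *tls.Config
}

func NewPKI() *PKI {
	ca, _, caKey := issue("Smart Home Root CA", true, nil, nil)
	leaf := func(name string) tls.Certificate {
		_, der, key := issue(name, false, ca, caKey)
		return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	cloud, gw := leaf("cloud.example"), leaf("gateway-0001.home.example")
	return &PKI{Gateway: gw,
		Server: &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{cloud},
			ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots},
		Client: &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: roots, ServerName: "cloud.example",
			Certificates: []tls.Certificate{gw}}}
}

// Handshake connects the two configs over a loopback TCP socket and returns the first error seen. The client
// also reads one application message, because a TLS 1.3 server rejects a bad client certificate only after
// the client's own Handshake() has already returned successfully.
func Handshake(server, client *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			s := tls.Server(conn, server)
			if err = s.Handshake(); err == nil {
				_, err = s.Write([]byte("ok"))
			}
		}
		done <- err
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err == nil {
		defer conn.Close()
		c := tls.Client(conn, client)
		if err = c.Handshake(); err == nil {
			_, err = c.Read(make([]byte, 2))
		}
	}
	if err != nil {
		return err
	}
	return <-done
}
```

Handshake(p.Server, p.Client) succeeds; a client with no certificate, a client or server from an unrelated CA, all fail. The one setting that makes an impostor cloud succeed is InsecureSkipVerify on the client, which is exactly the shortcut to look for when a product's “HTTPS” turns out not to verify anything.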

Connectivity within the Smart Home System

§ How do the sensors communicate with the outside world or with a Smart Home gateway?

§ Is it possible to use a mix of wireless and wired connections?

§ Does the system use standards (KNX, Z-Wave, DECT, …) that enforce a reasonable level of security and encryption? Several of these standards leave encryption optional per device, so check what the device actually implements, not only the logo on the box

Interface

§ Does your system require you to change any default password at first start?

§ Does it allow and encourage the use of strong passwords (>= 8 characters, upper case, symbols, numbers)?

§ Are no hard-coded passwords used?

§ How does the interface react after multiple login attempts with a wrong password (brute-force attack)?

§ How does automatic login work?

§ Is it possible to disable features that are not being used?

§ Is the web interface protected against the bugs listed in the OWASP Top Ten?

§ Can you modify privacy and security settings?

§ Is there a privacy mode? How does it work?
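
The Passwords and Interface questions above map onto a small piece of login logic. The Go code below is an added example, not code from the slides or from any Swisscom product: a gateway account that ships with a factory password flagged as must-change, the slide's password policy, a salted and iterated hash instead of a stored plaintext, a constant-time comparison, and a lockout that starts after the fifth wrong guess and grows with every further failure, so that a brute-force attack against the web interface hits a wall instead of a rate limit it can wait out. The account name admin, the factory password, the hash iteration count and the lockout numbers are assumptions, and the iterated SHA-256 stands in for a real password KDF such as scrypt or Argon2.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"strings"
	"time"
	"unicode"
)
type LoginResult int
const (
	Denied             LoginResult = iota // unknown user or wrong password
	Locked                                // too many failures, try again later
	MustChangePassword                    // correct, but still the factory default
	OK
)
const maxFailures, hashRounds = 5, 50_000 // lock after 5 failures; hash iterations (a stand-in for scrypt/Argon2)
const baseLockout = 30 * time.Second      // lockout after the 5th failure, growing by 30 s per further failure

type Account struct {
	salt, hash  []byte
	isDefault   bool // true until the factory password has been replaced
	failures    int
	lockedUntil time.Time
}

type Gateway struct {
	accounts map[string]*Account
	Now      func() time.Time // injectable clock, so lockouts can be tested without sleeping
}

// CheckPolicy is the slide's rule: >= 8 characters with an upper-case letter, a digit and a symbol.
func CheckPolicy(pw string) error {
	has := func(class func(rune) bool) bool { return strings.IndexFunc(pw, class) >= 0 }
	if len(pw) < 8 || !has(unicode.IsUpper) || !has(unicode.IsDigit) || (!has(unicode.IsPunct) && !has(unicode.IsSymbol)) {
		return errors.New("password needs >= 8 characters, an upper-case letter, a digit and a symbol")
	}
	return nil
}

// hashPassword is a salted, iterated SHA-256: enough to show the idea, not a substitute for a real KDF.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	for i := 1; i < hashRounds; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

func newAccount(pw string, isDefault bool) *Account {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err) // no randomness means no safe way to continue
	}
	return &Account{salt: salt, hash: hashPassword(salt, pw), isDefault: isDefault}
}

// NewGateway ships with one factory account flagged as still-default, as a real device would.
func NewGateway(user, factoryPassword string) *Gateway {
	return &Gateway{accounts: map[string]*Account{user: newAccount(factoryPassword, true)}, Now: time.Now}
}

func (g *Gateway) Login(user, pw string) LoginResult {
	acct, ok := g.accounts[user]
	if !ok {
		hashPassword(make([]byte, 16), pw) // same cost as for a real user: timing must not reveal valid names
		return Denied
	}
	now := g.Now()
	if now.Before(acct.lockedUntil) {
		return Locked // nothing is checked while locked, so the attacker learns nothing
	}
	if subtle.ConstantTimeCompare(hashPassword(acct.salt, pw), acct.hash) != 1 {
		if acct.failures++; acct.failures < maxFailures {
			return Denied
		}
		acct.lockedUntil = now.Add(baseLockout * time.Duration(acct.failures-maxFailures+1))
		return Locked
	}
	acct.failures = 0
	if acct.isDefault {
		return MustChangePassword
	}
	return OK
}

// ChangePassword needs the current password and applies the policy to the new one.
func (g *Gateway) ChangePassword(user, oldPw, newPw string) error {
	if r := g.Login(user, oldPw); r != OK && r != MustChangePassword {
		return errors.New("current password rejected")
	}
	if err := CheckPolicy(newPw); err != nil {
		return err
	}
	g.accounts[user] = newAccount(newPw, false)
	return nil
}
```

A login with the factory password returns MustChangePassword rather than OK, so the interface can force the change before anything else is reachable; a correct password during a lockout still returns Locked, which is what stops a guessing attack from simply continuing.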

Systems with preventive measures

§ Does your system react to jamming? How?

§ Does your system react to network and Wi-Fi failure? How?

§ Does your system send you notifications when it changes state?

§ How does your system restart and react when there is an outage?

§ Is there a fail-safe mode?

§ How does the system/device react to tampering?

§ Does the system require the user’s approval to enter maintenance mode?
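
One concrete set of answers to the questions above, as an added Go example that is not code from the slides or from any Swisscom product: silence from a sensor is reported, and reported as suspected jamming when the radio channel is saturated at the same time; losing the uplink switches to fail-safe local operation and queues notifications instead of dropping them; a tamper switch is always an alarm; and maintenance mode needs the user's approval. The sensor names, the 0-100 noise scale, the three-missed-check-ins rule and the notification texts are constructed for the example.

```go
package main

import (
	"errors"
	"time"
)

// Event is a state change the gateway reports to the user.
type Event struct {
	At   time.Time
	Text string
}

// Supervisor is a gateway-side watchdog that treats silence as a signal: a sensor that stops checking in
// is reported (as suspected jamming if the radio channel is saturated at the same time), and nothing is
// ever dropped just because the uplink is down.
type Supervisor struct {
	interval   time.Duration        // expected time between sensor check-ins
	noiseLimit int                  // noise level (constructed 0-100 scale) above which the channel counts as jammed
	lastSeen   map[string]time.Time // per sensor
	lost       map[string]bool      // per sensor: already reported as silent
	uplink     bool                 // Internet/Wi-Fi reachable; false means fail-safe local operation
	sent       []Event              // delivered notifications
	pending    []Event              // queued while the uplink is down
}

func NewSupervisor(interval time.Duration, noiseLimit int, start time.Time, ids ...string) *Supervisor {
	s := &Supervisor{interval: interval, noiseLimit: noiseLimit, lastSeen: map[string]time.Time{}, lost: map[string]bool{}, uplink: true}
	for _, id := range ids {
		s.lastSeen[id] = start
	}
	return s
}

func (s *Supervisor) notify(at time.Time, text string) {
	if s.uplink {
		s.sent = append(s.sent, Event{at, text})
	} else {
		s.pending = append(s.pending, Event{at, text})
	}
}

func (s *Supervisor) Heartbeat(id string, at time.Time) {
	if _, known := s.lastSeen[id]; !known {
		return // not one of our devices: a check-in must not enrol it
	}
	if s.lost[id] {
		s.notify(at, id+" is back online")
	}
	s.lastSeen[id], s.lost[id] = at, false
}

// Tamper is a device's case switch opening: an alarm, never just a log line, whatever the uplink state.
func (s *Supervisor) Tamper(id string, at time.Time) { s.notify(at, "TAMPER: "+id+" opened") }

// Uplink tracks Internet/Wi-Fi reachability: losing it enters fail-safe local operation, regaining
// it leaves fail-safe and flushes every notification queued in the meantime.
func (s *Supervisor) Uplink(up bool, at time.Time) {
	if up == s.uplink {
		return
	}
	s.uplink = up
	if up {
		s.sent = append(s.sent, s.pending...)
		s.pending = nil
		s.notify(at, "uplink restored, leaving fail-safe mode")
	} else {
		s.notify(at, "uplink lost: local siren and local rules active (fail-safe mode)")
	}
}

// Tick is the periodic check; noise is the radio's latest channel noise reading.
func (s *Supervisor) Tick(at time.Time, noise int) {
	for id, seen := range s.lastSeen {
		if s.lost[id] || at.Sub(seen) <= 3*s.interval {
			continue
		}
		s.lost[id] = true
		if noise > s.noiseLimit {
			s.notify(at, "JAMMING suspected: "+id+" silent while the radio channel is saturated")
		} else {
			s.notify(at, id+" stopped reporting (battery or range?)")
		}
	}
}

// EnterMaintenance refuses without explicit user approval: a "maintenance" request arriving over the
// network is exactly how a system gets silently disarmed.
func (s *Supervisor) EnterMaintenance(userApproved bool, at time.Time) error {
	if !userApproved {
		s.notify(at, "maintenance mode requested without user approval: refused")
		return errors.New("maintenance mode requires user approval")
	}
	s.notify(at, "maintenance mode entered (approved by user)")
	return nil
}

func (s *Supervisor) Sent() []Event    { return s.sent }
func (s *Supervisor) Pending() []Event { return s.pending }
```

The jamming heuristic is deliberately simple (silence plus a saturated channel); the point is that the two conditions are reported differently, because a flat battery and an attacker with a transmitter call for different reactions. The queue is what makes the uplink-failure question answerable: the notification about the outage itself is delivered as soon as connectivity returns, with its original timestamp.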

Firmware

§ Is there a simple and secure update process?

§ Are firmware upgrades of the devices signed and encrypted?

§ Can firmware upgrades be controlled by users?

§ How does the system react to unrequested firmware upgrades?
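
What signed and encrypted firmware with user control looks like on the device side, as an added Go example that is not code from the slides or from any vendor: the image is encrypted for the device and the whole package is signed by the vendor; the device verifies the signature against a vendor key pinned at manufacture before it trusts anything in the package (not even the version field), refuses versions that are not newer than the installed one (anti-rollback, which also kills replay of an old signed image), refuses to apply an update the user has not approved (so an unrequested upgrade cannot be pushed silently), and only then decrypts. The package layout, the SHFW magic and the per-device AES key are constructed for this example, not any vendor's real format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Package layout (constructed for this example, not any vendor's real format):
//   "SHFW" (4) | version uint32 big-endian (4) | nonce (12) | AES-256-GCM ciphertext+tag | Ed25519 signature (64)
// The signature covers everything before it, so version, nonce and ciphertext are all authenticated.
const magic, headerLen = "SHFW", 4 + 4 + 12

var (
	ErrMalformed    = errors.New("firmware: malformed package")
	ErrBadSignature = errors.New("firmware: signature does not verify against the pinned vendor key")
	ErrRollback     = errors.New("firmware: version is not newer than the installed one")
	ErrNotApproved  = errors.New("firmware: update was not approved by the user")
)

// Device is what a gateway needs at boot: the vendor's public key burned in at manufacture, a
// per-device image key provisioned alongside it, the installed version and the user's consent flag.
type Device struct {
	VendorPub    ed25519.PublicKey
	ImageKey     []byte // 32 bytes for AES-256
	Installed    uint32
	UserApproved bool // set when the user accepts the update in the app; cleared once consumed
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildPackage is the vendor side: encrypt the image for this device, then sign the whole package.
func BuildPackage(vendorPriv ed25519.PrivateKey, imageKey []byte, version uint32, image []byte) ([]byte, error) {
	gcm, err := newGCM(imageKey)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, headerLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	nonce := hdr[8:]
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	pkg := gcm.Seal(append([]byte{}, hdr...), nonce, image, hdr[:8]) // magic+version are bound as AAD
	return append(pkg, ed25519.Sign(vendorPriv, pkg)...), nil
}

// ApplyUpdate runs the checks in the order that matters: signature first (nothing unsigned is trusted,
// not even the version field), then anti-rollback, then user consent, and only then decryption.
func (d *Device) ApplyUpdate(pkg []byte) ([]byte, error) {
	n := len(pkg) - ed25519.SignatureSize
	if n < headerLen+16 || string(pkg[:4]) != magic {
		return nil, ErrMalformed
	}
	body, sig := pkg[:n], pkg[n:]
	if !ed25519.Verify(d.VendorPub, body, sig) {
		return nil, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(body[4:8])
	if version <= d.Installed {
		return nil, ErrRollback
	}
	if !d.UserApproved {
		return nil, ErrNotApproved
	}
	gcm, err := newGCM(d.ImageKey)
	if err != nil {
		return nil, err
	}
	image, err := gcm.Open(nil, body[8:headerLen], body[headerLen:], body[:8])
	if err != nil {
		return nil, err // wrong device key or corrupted ciphertext: nothing is installed
	}
	d.Installed, d.UserApproved = version, false
	return image, nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	key := make([]byte, 32)
	rand.Read(key) // per-device key, normally provisioned at manufacture
	dev := &Device{VendorPub: vendorPub, ImageKey: key, Installed: 1, UserApproved: true}
	pkg, _ := BuildPackage(vendorPriv, key, 2, []byte("constructed v2 image"))
	image, err := dev.ApplyUpdate(pkg)
	fmt.Printf("update: %q err=%v installed=v%d\n", image, err, dev.Installed)
}
```

The approval flag is consumed by a successful update, so consent is per update rather than a standing permission; and because the version sits inside the signed region, an attacker who captured a genuine older image cannot re-label it as newer. What this does not cover is key management: the vendor's signing key and the per-device keys are the part a vendor has to get right outside the device.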

Conclusion

§ Unfortunately, it is difficult for users to secure their Smart Home themselves, as most systems do not provide a secure mode of operation

§ Nonetheless, there is advice to follow that reduces the risk of attacks

Thank you!

Gregory Grin - 2015