Safer Smart Homes

By on Oct 6, 2016 in Technology

The Internet-of-Things promises convenience and efficiency, but without security protocols, any connected home could fall victim to hackers and other cyber-crime.

Is your refrigerator running?

No, this isn’t some rehash of a preteen prank-call; thanks to Smart Homes, it’s now a legitimate concern. While “the internet of things” promises to liberate us from the toil of monitoring our residential lighting and free us to manage appliances from the comfort of our smart phones, this convenience is not without risk. As a recent article in Wired points out, all those residential Wi-Fi connections have enabled “a new breed of over-the-internet attacks,” and Smart Homes are easy pickings for all manner of cyber-criminals.

Connected and Vulnerable

The ability of hackers to remotely access internet-connected devices has plagued public utilities and healthcare providers quite a bit in recent years. In 2011, Russian hackers accessed the pump system of a Springfield, Illinois water utility, stealing users’ names and destroying a water pump. Earlier this year, ransomware knocked out the internal computer at the Lansing Board of Water and Light after an employee opened an email attachment. And the attacks are only increasing in volume and severity, triggering many security experts to raise the alarm and call for more stringent security systems.

As Malwarebytes security researcher Jérôme Segura recently mused when considering the dangers of ransomware, “One can imagine how detrimental it would be if someone was in the middle of a major operation and suddenly all of their health records became unavailable.”

In fact, the concern about Smart Home vulnerability is not theoretical. In May of this year, cybersecurity researchers at the University of Michigan unlocked the front door of a Smart Home using specially developed “lock-pick” malware. By exploiting “over-privilege” – a security loophole generated by SmartApps’ overly generous access protocols – the University researchers used a flaw in app authentication to essentially create their own spare key. The researchers also marshalled the stream of messages programmed to manage connected devices to manipulate settings and even turn off a fire alarm.

“The bottom line is that it’s not easy to secure these systems,” explained Atul Prakash, U-M professor of computer science and engineering, to the university newspaper. “There are multiple layers in the software stack, and we found vulnerabilities across them, making fixes difficult.”

“One way to think about it is if you’d hand over control of the connected devices in your home to someone you don’t trust,” he continued. “Then imagine the worst they could do with that and consider whether you’re okay with someone having that level of control.”

Hiding in Plain Sight

Most Smart Home set-ups require users to override firewalls and allow public access to their in-home internet. Additionally, Smart Home apps often require the use of a public IP address, which allows anyone to find the home’s devices online – a seductive opportunity for many cyber-criminals.

“Just having a public IP presence for anything opens up so many possibilities,” Guardian Project director Nathan Freitas told Wired. “If a device can be discovered, its vulnerability then depends on the manufacturer’s attention to security.”

“When you’re talking about a light bulb from China, you don’t want to rely on that.”

The non-profit Guardian Project focuses on promoting internet privacy. As part of a partnership with the Tor Project, which provides the Tor anonymity network, the Guardian Project has developed a network protection device using Tor encryption to secure connected homes and devices. While Tor has been used primarily to protect content pirates and other criminal activity, plenty of users take advantage of Tor’s protections to safeguard critical online communications and confidential tasks.

The Guardian Project’s system relies on a Raspberry Pi mini-computer to create a smart hub using HomeAssistant, an open-source software that works through Tor’s hidden service. Nestling a smart home within layers of anonymity not only removes the vulnerabilities inherent in using a public IP; it keeps smart homes safe from digital attacks.

“All we did was pull these pieces together to demonstrate a proof-of-concept for the role Tor can play in your home,” says Freitas, who’s also a fellow at Harvard’s Berkman Klein Center for Internet and Society. “It’s turning your Internet-of-things hub into a hidden service.”

Security through Authentication

The Guardian Project not only hides a smart home from the internet’s prying eyes, it also creates an extra level of protection through authentication. By downloading a “cookie” specifically configured to each individual smart home, only specific devices can access the system.

“If you add authentication, only people with this cookie can even connect to” your smart home hub, explains Freitas. “Without it, Tor doesn’t even let you route to that service.”
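As an added illustration (not the Guardian Project's code or configuration), the Python below audits a Tor configuration for the two properties described above: the hub is forwarded only to a loopback address, and clients must hold an authorization cookie. The sample torrc text, the directory path, the client name `phone` and port 8123 (Home Assistant's default) are constructed assumptions; `HiddenServiceAuthorizeClient` is the option Tor provided for cookie authorization on the onion services of that period.

```python
import ipaddress

# Constructed sample torrc fragments (assumptions, not the project's files).
# 8123 is Home Assistant's default port; "phone" is a made-up client name.
WEAK_TORRC = """
HiddenServiceDir /var/lib/tor/homehub/
HiddenServicePort 80 192.168.1.20:8123
"""
HARDENED_TORRC = """
HiddenServiceDir /var/lib/tor/homehub/
HiddenServicePort 80 127.0.0.1:8123
HiddenServiceAuthorizeClient stealth phone
"""

def parse_services(torrc_text):
    """Group hidden-service options under the HiddenServiceDir they follow."""
    services = []
    for raw in torrc_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        key, args = fields[0].lower(), fields[1:]
        if key == "hiddenservicedir":
            services.append({"dir": args[0], "targets": [], "auth": None})
        elif services and key == "hiddenserviceport":
            # "VIRTPORT [TARGET]"; with no target Tor uses 127.0.0.1:VIRTPORT
            services[-1]["targets"].append(args[1] if len(args) > 1 else args[0])
        elif services and key == "hiddenserviceauthorizeclient":
            services[-1]["auth"] = args[0]  # "basic" or "stealth"
    return services

def is_local(target):
    """True when Tor forwards to loopback or a unix socket only."""
    if target.startswith("unix:") or target.isdigit():
        return True
    host = target.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def audit(torrc_text):
    """Return (service_dir, finding) pairs for exposed or unauthenticated hubs."""
    findings = []
    for svc in parse_services(torrc_text):
        findings += [(svc["dir"], f"forwards to non-loopback target {t}")
                     for t in svc["targets"] if not is_local(t)]
        if svc["auth"] is None:
            findings.append((svc["dir"], "no client authorization cookie required"))
    return findings
```

Calling `audit(WEAK_TORRC)` reports both problems for the constructed weak sample, while `audit(HARDENED_TORRC)` returns an empty list.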

The extra step is not necessarily easy or intuitive; Tor project executive director Shari Steele calls the configuration an “early but important milestone” for smart home security.

So far, the Guardian Project prototype has been tested on both a desktop using TorBrowser and through the Android Tor app Orbot. Though not particularly user-friendly, Tor developers hope this first foray into smart home security will inspire commercial providers, like Samsung SmartThings, Google Home and Apple’s HomeKit, to use Tor’s tech in future security innovations.

“The Tor Project wants Tor privacy technology to be integrated into everyday life,” Steele writes in a statement to WIRED, so that “privacy and security are built in.”