There are many questions in your question, maybe more than you want, but I will give it a try.
Why is there a lack of security in many IoT products?
There are two reasons:
- New companies on the market without know-how.
- "Each cent counts"
There are many new companies on the market. They are developing toothbrushes, hairbrushes, bulbs and so on with the goal "Internet of Things", and bringing it to the consumer. So let's say we have an intelligent hairbrush from L'Oreal (yes, this is real shit). They say okay, let's make a hairbrush and an app, because the boys and girls should know all about their hair. But the hairbrush has to cost at most $15. Sorry bro, no money for security. And furthermore these companies are not Microsoft, Google or the like, which have years of security engineering and good engineers.
As I said above, this goes hand in hand. You need to sell the hairbrush. Apart from the fact that I don't need it, the goal is that people buy it. And the main factor is the price. When the company is talking about the price, there is no place for security in hairbrushes. The main focus is on production, marketing, ... Other than when, for example, Lenovo is producing a notebook.
How to secure my "Smart Home"?
You need to know: you will have many protocols, you will have many gateways, and many products are insecure. Furthermore, they want access to the internet. Of course, there are products on the market which do not need an internet connection. I recommend those, but be aware of the next step:
How to update? Do they expect me to update it manually?
There are so many insecure things on the internet. A few months ago someone wrote a script with about 100 standard credentials and had one million IoT devices in a very short time.
Of course you can put a box in front and watch the traffic, if you have the time, but this cannot be the solution for all consumers. This brings me to the next point.
For better security in your smart home you need to tell us which things you are using. There are products with telnet access, standard passwords and so on, so it is hard to say how to make it secure.
Just don't let your smart home send messages to the internet?
Sounds good, but it is not really possible. It is pretty simple: a company wants the data, to sell it or to inform other companies. That means you need to create an account for your new IoT product, and without that account and the connection the IoT product does not work.
"I don't care what they do with my data." Often heard, but the cases where this is misused are increasing.
That can be good [future scenario]: for example, a hospital knows which drugs you need.
That can be bad: the insurance company will ask you: Why didn't you take the drugs at 7 a.m.? We pay nothing.
Are we as consumers responsible for anything?
Back to security. Are we? Certifications, validations, encryption ... don't even really exist. DDoSing, the bad side of IoT. The consumer isn't interested in security. He is buying the hairbrush and checking the app to see if all is clear. "My SmartTV is DDoSing a bank in Mexico?" -> "I don't care, hopefully it recorded the football game last night."
Conclusion:
You need regulations for all that, so you need the state to talk about that. But if you have strict regulations, a hairbrush will cost $40 and not $15. IoT is coming in big steps: eSIM, smart home -> smart cities, etc.

Sorry for focusing so much on the hairbrush. :D
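As an added illustration of the two points above about a "script with about 100 standard credentials" and "products with telnet access, standard passwords" (example code written for this edit, not by the answer's author; the credential list, the fake device and all names such as `find_default_credentials` are constructed assumptions), here is a small Python audit that tries a list of factory defaults against a telnet-style login prompt. It runs against an in-process fake device bound to 127.0.0.1, so it works offline; pointing it at a real host and port audits a device you own for the same weakness.

```python
"""Telnet default-credential audit, with an in-process fake IoT device.

Added example (not from the original answer). The credential list, the fake
device and the function names here are constructed for illustration.
"""
import socket
import threading
from typing import Iterable, Optional, Tuple

# Constructed sample of factory defaults of the kind that credential-spraying
# scripts carry; real lists are much longer.
DEFAULT_CREDENTIALS: Tuple[Tuple[str, str], ...] = (
    ("root", "root"),
    ("admin", "admin"),
    ("admin", "1234"),
    ("user", "user"),
)


def _recv_until(sock: socket.socket, marker: bytes, limit: int = 4096) -> bytes:
    """Read from sock until marker appears, the peer closes, or limit bytes."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(256)
        if not chunk:  # peer closed the connection
            break
        buf += chunk
    return buf


def try_login(host: str, port: int, user: str, password: str,
              timeout: float = 2.0) -> bool:
    """Return True if user/password gets a shell prompt from a telnet-style login."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _recv_until(s, b"login:")
        s.sendall(user.encode() + b"\r\n")
        _recv_until(s, b"Password:")
        s.sendall(password.encode() + b"\r\n")
        reply = _recv_until(s, b"# ")  # BusyBox-style root prompt on success
        return b"# " in reply


def find_default_credentials(host: str, port: int,
                             creds: Iterable[Tuple[str, str]] = DEFAULT_CREDENTIALS
                             ) -> Optional[Tuple[str, str]]:
    """Return the first accepted (user, password) pair, or None if none works."""
    for user, password in creds:
        try:
            if try_login(host, port, user, password):
                return (user, password)
        except OSError:
            # Refused, unreachable or timed out: nothing there to audit.
            return None
    return None


class FakeTelnetDevice(threading.Thread):
    """Minimal telnet-like login prompt standing in for an IoT device.

    Accepts exactly one credential pair; everything else gets 'Login incorrect'.
    """

    def __init__(self, accepted: Tuple[str, str]):
        super().__init__(daemon=True)
        self.accepted = accepted
        self._stopping = threading.Event()
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.srv.bind(("127.0.0.1", 0))  # free port, loopback only
        self.srv.listen(8)
        self.srv.settimeout(0.2)  # lets run() notice stop() promptly
        self.port = self.srv.getsockname()[1]

    def run(self) -> None:
        while not self._stopping.is_set():
            try:
                conn, _ = self.srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(5.0)
                conn.sendall(b"\r\nlogin: ")
                user = _recv_until(conn, b"\n").strip().decode(errors="replace")
                conn.sendall(b"Password: ")
                pw = _recv_until(conn, b"\n").strip().decode(errors="replace")
                if (user, pw) == self.accepted:
                    conn.sendall(b"\r\nBusyBox built-in shell\r\n# ")
                else:
                    conn.sendall(b"\r\nLogin incorrect\r\n")

    def stop(self) -> None:
        self._stopping.set()
        self.join()
        self.srv.close()


def audit_fake_device(accepted: Tuple[str, str]) -> Optional[Tuple[str, str]]:
    """Spin up a fake device with the given factory credentials and audit it."""
    device = FakeTelnetDevice(accepted)
    device.start()
    try:
        return find_default_credentials("127.0.0.1", device.port)
    finally:
        device.stop()


if __name__ == "__main__":
    print("weak device:", audit_fake_device(("admin", "1234")))
    print("strong device:", audit_fake_device(("admin", "x7!Qv-long-unique")))
```

The audit stops at the first accepted pair, which is exactly what a mass-infection script does too: a device with any entry from such a list is owned within one connection, which is why "telnet open plus factory password" is the combination to look for first on your own network. Only run this against devices you own.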