My neighbor called yesterday; he wanted help connecting a brand-new, high-tech, high-security door lock to his Wi-Fi network. I let that sink in for a few seconds; eventually curiosity got the best of me, and I said I'd be right over. After a bit, I realized the Wi-Fi enabled lock did not like WPA2 -- the current best-practice security protocol for Wi-Fi networks.
A call to the lock’s help desk confirmed my suspicion. My neighbor then quietly explained how he employed considerable tact in persuading other family members of the necessity for a wireless lock. The apprehensive look on his face suddenly changed to one of relieved calm. Hanging up the phone, he announced, “No problem, we can switch the network to use WEP, the guy at the help desk said it’s good enough.”
Remembering how hard it was for me to get my neighbor to use WPA2 encryption in the first place, I launched into a technical tirade, pointing out how lame an idea that was. The next day, my neighbor called mentioning how infinitely cool it was to unlock and lock his house's front door while shopping at the Mall of America. Guy code I easily interpreted: his continued mental well-being trumped my security concerns.
The Wi-Fi lock episode reminded me that digital security is no longer just in the realm of IT -- it's spreading to every facet of our lives. My curiosity heightened, I started looking at what other non-computing devices were able to connect to home networks and, more importantly, gain internet access. The number of devices shocked me: Wi-Fi thermostats, Wi-Fi security cameras, Wi-Fi smart TVs (more on this later), and my favorite, the WebCam. Imagine sipping a luscious-tasting Mai-Tai on Waikiki Beach, when your partner mentions they hope the neighbor remembered to water the plants. Not a problem, check how the plants are doing using this Wi-Fi enabled robotic WebCam. And, you already know you can check to make sure the neighbor locked the door.
Now to the internet-connected smart TV, and what seems a bit creepy. Verizon now owns a patent on "Methods and Systems for Presenting an Advertisement Associated with an Ambient Action of a User." The idea is for the TV to watch and listen to the people within range, punch information of interest into a fancy program, which then figures out what might be the best ad to put on the screen, and the TV displays the specified ad during commercial breaks.
I can just imagine: the smart TV hears a baby crying, guess what kind of ads you will be seeing. Having an argument with your spouse? Don't be surprised if an advert for the closest marriage counselor pops up on the screen.
I happened to mention this to my lock-aficionado neighbor; he didn't see a problem, "It's better than watching some stupid commercial that doesn't interest me." Honestly, I expected that reply, and it's why the targeted-advertising debate is a can of worms.
All kidding aside, I see the benefits and convenience of having more home-related devices connected to the internet. It never fails: the time I can't remember locking the front door is when I'm nowhere near home. But I also see the proliferation of internet-connected devices as a massive increase in targets of opportunity for the bad guys.
I'm not the only one. A group of researchers at the University of Washington, Seattle, have done extensive research on "Computer Security and the Modern Home" (courtesy of ACM):
The capabilities of new electronics and their presence in the home facilitate traditional crimes and allow new classes of attacks.
Technically savvy burglars may use technology both to identify houses with expensive, easily resold items, and to better plan and execute their crimes. Adversaries can also target technologies with a wide range of new capabilities, with the goal of accessing video and audio feeds, unlocking doors or disabling home security, tampering with home healthcare devices, or interfering with home appliances and utilities.
The article is a treasure-trove of information, but long. What I'd like to do is discuss a few of the more important concepts put forward by the research team. To begin, the researchers determined what challenges were unique to the home front:
- An extremely personal, asset-filled environment.
- Requires extensive knowledge to administer heterogeneous collection of consumer technologies.
- Technologies that are cyber-physical and sensor-rich.
Next, the team addressed ways in which features of the now internet-connected devices can be used to facilitate criminal activities not possible with normal computing equipment:
- Determine the locations of lucrative home burglary targets via camera feeds, or the distinctive signatures of multiple, expensive devices.
- Provide access to homes using networked locks that are vulnerable to electronic compromise.
- Check whether or not a home is occupied (and by whom) via: cameras; microphones; motion sensors; logs for lights, thermostats, and door locks; or HVAC air pressure sensors.
The next area of study by the researchers interested me the most, namely how the bad guys are going to gain access to and exploit vulnerable home-networked devices:
- Electronically: A device on the home network might be compromised by a direct attack from a device external to the home, or compromised by an infected device within the home (whether stationary, mobile, or belonging to a guest).
- Physically: A device might be infected by a manual interface such as USB or CD. Alternative physical attack vectors include: receiving an infected device as a gift; purchasing a used, compromised device from a source such as eBay or Craigslist; purchasing a "new" device that has previously been purchased, infected, then returned; or purchasing a device that was infected during its manufacture.
- Social engineering: A user could be tricked into installing malware, such as via app stores. An adversary could also take advantage of the increasing number of consumers who jailbreak their devices, removing telco-provided security measures and most likely disabling the ability to get software updates.
The second bullet caught me by surprise. If the dark side leverages the second-hand market, a significant and thriving business model (eBay and Craigslist, for example) could be in jeopardy.
The University of Washington research team concluded with a warning:
[T]here is currently a lack of unified vision for evaluating security threats posed by the assortment of consumer devices within the home. There are trade-offs in the design of any security system, but without a cohesive strategy for reasoning about home device security, product manufacturers will be left to determine the appropriate trade-offs for themselves without best-practice references.
My neighbor's bulletproof, high-security internet-connected lock is an interesting bit of irony: it was made using generations of locksmith knowledge to be physically secure, yet all that is for naught if it's digitally insecure.
I want to thank my well-natured neighbor for allowing me to use the door-lock example. I would also like to thank the research team of Tamara Denning, Tadayoshi Kohno, Henry M. Levy, and the Association for Computing Machinery for the enlightening article, and for allowing me to use quotes from the article.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.