High-tech home security products: Who are they really helping?

Easy and convenient, wireless home security will keep your home safe. Michael P. Kassner looks at why bad guys might like them as well.

My neighbor called yesterday; he wanted help connecting a brand-new, high-tech, high-security door lock to his Wi-Fi network. I let that sink in for a few seconds; eventually curiosity got the best of me, and I said I'd be right over. After a bit, I realized the Wi-Fi enabled lock did not like WPA2 -- the current best-practice security protocol for Wi-Fi networks.

A call to the lock’s help desk confirmed my suspicion. My neighbor then quietly explained how he employed considerable tact in persuading other family members of the necessity for a wireless lock. The apprehensive look on his face suddenly changed to one of relieved calm. Hanging up the phone, he announced, “No problem, we can switch the network to use WEP, the guy at the help desk said it’s good enough.”

Remembering how hard it was for me to get my neighbor to use WPA2 encryption in the first place, I launched into a technical tirade, pointing out how lame an idea that was. The next day, my neighbor called mentioning how infinitely cool it was to unlock and lock his house's front door while shopping at the Mall of America. Guy code I easily interpreted: his continued mental well-being trumped my security concerns.

The Wi-Fi lock episode reminded me digital security is no longer just in the realm of IT -- it's spreading to every facet of our lives. My curiosity heightened, I started looking at what other non-computing devices were able to connect to home networks, and more importantly, gain internet access. The number of devices shocked me: Wi-Fi thermostats, Wi-Fi security cameras, Wi-Fi smart TVs (more on this later), and my favorite, the WebCam. Imagine sipping a luscious-tasting Mai-Tai on Waikiki Beach, when your partner mentions they hope the neighbor remembered to water the plants. Not a problem, check how the plants are doing using this Wi-Fi enabled robotic WebCam. And, you already know you can check to make sure the neighbor locked the door.

Now to the internet-connected smart TV, and what seems a bit creepy. Verizon now owns a patent on Methods and Systems for Presenting an Advertisement Associated with an Ambient Action of a User. The idea is for the TV to watch and listen to the people within range, punch information of interest into a fancy program, which then figures out what might be the best ad to put on the screen, and the TV displays the specified ad during commercial breaks.

I can just imagine: the smart TV hears a baby crying, guess what kind of ads you will be seeing. Having an argument with your spouse? Don't be surprised if an advert for the closest marriage counselor pops up on the screen.

I happened to mention this to my lock-aficionado neighbor; he didn't see a problem, "It's better than watching some stupid commercial that doesn't interest me." Honestly, I expected that reply, and it's why the targeted-advertising debate is a can of worms.

All kidding aside, I see the benefits and convenience of having more home-related devices connected to the internet. It never fails: the time I can't remember locking the front door is when I'm nowhere near home. But, I also see the proliferation of internet-connected devices as a massive increase in targets of opportunity for the bad guys.

I'm not the only one. A group of researchers at the University of Washington, Seattle have done extensive research on Computer Security and the Modern Home (courtesy of ACM):

The capabilities of new electronics and their presence in the home facilitate traditional crimes and allow new classes of attacks.

For example:

Technically savvy burglars may use technology both to identify houses with expensive, easily resold items, and to better plan and execute their crimes. Adversaries can also target technologies with a wide range of new capabilities, with the goal of accessing video and audio feeds, unlocking doors or disabling home security, tampering with home healthcare devices, or interfering with home appliances and utilities.

The article is a treasure-trove of information, but long. What I'd like to do is discuss a few of the more important concepts put forward by the research team. To begin, the researchers determined what challenges were unique to the home front:

  • An extremely personal, asset-filled environment.
  • Requires extensive knowledge to administer a heterogeneous collection of consumer technologies.
  • Technologies that are cyber-physical and sensor-rich.

Next, the team addressed ways in which features of the now internet-connected devices can be used to facilitate criminal activities not possible with normal computing equipment:

  • Determine the locations of lucrative home burglary targets via camera feeds, or the distinctive signatures of multiple, expensive devices.
  • Provide access to homes using networked locks that are vulnerable to electronic compromise.
  • Check whether or not a home is occupied (and by whom) via: cameras; microphones; motion sensors; logs for lights, thermostats, and door locks; or HVAC air pressure sensors.

The next area of study by the researchers interested me the most. How are the bad guys going to gain access to, and exploit, vulnerable home-networked devices:

  • Electronically: A device on the home network might be compromised by a direct attack from a device external to the home, or compromised by an infected device within the home (whether stationary, mobile, or belonging to a guest).
  • Physically: A device might be infected by a manual interface such as USB or CD. Alternative physical attack vectors include: receiving an infected device as a gift; purchasing a used, compromised device from a source such as eBay or Craigslist; purchasing a "new" device that has previously been purchased, infected, then returned; or purchasing a device that was infected during its manufacture.
  • Social engineering: A user could be tricked into installing malware, such as via app stores. An adversary could also take advantage of the increasing number of consumers who jailbreak their devices, removing telco-provided security measures and most likely disabling the ability to get software updates.

The second bullet caught me by surprise. If the dark side leverages the second-hand market, a significant and thriving business model (eBay and Craigslist, for example) could be in jeopardy.

The University of Washington research team concluded with a warning:

[T]here is currently a lack of unified vision for evaluating security threats posed by the assortment of consumer devices within the home. There are trade-offs in the design of any security system, but without a cohesive strategy for reasoning about home device security, product manufacturers will be left to determine the appropriate trade-offs for themselves without best-practice references.

Final thoughts

My neighbor's bulletproof, high-security internet-connected lock is an interesting bit of irony: it is made using generations of locksmith knowledge to be physically secure, yet all that is for naught if it's digitally insecure.

I want to thank my well-natured neighbor for allowing me to use the door-lock example. I would also like to thank the research team of Tamara Denning, Tadayoshi Kohno, Henry M. Levy, and the Association for Computing Machinery for the enlightening article, and for allowing me to use quotes from the article.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

36 comments
dialus

It is good. This is most safety of home lock system. Thank you for posting it is useful to peoples.

wizard57m-cnet

but instead of just taking everything they want, they also reset your passphrase, timers, and whatever else is connected in these so-called "smart homes"? That would just be a "low blow", come back home from vacation (what is this vacation anyway?? LOL) or from an evening out only to find you can't even open your own door, and you've set the alarm off, and the police decide that now is a good time to be on the call? I don't know, just seems a bit too connected for my taste.

snaik95899

I've had my network hacked several times while using WPA2/AES by "foreign" IPs. I've seen several so-called "secure home security systems" hacked by the very professionals that installed it. It doesn't matter if things are bolted down figuratively speaking or literally speaking these days. If people want to steal something they will. Quantum computers were supposed to be the latest and greatest things. Even they have tons of loopholes that can be exploited. So far to date no system has been totally, 100% secure. This is one time where low tech definitely is better. So unless you live at the White House, be friendly with your neighbors, and buy a big gun and a big dog.

Slayer_

The house thief isn't going to hack the wireless, they are going to smash the door or window, take what they want and leave.

LionDormant

I know I'm not quite on topic, but this article reminds me of the bio-metric security system at Britain's MI-5, as depicted in the British comedy series "Spy". Tim, a newly hired operative, experiences all manner of inconvenience getting by the retinal scan at the entry point to the secure area, but is never actually thwarted. The scanner announces "Not recognized", so he slips in with someone who is. The scanner announces "Artichokes, 80 pence" - well, who's going to stop an artichoke, right? Perhaps the regular machine is in for repair and they've a loaner from Tesco. Eventually, much to Tim's relief, the scanner announces "Tim Elliot" - but continues to do so for everybody in the queue.

pgit

"just because we can doesn't mean we should." This stuff is all gimmick, and people jump on it because it's "cool." Witness your neighbor rationalizing away a very real security risk that is totally unnecessary and that he's paying for. If "security" is at all an issue then the last thing you want is to be forced to use WEP on your home wifi network! I saw a list of unsecured web cam urls someone had sniffed out. Thousands of them. You could click the links and voila: someone's garbage cans in the back alley, a view of the crib, a bird feeder with the children's swing set in the background... Who would have predicted that people will enthusiastically shell out for the hardware necessary to construct the "1984" control grid?

jkofinas

Great article. I just wanted to mention do not forget the smarthome technology that exists out there (Insteon, Z-Wave, Zigbee, etc.). Most of those devices talk to each other but in the end require a gateway for the end user to program them (turn the power off, set timers; lock/unlock home, webcam etc.) So the connected home is becoming more and more complex and unsecure especially when some of the users ignore common sense security for the cool factor.

flhtc

Think about it. If you can see into your house, so can they. With the growing ease of finding ways to compromise encryption schemes etc... It would not be too difficult for a somewhat savvy criminal to case houses by IP address. The pick of the litter would be at their fingertips. Not for me. I'll take the caveman security approach. Be friendly with your neighbors, and carry a big stick.

HAL 9000

Just how much Bandwidth is left for Data Transfer by the Personal Computers used in the house and the Smart TV? That TV uses 2 way Data Transfer to do the things that some consider as an "Improvement" and I would imagine is fairly intensive on the Bandwidth it requires. Add in all of the other devices and we have a potential Problem with available Bandwidth. Personally I'm not even going to comment on the Security Issues that are raised here they are too numerous and open to even start on without a bulk load of time to question. Col

Michael Kassner

That would be as you say a "Low blow." I can just see a geek pulling a prank like that.

HAL 9000

A family goes on Holidays and returns to find their front fence stolen. Not to be outdone next year they go on holidays again and when they return the front fence is lying on the ground so they think that they got back just in time to prevent its theft. When they look up there is no house. They go to the local police station and report that their house has been stolen only to be told that the same police gave it an Escort 3 weeks ago as it was removed. That is some of the things House Thieves are capable of doing so Breaking WEP Encryption is the easy way in. ;) True story happened to a friend of mine and they didn't live in the sticks with no neighbors they lived in an Old Part of the City that was High Density Housing so the neighborhood was being slowly changed from 1/4 Acre Blocks to flats. No one including the Police asked any questions when a Removals Truck arrived and emptied the house and then a House Mover appeared and started cutting up the house for removal. They actually had the Police Escort them out of the city and it only took 5 weeks after the theft was reported to find out where the house had been moved to. Col

Michael Kassner

But, what if a techy bad-guy was able to scout the home prior to unlocking the front door and disabling the security alarm. That would be safer, easier, and allow for more stealing.

Michael Kassner

I believe my son watches that show and loves it. I was a consultant on a penetration test of a local business, and watched three people "tailgate" behind three recognized employees -- no wonder security is a billion dollar a year business.

JCitizen

We met "Big Brother" and he was US!! :O

Michael Kassner

There isn't a day that goes by where I don't read, see, or hear of an instance where security loses the convenience versus security/privacy battle.

Michael Kassner

I did forget about those devices, that is certainly another vector. I wonder if there have been any reported exploits?

Michael Kassner

I keep coming up with more and more ways that connected devices could be used for nefariousness.

Michael Kassner

Unless you have a monster Internet pipe, that bandwidth is typically the issue. My son uses NetFlix and that is usually happy with 2 Mb for itself.

Michael Kassner

I can't imagine what I would be thinking. Hiding in plain view is an option. I just would not have the gumption to pull that off.

Slayer_

But, if it did, vs the normal smash and grab. From experience, I can say that the police take an age getting to a house break in, so everything would still be stolen if the crook knows this. If not, then yes it would make things worse. But it is pretty sad that it only supports WEP. WEP shouldn't even be on routers anymore. If you can't convince this neighbor, hack their network and unlock their door during supper time and just walk in and say hi what's for supper?

JCitizen

if a cracker can take over your Mac Air through your smart phone using bluetooth; then it's darn well possible to do anything not using sufficient encryption. I can't give you a link because the client wants anonymity in this incident. So far only a few people and authorities at Interpol know about this particular case. But with all the news about China getting in everybody's shorts over industrial espionage, it can't be surprising. I've already seen enough on TV about "war driving" to know that even local hoods can compromise you in a heartbeat!

HAL 9000

I was thinking more of the Internal Bandwidth inside the house with all of the different WiFi Devices connected. As things stand now if you have a couple of Computers a Slate/iPad and some Smart Phones using the Internal WiFi you are according to some Experts exceeding the available bandwidth of the WiFi Network. Add to that a Smart TV which is effectively another computer doing its own thing and then locks, domestic appliances like my favorite Talking Toaster and Fridge/Freezer, light & power switches, blinds/window darkeners, security systems and the like and you very quickly not only have an On Line Home but you need more WiFi Bandwidth to run everything without massive lag times. Of course all those WiFi Devices running on poor WiFi Security like WEP is an open invitation to the nasties who want what you have and is an open invitation to them. Particularly as these things are now cheap and a lot are being offered on leases. Things like On Line Security Systems are being pushed very hard at the moment here and they are all WiFi so all Door Locks, Window Locks and Sensors chew up a lot of the available Bandwidth when taken as a whole not individually. They are also advertised to just Plug in and go over your Internet connection with no intrusions to the House Users. You sign up for a 24 Month contract with those places and they effectively give you the hardware as it's no use to anyone else and if you dare cancel or fail to renew the contract at the end of the contract you get massive bills from them because the Security System continues to report back to Mummy on everything that happens. Of course you can always disable it and remove the things but then you have to find something to fill the holes that were made and more importantly what do you now use as a Security System? Col

JCitizen

I once stole a rubber knife toy my Mom wouldn't let me have, and had to hide it all the time knowing full well my Mom would catch me in the crime! I never really got to enjoy "owning" it, and never stole another thing again in my life. Only legitimate ownership gives me any joy from now on! v/

pgit

I sure don't have it. I stole a tiny, wood block shaped like a truck from kindergarten, it still haunts me. I've not lifted so much as a stick of gum since. Translation: "I'm just plain 'ol no fun." :D

Michael Kassner

Is something I could not bear. I would probably stroke out.

JCitizen

where the whole crime scene is demolished! :O I suppose the risk of high jail time is lowered compared to arson; but I got to admit, if you were such a thief and got caught, you could always beg off on the old, "I got the wrong address" defense, and the cops may let you go long enough to make a good escape. I suppose that is a lot of work most crooks would rather avoid - otherwise they'd simply get a job! HA! :D

HAL 9000

I remember several years ago driving into work one day and knowing that something was different but not able to identify what it was. A large commercial building had been demolished overnight and that was what was missing/wrong. To most people something that big disappearing overnight is just impossible to comprehend. I suppose the same applies to stealing a house it's not common so it's hard to believe that it has happened when it does. Col

Michael Kassner

I have been called "no fun" by a lot of people, I think that's ok, I seem to remember times of too much fun, and the price afterwards.

pgit

"I'm just plain 'ol no fun" :) I know what I'd do, I'd invite my neighbor over, put a beer in his hand, sit him down next to my computer and show him what I can find out about his 'secure' home over that WEP wifi. "Just so you're aware, Dave, looky here..."

Michael Kassner

I prefer to keep my neighbor as a friend, he knows how to fix things that I am entirely clueless about.

JCitizen

On one hand - script kiddies get easily bored and wifi "un-security" gives them a big war driving target; on the other hand, this can also be a breeding ground for smarter criminals who might take a cue from the "successful" cracker community, and see bigger bucks for less risk. I can see a market similar to selling exploit kits, on a smaller scale, where smarter criminals sell to dumb butts, the tools to reduce risk in their criminal pursuits. Maybe I'm over-estimating the typical criminal mind though. Slayer has a point about the smash and grab - but that kind of criminal gets caught on camera and arrested within days. I see that played over and over again on cable programs.

pgit

I thought about that, too; break their WEP and do something like reset passwords, disable WEP (thus the door lock) or some other mayhem. It would be "unethical" in normal circumstances, but in your case, it'd be both research and journalism. From the sounds of it your neighbor would be a good sport about it.

Michael Kassner

What works for one person, should work for the next.

Michael Kassner

I guess it would matter how packet priority was set up on the controller. Obviously real-time devices like phones and video would need a higher priority than the refrigerator when it needs to phone home with the new grocery list.