Uploaded by Corey

CSSS Research Paper

Running head: THE INSECURITIES OF HOME AUTOMATION DEVICES
The Insecurities of Home Automation Devices
Webster University
CSSS 5000
Abstract
Since the inception of 802.11 in the 1980s, wireless technology has become an essential part of
everyday life. This technology evolved to what now has become the interconnectivity of all
devices, also called the “Internet of Things” (IoT) (Morgan, 2014). The concept behind an IoT is
the ability to control and monitor everyday activities via the web. Retailers, such as BestBuy and
Newegg, are selling these devices categorized under “home automation.” These devices include
a mix of devices ranging from IP (Internet Protocol) cameras, thermostat controllers, Wi-Fi
enabled outlets/lights, water/flood sensors, smart doorbells, smart smoke detectors, and smart
door locks. The results have been very profitable as consumers are buying into the home automation
market, which is expected to produce about $78.27 billion by 2022 (Rohan, 2016). There is one
significant issue with this new technology, which is a lack of security. In 2015, the Federal
Bureau of Investigation (FBI) released a statement that declared “since the conception of IoT, we
have seen several incidents that involved attacks on home systems and devices” (FBI, 2015).
This statement should be alarming to consumers, as they are often unaware of the threats they
face by using Wi-Fi capable devices. Despite the security risks facing an IoT in home
automation, there are no signs of it slowing down. In response, tech blogs and cyber security
specialists have published a plethora of online tutorials on how to secure your home network and
associated devices. These tutorials create a small layer of protection; however, there are still
significant risks associated with using web-enabled home automation devices.
Let's start off by saying that consumers should limit their use of home automation
devices. The reasons include potential security vulnerabilities, in both hardware and
software, that pose a risk to a healthy internet as well as to personal privacy. In 2016, The New
York Times published an article that described a new weapon used by hackers to conduct cyberattacks
(Perlroth, 2016). Surprisingly, the new weapon was the same as a web-enabled device
purchased at any tech store. Hackers have used these devices to execute distributed denial-of-service
(DDoS) attacks against several popular websites, such as Twitter, Netflix, Spotify, Airbnb,
Reddit, Etsy, SoundCloud, and The New York Times (Perlroth, 2016). To understand and
effectively combat this new threat against the consumer and their web-enabled devices, it is
imperative to know the concept of an IoT. Secondly, it is essential for consumers to understand
the risks associated with the devices they are using. Some of these common, yet potentially
harmful, devices include IP cameras, thermostat devices, smart door locks, and home routers.
Protecting devices requires user action. It is critical to take concrete steps to mitigate the risks
associated with specific devices. If the consumer is unable to perform these steps, limiting the
use of web-enabled devices entirely should be considered.
What is IoT?
“The IoT is a paradigm that is rapidly growing in the scenario of modern wireless
communications” (Atzori, Iera, & Morabito, 2009). The basic idea behind an IoT is an
interconnected world of electronic devices that can converse with one another across the Internet
using an IP address – this can be an IPv4 or IPv6 address. For example, on a home network, if
an IP camera is connected to a router via a wireless or hard-wired connection and is
assigned an IP address, that device is now considered a part of the IoT. The IoT is currently
expanding in an overabundance of outlets including businesses, agriculture, energy,
transportation, medical, and consumer markets (Rouse, 2016). Devices are being designed and
programmed to automate, monitor, or capture data that was once manually accomplished. Figure
1 displays the breakdown of IoT and the complexity of interconnectivity between the various IoT
markets.
Figure 1. This chart shows the different sectors of the IoT infrastructure. Specifically, the
consumer & home sector of the graph outlines some of the devices that interconnect with
IoT. These devices include Network Access/Management, Security Alerts, and Home
Automation Devices (Farnsworth, 2015).
The IoT is what some consider the post-PC era (Gubbi, Buyya, Marusic, & Palaniswami,
2016). In this new era, smartphones and handheld devices outnumber desktop computers and
laptops. These devices are more consumer friendly, and they support applications that enable
them to become portable smart devices. Smart devices have the capacity to connect to several
web-enabled devices where they can control or monitor them at any given time (Gubbi, Buyya,
Marusic, & Palaniswami, 2016). An example includes using an iPhone to operate an application
that controls the locking mechanism to the doors of a home. Another example is using a tablet to
control a thermostat in a home. Smart devices hold the potential of directing and monitoring
every aspect of a home; however, IP space is a major concern for the future as more devices
continue to hit the market.
In 2012, Cisco estimated that there were approximately 8.7 billion devices connected to
the internet. Currently, there are an estimated 30.7 billion devices. This number has almost
quadrupled in four years (Lucer, 2016). Unfortunately, this poses an issue for the future of IoT.
Currently, many organizations strictly utilize IPv4, or Internet Protocol version 4 addresses. IP
addresses are assigned to a Media Access Control (MAC) address of a physical device’s
Network Interface Card (NIC). Depending on the year the device’s card was made, the NIC may
only support an old IPv4 address. The downside to an IPv4-only infrastructure is that it only
supports a 32-bit address. As a result, IPv4 can only support 4.29 billion IP addresses at one
time (Parr, 2011). In response to this problem, IPv6 addresses were developed. IPv6 addresses
are 128 bits long and can support 2^128 internet addresses, which equates to approximately 340
undecillion addresses (Parr, 2011). The number of available IP addresses is crucial for the future
of IoT because the number of web-connected devices is expected to reach 75.4 billion in 2025
(Lucer, 2016).
The demand for these devices is one of the many factors contributing to the growth of
IoT devices. The problem for consumers is that the industries that are making these products are
not necessarily concerned about their security. In 2016, the Broadband Internet Technical
Advisory Group (BITAG) released a report titled the IoT: Security and Privacy
Recommendations. In this report, they identified that there is currently a lack of security and
privacy practices in the IoT consumer market (BITAG, 2016). Consumer product development
suffers from several issues. These include lack of IoT supply chain experience concerning
security and confidentiality, a lack of incentives to develop and release updates after the initial
sale, and difficulty of securing over-the-network upgrades. Additional problems include devices
with limited security hardware, devices with constrained or limited user interfaces, and devices
with malware inserted during the manufacturing process (BITAG, 2016). Every issue poses a
new threat to consumers who are largely unaware that their devices have significant
vulnerabilities.
The first problem with IoT development is the industry’s lack of security and privacy
practices and regulations when developing new products. The fact is there are no security
regulations or standards for a company that produces such devices. Companies look for the
cheapest, most practical components across a multi-national supply chain. Secondly, there is no
incentive for a company to develop security updates after the initial release of a product. IoT
devices are evolving at a fast pace which makes it difficult for a company to maintain product
lines. It is also challenging for businesses to ensure security with over-the-network updates. By
patching devices via the internet, they become susceptible to hijacking or malicious code. Some
cheaply made devices have limited interface capabilities. The interface is what enables a
consumer to manage the device and install firmware or software updates. The last issue is
devices that have malware installed during the manufacturing process. A recent example is
from November 2016, when nearly three million Android phones came with pre-installed code
that, when executed, gave hackers full control of the device (Goodin, 2016). Consumers need to be
aware that devices, especially those devices created by small third-party companies, are likely to
be plagued with low quality, insecure components.
Some IoT devices are commonly used as home automation gadgets, including IP
cameras, thermostat controllers, smart door locks, and routers. These devices can simplify human
interactions around the home by providing the capability of controlling or monitoring what is
going on in other parts of the home without being physically present. One is also not charged
with the responsibility of having to remember to carry around a key because the door lock is
digitized. These devices are prone to several different types of backdoor cyber-attacks. Some of
the more sophisticated attacks are malware botnets which enable hackers to gain control of the
devices via malicious code. Other attacks can be as simple as brute forcing or cracking
usernames and passwords to accounts. Either way, every device used around a home has
vulnerabilities associated with it.
Threats against IP cameras.
IP cameras are the most invasive devices a hacker can gain control of.
It is invasive because once a camera is accessed either via malware or brute force attack, the
hacker can watch whatever the camera is monitoring. In 2014, Network World reported that a site
exposed nearly 73,011 unsecured security camera locations in 256 countries. The cameras,
manufactured by the company TRENDnet, were designed with a feature that enabled them for
public viewing unless the user checked a box to remove the setting. Unfortunately for
consumers, the general configuration was a default setting. Since most users failed to configure
their devices, the site gained easy access to the cameras by using default manufacturer usernames
and passwords. Thus, TRENDnet received criticism for failing to recognize this as an apparent
security flaw.
Another, more recent example occurred in November of 2016. SEC Consult, a
renowned IT security and consultation firm, exposed the Sony Entertainment Company when
it reported that there was a critical flaw in 80 of their SNC series IP cameras (Amir, 2016). The
flaw left the cameras with backdoor accounts. An additional discovery
identified that there is a CGI binary configuration that permits remote users to send a specially
designed HTTP request that enables the Telnet service. Once Telnet is enabled, the hacker can
log in using the default manufacturer username and password, unless the defaults have been changed in the
device settings (Amir, 2016). Once the hacker has full control of a device, they can spy on,
disrupt, or manipulate the video. Hackers can also corrupt the network that contains the targeted
camera.
Threats against Wi-Fi thermostat devices.
Aside from the potentially invasive threats of IP cameras, newer technology, such as the
Wi-Fi enabled thermostat devices, are also bringing new threats to consumers. In August of
2016, a news agency reported that white hat hackers showed off the first-ever ransomware that
works against web-enabled thermostats (Lorenzo, 2016). The white hat hackers have no intention
of releasing the code. Their intention was to make the point that IoT devices fail to take simple
security precautions. The thermostats run largely on a Linux operating system, and they have an
SD card that allows users to load custom settings and wallpaper (Lorenzo, 2016). Hackers could
release wallpaper for those devices that had malicious code hidden in it – this is called
steganography in the cyber community. The Linux operating system does not check the files loaded
into the SD card slot, and instead executes the code autonomously. The security loophole would
give hackers full control of a home's thermostat system, as well as any other functionality the
thermostat may have.
An independent Black Hat research team at the University of Central Florida released a
report about the NEST thermostat devices. In the report, they discovered that the complexity of
the NEST infrastructure provided a breeding ground for vulnerabilities (Hernandez, Arias,
Buentello, & Jin, 2014). They explain that while NEST has taken some steps to mitigate
vulnerabilities, there are ways of gaining access to the device. Again, the devices were
susceptible to loading malicious code via a USB stick. The problem with smart thermostat
devices is that they lack the hardware to detect malicious firmware.
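The missing check described above (files from removable media are used without validation, and firmware is not verified before install) can be sketched as follows. This is an added example, not code from any thermostat vendor or from the cited reports; the file names, manifest layout, and demo key are assumptions, and an HMAC stands in for the asymmetric signature a production update scheme would use, because Python's standard library has no public-key signature primitive.

```python
import hashlib
import hmac
import json

# Constructed demo key. A production updater would verify an asymmetric
# signature with a vendor public key; HMAC stands in so this runs on stdlib.
DEMO_KEY = b"constructed-demo-key"

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_END = b"\x00\x00\x00\x00IEND\xaeB`\x82"  # empty IEND chunk with its fixed CRC


def sign_manifest(manifest, key):
    """Vendor side: authenticate the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def check_wallpaper(data):
    """Structural check only: a PNG with nothing appended after IEND."""
    if not data.startswith(PNG_MAGIC):
        return "reject: not a PNG"
    end = data.find(PNG_END)
    if end == -1:
        return "reject: no IEND chunk"
    if end + len(PNG_END) != len(data):
        return "reject: trailing data after image"
    return "accept as data"


def admit_file(name, data, manifest, tag, key):
    """Decide what the device may do with one file found on the SD card."""
    if name.endswith(".png"):
        return check_wallpaper(data)  # displayed, never executed
    if name.endswith(".bin"):
        # Authenticate the manifest first, then compare the file digest to it.
        if not hmac.compare_digest(sign_manifest(manifest, key), tag):
            return "reject: manifest not authentic"
        expected = manifest.get("files", {}).get(name, "")
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(expected, actual):
            return "reject: digest mismatch"
        return "accept for install"
    return "reject: file type not allowed"


# Constructed sample inputs (not real firmware or a real image).
GOOD_PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + PNG_END
PADDED_PNG = GOOD_PNG + b"#!/bin/sh\necho constructed\n"
FIRMWARE = b"constructed firmware image v2"
MANIFEST = {"version": 2, "files": {"update.bin": hashlib.sha256(FIRMWARE).hexdigest()}}
TAG = sign_manifest(MANIFEST, DEMO_KEY)

if __name__ == "__main__":
    for name, data in [("wall.png", GOOD_PNG), ("wall.png", PADDED_PNG),
                       ("update.bin", FIRMWARE), ("update.bin", FIRMWARE + b"x"),
                       ("setup.sh", b"echo hi")]:
        print(name, "->", admit_file(name, data, MANIFEST, TAG, DEMO_KEY))
```

The wallpaper check is structural and does not prove an image is harmless; the control that matters is that nothing from the card is executed unless it matches an authenticated manifest.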
Threats against smart locks.
A presentation at a Def Con Hacking Conference identified that some smart locks can be
hacked for under $100 (Rose & Ramsey, 2016). This is alarming to consumers who rely on these
locks to secure their homes and valuables. The smart lock devices rely primarily on a Bluetooth
Low Energy signal, or BLE for short. BLE technology is used by several companies
including iBluLock, Quicklock, Noke, and Master Lock (Rose & Ramsey, 2016). It operates at
the same frequency as a standard home Wi-Fi network, which is 2.4 GHz. Hacks are achieved by
using devices that are programmed to discover these locks emitting a BLE signal. The scanners
lock onto the lock's physical address and then emit a signal that unlocks the door. This hack
is commonly referred to as wardriving. Wardriving is the act of scanning for wireless networks
in a moving vehicle using a computer or smart device. Anthony Rose, the presenter of this
presentation at Def Con, reported that out of twelve companies they contacted to report these
vulnerabilities, only one responded that they are looking for a fix (Rose & Ramsey, 2016).
Threats against home routers.
Routers are the tier two connection that enables home users to connect devices to the IoT.
The problem facing the consumer market is that routers are compromised without the owner's
knowledge. In 2016, PC World published an article on a security flaw found in several Netgear
routers. Netgear is one of the leading retailers of home network solutions. Netgear responded to
the reports and discovered that almost every router in their 2016 product line has this
vulnerability. The vulnerability was reported by a cybersecurity researcher who goes by the
name Acew0rm (Constantin, 2016). Acew0rm stated the following, “The issue stems from
improper input sanitization in a form in the router’s web-based management interface and allows
the injection and execution of arbitrary shell commands on an affected device.” (Constantin,
2016). The ability to run shell commands gives hackers complete access to the router.
That is a major concern for consumers because once a hacker controls a router they can access,
manipulate, and destroy any other device connected to the network.
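The input-sanitization failure quoted above is avoided by validating form input against an allowlist and never handing it to a shell. The following is an added example, not Netgear's code: the ping diagnostic form and the function names are hypothetical, chosen only because such a form is a typical place where a management interface turns user input into a command.

```python
import ipaddress
import re
import subprocess

# One DNS label: starts and ends with a letter or digit, so a value
# beginning with "-" can never be mistaken for a command-line option.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def validate_target(value):
    """Return the target if it is an IP address or hostname, else raise."""
    if not isinstance(value, str) or not 1 <= len(value) <= 253:
        raise ValueError("target must be 1-253 characters")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    # fullmatch (not match) so a trailing newline or suffix is rejected.
    if _HOSTNAME.fullmatch(value):
        return value
    raise ValueError("target is not an IP address or hostname")


def build_ping_argv(value):
    """Build an argument vector; the value is one argv element, never shell text."""
    return ["ping", "-c", "1", validate_target(value)]


def run_ping(value):
    """Run the diagnostic without a shell, so metacharacters have no meaning."""
    return subprocess.run(build_ping_argv(value), shell=False,
                          capture_output=True, timeout=5, check=False)


def is_rejected(value):
    """Helper for the demo: True when validation refuses the input."""
    try:
        build_ping_argv(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed form inputs.
    for sample in ["192.168.1.1", "router.lan", "192.168.1.1; echo injected", "-f"]:
        print(repr(sample), "rejected" if is_rejected(sample) else build_ping_argv(sample))
```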
Another major concern for home routers is their use in botnet-based attacks. A botnet
is defined by Kaspersky, a renowned cyber security company, as an interconnected
network of computers and devices that are infected with malware without the user’s knowledge
(Kaspersky, 2016). Figure 2 illustrates how malware enables hackers to transmit viruses, spam
emails, or conduct various cyber crimes. Some of the more complex botnet attacks include the
Mirai-Botnet attacks. The concept behind the Mirai-Botnet is that it infects routers and any
device connected to the IoT. The botnet uses those devices as robots, and under the hacker's
control they can flood websites, and virtually anything that connects to the internet, with requests
(Cimpanu, 2016). They use the Mirai-Botnet to conduct these attacks, which are called DDoS.
Botnets effectively turn home routers into weapons of destruction.
Figure 2. Botnet depiction from attacker to victim. This chart displays a visual
representation of how a botnet attack works to conduct DDoS attacks on target systems
(Anonymous, 2016).
What can be done to protect a home?
Despite the significant vulnerabilities that plague home automation devices, there are
ways for consumers to mitigate risk. However, there is a much greater need for the industry
developing these products to ensure their security as well. Several blogs and tech websites have
outlined several different methods for suppliers and consumers to secure some of the devices.
For consumers, these steps include configuring each device connected to their home network.
Each device has different settings and configurations that enable it to become more secure, while
the industry needs to start giving consumers the hardware they need to provide more security.
IP cameras, for instance, need to have default usernames and passwords changed. BITAG
recommends that users use 12-digit complex passwords (BITAG, 2016). By failing to do this, the
consumer is putting themselves at risk of having their cameras compromised by hackers. BITAG
also recommended developers implement hardware that encrypts the IP traffic in either SSL or
AES (BITAG, 2016). Encrypting would create a secure connection that would enable IP cameras
to use HTTPS rather than unsecured HTTP. As for web-enabled thermostat devices, there is
nothing the consumer can do to prevent an attack. The industry needs to develop a way to
validate firmware before it is installed. There is also a need for scanning the SD card to
validate that the wallpaper and other settings that the Nest can upload do not contain malicious code.
Next, some smart locks do pose a threat that cannot be mitigated. Sources recommend that if a
consumer wants to invest in a digital lock, they invest in one that has the ability for two-factor
authentication, long 16-20 digit passwords, and proper AES encryption (Rose & Ramsey, 2016).
Lastly, home routers, the backbone of a home’s network, need to have many settings configured
properly to provide a layer of security. There are many outlets online that consumers can go to, to
get advice on how to secure their network. A more popular site, PC Mag, recommends
consumers take the following steps to secure their wireless routers: change the password for the
login, update the firmware, enable a specific range of IPs for DHCP, use static IPs, hide a
router's SSID or wireless broadcast capability, and use complex passwords for the router’s wifi
(Pacchiano, 2015).
In conclusion, this analysis of home automated devices sheds light on the need for the
industry to focus on security rather than profits. It also displays the need for consumers to be
more aware of the devices they are bringing into their homes. As the number of IoT-connected
devices increases over the next decade, it becomes more apparent that insecure devices are a
threat to the existence of the internet. That is because botnet attacks such as the Mirai-Botnet are
being implemented by using home automation, as well as the other spectrums of IoT, displayed
in Figure 1, to destroy the internet's foundation. Consumers need to be more aware of the
vulnerabilities they face using these products, and take action by limiting the use or configuring
them to be more secure.
References
Amir, U. (2016, December 10). Nearly 80 Sony IP Camera Models Plagued with Backdoor
Accounts. Retrieved from Hack Read: https://www.hackread.com/80-sony-ip-cameramodels-plagued-with-backdoor/
Anonymous. (2016). Malware-infected home routers used to launch DDoS attacks. Retrieved
from Help Security: http://www.helpsec.net/malware-infected-home-routers-used-tolaunch-ddos-attacks
Anonymous. (2015, September 17). FBI Warns Public on Dangers of the Internet of Things.
Retrieved from Trend Micro:
http://www.trendmicro.com/vinfo/us/security/news/internet-of-things/fbi-warns-publicon-dangers-of-the-internet-of-things
Atzori, L., Iera, A., & Morabito, G. (2009). The Internet of Things: A survey. Elsevier, 1-19.
BITAG. (2016). Internet of Things (IoT) Security and Privacy Recommendations. BITAG.
Cimpanu, C. (2016, December). Security Firms Almost Brought Down Massive Mirai Botnet.
Retrieved from Bleeping Computer:
https://www.bleepingcomputer.com/news/security/security-firms-almost-brought-downmassive-mirai-botnet/
Constantin, L. (2016, December 12). Nasty unpatched vulnerability exposes Netgear routers to
easy hacking. Retrieved from PC World:
http://www.pcworld.com/article/3149554/security/an-unpatched-vulnerability-exposesnetgear-routers-to-hacking.html
Farnsworth, C. B. (2015, February 13). Hacking the Internet of Things. Retrieved from IoT:
http://www.greenbuildermedia.com/internet-of-things/hacking-the-internet-of-things
Goodin, D. (2016). Powerful backdoor/rootkit found preinstalled on 3 million Android phones.
Ars Technica.
Gubbi, J., Buyya, R., Marusic, S., & Palaniswami, M. (2016). Internet of Things (IoT): A Vision,
Architectural Elements, and Future Directions. Australia: The University of Melbourne.
Hernandez, G., Arias, O., Buentello, D., & Jin, Y. (2014). Smart Nest Thermostat: A Smart Spy
in Your Home. University of Central Florida: Security in Silicon Laboratory.
Kaspersky. (2016). What is a Botnet Attack? - Definition. Retrieved from Kaspersky:
https://usa.kaspersky.com/internet-security-center/threats/botnetattacks#.WFbZE_krKUk
Lorenzo, F.-B. (2016, August 7). Hackers Make the First-Ever Ransomware for Smart
Thermostats. Retrieved from Motherboard: http://motherboard.vice.com/read/internet-ofthings-ransomware-smart-thermostat
Lucer, S. (2016). IoT platforms: enabling the Internet of Things. IHS Technology, 1-20.
Morgan, J. (2014, May 13). A Simple Explanation Of 'The Internet Of Things'. Retrieved from
Forbes: http://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanationinternet-things-that-anyone-can-understand/#3316af316828
Network World. (2014, November 6). Peeping into 73,000 unsecured security cameras thanks to
default passwords. Retrieved from Network World:
http://www.networkworld.com/article/2844283/microsoft-subnet/peeping-into-73-000unsecured-security-cameras-thanks-to-default-passwords.html
Pacchiano, R. V. (2015, November 2). How to Set Up and Configure Your Wireless Router.
Retrieved from PC Mag: http://www.pcmag.com/article2/0,2817,2375207,00.asp
Parr, B. (2011, February 03). IPv4 & IPv6: A Short Guide. Retrieved from Mashable:
http://mashable.com/2011/02/03/ipv4-ipv6-guide/#TnlB4AQCqkqH
Perlroth, N. (2016, October 21). Hackers Used New Weapons to Disrupt Major Websites Across
U.S. Retrieved from New York Times:
http://www.nytimes.com/2016/10/22/business/internet-problems-attack.html?_r=1
Quora. (2013, Jan 7). How Many Things Are Currently Connected To The "Internet of Things"
(IoT)? Retrieved from Forbes: http://www.forbes.com/sites/quora/2013/01/07/how-manythings-are-currently-connected-to-the-internet-of-things-iot/#3b365d976379
Rohan. (2016, April). Home Automation System Market by Product (Lighting Control (Switch,
Occupancy Sensor), Security & Access Control, HVAC Control (Pump & Fan, Control
Valve), Entertainment & Other Controls), Software & Service & Geography - Global
Forecast to 2022. Retrieved from Markets and Markets:
http://www.marketsandmarkets.com/Market-Reports/home-automation-control-systemsmarket-469.html
Rose, A., & Ramsey, B. (2016). Picking Bluetooth Low Energy Locks from a Quarter Mile
Away. Las Vegas: Def Con Hacking Conference.
Rouse, M. (2016). Internet of Things (IoT). Retrieved from Tech Target:
http://internetofthingsagenda.techtarget.com/definition/Internet-of-Things-IoT