When it comes to smart home security, cameras are the worst

Credit: Dropcam

Don’t freak out, but the products inside your smart home have some serious security flaws, according to a new report out from enterprise security research firm Synack. The company tested 16 popular devices over the holidays and determined that connected cameras were the least secure. Products ranging from the SmartThings hub to the Nest and Lyric thermostats also had some problems.

Colby Moore, the security research analyst who compiled the report, said it took him about 20 minutes to break into each of the assorted devices, and he only found one — the Kidde smoke detector — that didn’t have any significant flaws. But the Kidde isn’t actually connected. Before we break down each device’s big problems, the macro picture from the report is that there are no real standards in the connected-home security space, and perhaps we should come up with some.

“Right now the internet of things is like computer security was in the nineties, when everything was new and no one had any security standards or any way to monitor their devices for security,” said Moore.

The Withings Home camera

In general, Moore suggests the following as basic best practices, even though he concedes that some users won’t like them:

  • Hardwire as many devices as possible. And when devices are wireless, make sure they have push notifications to the user when they are kicked offline.
  • Firmware updates should happen automatically, especially those dealing with security flaws and vulnerabilities. Don’t wait for the user to push them through.
  • Require strong passwords. Make sure they have combinations of numbers, special characters and letters and are more than 12 characters.
  • Send all the data to the cloud using a secured connection. Don’t store it on the device, which can be hacked.
  • If you are going to use SSL, check certificates at both ends. Apparently, some devices do not.
  • Use SSL pinning so your device is authenticated, as opposed to the network the device is on.
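The two TLS items in that list, checking certificates at both ends and pinning, as a worked example in Go; this is added here and is not code from the Synack report or this article. It builds a demo PKI in memory (a fleet CA issuing one cloud certificate and one device certificate, under the hypothetical names ca.example, cloud.example and camera-0001) and runs a mutual-TLS handshake over an in-memory pipe in which the cloud requires a device certificate from that CA, and the device verifies the cloud’s chain and hostname and then compares the SHA-256 of the cloud’s public key against the value it shipped with.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// issue mints a demo certificate for name: a self-signed root when parent is nil, otherwise a leaf signed by parent.
func issue(name string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = t, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// handshake runs one mutual-TLS handshake over an in-memory pipe. pin is the SHA-256 of the cloud's SPKI the device ships with.
func handshake(ca, cloud, dev *x509.Certificate, cloudKey, devKey ed25519.PrivateKey, pin [32]byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cloudCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cloud.Raw}, PrivateKey: cloudKey}},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, SessionTicketsDisabled: true} // cloud end: device cert must chain to ca
	devCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{dev.Raw}, PrivateKey: devKey}},
		RootCAs: pool, ServerName: cloud.Subject.CommonName, CurvePreferences: []tls.CurveID{tls.X25519}, // never InsecureSkipVerify
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error { // runs after the chain and hostname checks
			if sha256.Sum256(chains[0][0].RawSubjectPublicKeyInfo) != pin {
				return errors.New("cloud public key does not match the pinned value")
			}
			return nil
		}}
	c, s := net.Pipe()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(s, cloudCfg).Handshake() }()
	err := tls.Client(c, devCfg).Handshake()
	c.Close()
	return errors.Join(err, <-srvErr) // nil only when both ends accepted each other
}
```

With the correct pin the handshake returns nil; a cloud key that does not match the pin, or a device certificate from a CA the cloud does not trust, makes it return an error from the rejecting end.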

Some of these may be controversial. For example, stronger passwords can be a pain to enter on devices with tiny screens and no keyboards. Another issue is hardwiring everything. Wireless devices are simply more convenient, and wireless connectivity is often a reason people buy a certain product over another. Finally, storing all of your data in the cloud might be more secure, but it’s only as secure as your cloud vendor. If the vendor gets hacked, there go your data and your camera images.

Moore concedes these points, but says that even understanding these tradeoffs would help. I agree. It’s one thing to trust my camera data to Nest or Amazon, but another to trust it to a startup that just launched three months ago (although it’s highly likely that its cloud back-end is Amazon Web Services). So what about the specific devices?

Synack looked at four classes: cameras, thermostats, smart hubs and smoke detectors. It found the most flaws in the camera class, with Dropcam being the most secure.

In thermostats, Nest once again was the most secure, but most were dinged for their password policies. This is understandable, because most thermostats don’t have keyboards, making it tough to enter a password on the device itself.

When it comes to smoke detectors we see Kidde, the only device that got a perfect score from a security perspective, in part because it’s not connected. Why it’s on this report, I don’t know. There’s also the first mention of a supply chain–based attack, which is worth noting, because it means that someone would have to intercept the device and change a component. This isn’t specific to just smoke detectors, but any connected product. I thought this was tenuous, but Moore pointed out that we could see more of it in the future and that it really just took a bit more long-range planning. It could also be seen more in returned or second-hand devices.

Finally we see his results from testing home automation hubs. While the Revolv isn’t sold anymore because Nest purchased the company for the engineers, the others are on the market.

While this report covers the devices themselves, I’d like more insight into how we secure the future, when we start linking these devices together. I tie many services together via Works with Nest, If This Then That and many other services, and suspect others will soon do the same. And while individual devices may get more secure, once they start sharing data between clouds, that introduces new weaknesses that this report doesn’t even get into. When asked about security in the smart home today, Moore said, “Security is abysmal.”

So, let’s work on that, but let’s think about how we’re planning for tomorrow, too.

Updated: This story was updated at 3:06pm PT to clarify that the Kidde smoke detector isn’t connected.

bullcrap

Had to laugh at “hardwire them”. WTF does that do for reducing hacking? nothing. Also had to laugh at recommendation to store camera data in the cloud… Because that is safer than on a local secured nas.

gordo

I can’t wait for my refrigerator to tell me “Please choose a password with at least blah blah blah” or “You can’t use a previously used password” Or “To ensure your privacy, please tell us a secret that nobody else knows like the name of your first pet”..

noname

These are not real home security products. Real home security devices require an installer to wire the home – yes, with actual camera wiring and sensors. The things mentioned in this article are home automation products, so a different level of expectation should apply to what they cost and what they can be expected to do. If you use a Dropcam for security, well, I don’t want to sling insults, but that’s just buying a brand name box off a shelf rather than buying something that is designed to work first, which comes in a plain box, from a brand nobody has ever heard of outside security installers.

In any case, the article misses the point that anyone with physical access to your network is already inside your line of defense, in which case you can’t assume any security remains. So if somebody is on your wifi network hacking your camera, the bigger concern is what else are they doing on your network? Video pics pale into nothing compared to data they could be stealing.

I do run wifi cameras in my home. They have their own wifi network (actually more than one; cameras use a lot of bandwidth) and feed to a server in my home which emails pictures or video to me. None of the cameras touch the internet directly. None of them are on a wifi network that anybody in my home uses. Not that I let people use my wifi, but even if I did, the cameras are not there.

Scott

“Colby Moore, a security research analyst who compiled the report, said it took him about 20 minutes to break into each of the assorted devices”

Sounds like showing off to me. What did he do to “break into each of the assorted devices”? Used a screwdriver?

By the measures he uses, smart home devices aren’t any more insecure than many of the other webservices you use, or your home computer.

M

Is there any proof of actual hacks? A best practices report card is not evidence of a vulnerability

Martin T Focazio (@mfocazio)

Very nicely done, and validates why the whole IOT universe is not allowed in my home. It’s a playground for script kiddies and malware authors, and the grossly negligent coding practices of most of these vendors are shameful.

x.o.ware, inc.

These devices are designed to be insecure. Worse, some of them can’t even be accessed from the LAN, they have to go through the manufacturer’s server, which creates yet another vulnerability. Manufacturers say they do this to make it easy for the user, but it’s not necessary. The real reason is they want to generate additional revenue from their servers that their devices must connect to.