When it comes to smart home security, cameras are the worst

Don’t freak out, but the products inside your smart home have some serious security flaws, according to a new report out from enterprise security research firm Synack. The company tested 16 popular devices over the holidays and determined that connected cameras were the least secure. Products ranging from the SmartThings hub to the Nest and Lyric thermostats also had some problems.

Colby Moore, a security research analyst who compiled the report, said it took him about 20 minutes to break into each of the assorted devices and he only found one — the Kidde smoke detector — that didn’t have any significant flaws. But the Kidde isn’t actually connected. Before we break down each device’s big problems, the macro picture from the report was that there are no real standards in the connected home security space, and perhaps we should come up with some.

“Right now the internet of things is like computer security was in the nineties, when everything was new and no one had any security standards or any way to monitor their devices for security,” said Moore.

The Withings Home camera

In general Moore suggests the following as basic best practices, even though he concedes that some users won’t like them:

  • Hardwire as many devices as possible. And when devices are wireless, make sure they have push notifications to the user when they are kicked offline.
  • Firmware updates should happen automatically, especially those dealing with security flaws and vulnerabilities. Don’t wait for the user to push them through.
  • Require strong passwords. Make sure they have combinations of numbers, special characters and letters and are more than 12 characters.
  • Send all the data to the cloud using a secured connection. Don’t store it on the device, which can be hacked.
  • If you are going to use SSL, check certificates at both ends. Apparently, some devices do not.
  • Use SSL pinning so your device is authenticated, as opposed to the network the device is on.
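As an added example that is not part of the Synack report or this article, the block below shows what three of the practices above look like in client code: a password check that mirrors the stated policy (more than 12 characters, with letters, numbers and special characters), a TLS context that actually verifies the server certificate instead of disabling checks, and a connection helper that pins the server's leaf certificate so the device authenticates the service it talks to rather than trusting whatever network it is on. Everything here uses only the Python standard library; the host name, pins and sample passwords are constructed placeholders, and pinning the whole certificate (rather than the SubjectPublicKeyInfo) is a simplification chosen to keep the example dependency-free.

```python
"""Added example (not from the Synack report or the article): a client that
applies the listed practices -- strong password policy, real certificate
verification, and certificate pinning -- with the Python standard library.
All host names, pins and sample passwords are constructed placeholders."""
import hashlib
import re
import socket
import ssl

# The article's policy: more than 12 characters, containing letters,
# numbers and special characters.
MIN_PASSWORD_LENGTH = 13  # "more than 12 characters"


def password_meets_policy(password: str) -> bool:
    """Return True only if the password satisfies the stated policy."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"[0-9]", password) is not None
    has_special = re.search(r"[^A-Za-z0-9]", password) is not None
    return has_letter and has_digit and has_special


def certificate_pin(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, hex-encoded.

    Pinning the whole certificate is the simplest form of pinning. Production
    firmware usually pins the SubjectPublicKeyInfo instead, so the vendor can
    reissue the certificate without shipping a new pin to every device.
    """
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: set[str]) -> bool:
    """True if the presented certificate hashes to one of the expected pins."""
    return certificate_pin(der_cert) in pinned


def build_tls_context() -> ssl.SSLContext:
    """A context that checks the server certificate and host name.

    The failure the report describes ("some devices do not check
    certificates") amounts to setting check_hostname = False and
    verify_mode = ssl.CERT_NONE; neither is done here.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Sanity check a context before use: both verification switches on."""
    return ctx.check_hostname is True and ctx.verify_mode == ssl.CERT_REQUIRED


def connect_pinned(host: str, port: int, pinned: set[str],
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf cert matches a pin.

    The context validates the chain and host name during the handshake;
    the pin check runs after the handshake and before any data is sent,
    so a valid-but-unexpected certificate (for example one issued by a
    different CA) still fails closed.
    """
    ctx = build_tls_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, pinned):
            raise ssl.SSLError(f"certificate pin mismatch for {host}")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Placeholder values: replace with the vendor's real endpoint and the
    # pin computed from its current leaf certificate.
    EXAMPLE_HOST = "cloud.example.invalid"
    EXAMPLE_PINS = {"00" * 32}
    print("policy ok:", password_meets_policy("Correct-Horse-7-Battery"))
    print("context strict:", context_is_strict(build_tls_context()))
    print("would connect to", EXAMPLE_HOST, "with pins", EXAMPLE_PINS)
```

The pin set is deliberately a set rather than a single value: a device needs to carry the current pin and the next one so a scheduled certificate rotation does not strand units in the field, which is the same reason the firmware update path (point two above) has to work without user action.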

Some of these may be controversial. For example, stronger passwords can be a pain to enter on devices with tiny screens and no keyboards. Another issue is hardwiring everything. Wireless devices are simply more convenient, and wireless connectivity is often a reason people buy a certain product over another. Finally, storing all of your data in the cloud might be more secure, but it’s only as secure as your cloud vendor. If the vendor gets hacked, there go your data and your camera images.

Moore concedes these points, but says that even understanding these tradeoffs would help. I agree. It’s one thing to trust my camera data to Nest or Amazon, but another to trust it to a startup that just launched three months ago (although it’s highly likely that its cloud back-end is Amazon Web Services). So what about the specific devices?

Synack looked at four classes: cameras, thermostats, smart hubs and smoke detectors. It found the most flaws in the camera class, with Dropcam being the most secure.

[Chart: Synack camera test results]

In thermostats, Nest once again was the most secure, but most were dinged for their password policies. This is understandable, because most thermostats don’t have keyboards, making it tough to enter a password on the device itself.

[Chart: Synack thermostat test results]

When it comes to smoke detectors we see Kidde, the only device that got a perfect score from a security perspective, in part because it’s not connected. Why it’s on this report, I don’t know. There’s also the first mention of a supply chain–based attack, which is worth noting, because it means that someone would have to intercept the device and change a component. This isn’t specific to just smoke detectors, but any connected product. I thought this was tenuous, but Moore pointed out that we could see more of it in the future and that it really just took a bit more long-range planning. It could also be seen more in returned or second-hand devices.

[Chart: Synack smoke and CO detector test results]

Finally we see his results from testing home automation hubs. While the Revolv isn’t sold anymore because Nest purchased the company for the engineers, the others are on the market.

[Chart: Synack home automation hub test results]

While this report covers the devices themselves, I’d like more insight into how we secure the future, when we start linking these devices together. I tie many services together via Works with Nest, If This Then That and many other services, and suspect others will soon do the same. And while individual devices may get more secure, once they start sharing data between clouds, that introduces new weaknesses that this report doesn’t even get into. When asked about security in the smart home today, Moore said, “Security is abysmal.”

So, let’s work on that, but let’s think about how we’re planning for tomorrow, too.

Updated: This story was updated at 3:06pm PT to clarify that the Kidde smoke detector isn’t connected.