Fridge raiders: Will 2014 REALLY be the year your Smart Home gets hacked?

 At this year’s Consumer Electronics Show, one thing was clear – smartphones have had their chips, at least when it comes to getting people interested.

 The app is king – and more importantly, the appcessory – fridges, lights, appliances and gadgets built for app control were everywhere. But with companies unveiling door locks controlled via app, should we applaud – or worry?

Tony Fadell – whose Nest was bought by Google for $3.2 billion, told MIT Technology Review two years ago, “Home automation is for single geeky guys. It’s not for families.”

This year’s show, and Nest’s valuation, demonstrated how much that has changed – with companies such as Zonoff building a 2000-square-foot ‘home’ on the show floor, all automated, and all wireless.

But the one thing about single geeky guys is that they tend to be a little more security-savvy than most – and much of the technology on show was clearly aimed at families, young and old, rather than early adopters.

With the FTC already having issued warnings to ‘intelligent’ device makers, such as baby monitors, over poor security after a hacker spied on and insulted a toddler via the net (reported by We Live Security here) – are we just providing hackers a new ‘way in’?

Various security experts queued up to yell, ‘Yes’ – the normally sober BBC warned, “In the future, it might not just be your smartphone that leaks personal and private data, it might be your smart fridge too.”

But ESET Senior Research Fellow David Harley says it may be too early to sound the alarm – cybercriminals being much more interested in the contents of your wallet than what is in your fridge.

“It may be a little early to worry too much about what your fridge or your medicine cupboard is able to reveal to a hacker about your eating habits and the state of your health,” Harley says. “After all, there are all too many more direct ways for retailers, insurance companies, and pharmaceutical companies to get that sort of information. (And those are issues more people should be worried about.)”

Interoperability was key to this year’s crop of gadgets, according to The Next Web‘s roundup. Smart home systems have have to work as one – otherwise they won’t sell. Previous systems worked perfectly – if everything in your home came from one manufacturer – or if you bought an expensive system from manufacturers such as Crestron, which had to be installed by professionals.

This year, though, ‘middlemen’ have stepped in, such as Staples, which offers a $99 hub to connect to a router – and controls thermostats, lights and security systems. Many manufacturers hope users will control their entire homes with one app – including perhaps the most important part, the lock, with a Bluetooth-enabled door lock from start-up Goji.

Mike Harris, Zonoff’s CEO, which built a replica ‘smart home’ to show off its technology, said, “Other companies have traditionally depended upon a dedicated home automation controller box. Essentially, we have separated the control software from the radios – consumers can use their existing WiFi network to add any home automation device in any location.”

But the real concern may not be hackers looking to spy into fridges – it may be privacy, and the ownership of data generated by homes where everything is connected.

“It’s not too early for legislators to be thinking about how applicable current privacy and data protection legislation is to the burgeoning Internet of Things,” ESET’s Harley says. “In (most of) Europe, at any rate, even how often and when you use your vacuum cleaner can be considered personal data.”

“I doubt if much of the data that is meant to be returned to the vendor from most smart devices at the moment poses a significant threat in an age where more people (especially younger people) seem quite blasé about sharing a certain amount of personal information. However, increasing connectivity in unexpected devices certainly raises  worries about the risk of additional and undocumented data gathering functionality added at any point in the supply chain.”

Hacking smart home systems is possible – a Forbes article last year showed off how a hacker could ‘haunt’ a smart home – saying to a complete stranger, “I can see all of the devices in your home and I think I can control them,” before flipping lights on and off.

Many companies imagine Smart TVs to be the ‘hub’ of such connected homes, with controls on screen – but security concerns have already been raised over such devices, as reported by We Live Security here.

Security researchers have already shown that it is possible to access, for instance, the webcam in a web-connected television – prompting Samsung to issue a warning saying that families could consider covering the cameras when not in use.

LG admitted last year that models of its Smart TVs had collected information without consent. In a statement released by LG and reported by security expert Graham Cluley, the company said, “Recently, it has been brought to our attention that there is an issue related to viewing information allegedly being gathered without consent. A firmware update is being prepared for immediate rollout that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted.”

When a hacker accessed a baby monitor last year to insult a toddler in bed, the Federal Trade Commission said that it would continue to monitor such technologies.

The FTC said in a statement, “This is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices – commonly referred to as the “Internet of Things”.

“The Internet of Things holds great promise for innovative consumer products and services.  But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet,” said FTC Chairwoman Edith Ramirez.

Earlier this year, researcher Nitesh Dhanjani demonstrated an attack on a popular “connected” lighting system sold in Apple Store, the Philips Hue, which could be hacked to cause a “perpetual blackout” in the homes of users, reported by We Live Security here.

“By 2022, the average household with two teenage children will own roughly 50 such Internet connected devices, according to estimates by the Organization for Economic Co-Operation and Development,”Dhanjani said “Our society is starting to increasingly depend upon IoT devices to promote automation and increase our well being.”

What is certain, though, is that the demand is there, according to Clare Newsome, group marketing manager for electronics distributor Computers Unlimited.

“The rise of the ‘appcessory’ – devices controlled by app software on your smartphone and tablet – is transforming the world of home automation, bringing the smart home dream within reach of every home,” she says. “ Such sophisticated lighting systems used to cost many thousands of pounds and take an expert to install; the Philips Hue starter kit costs under $300, and you can be up and running in minutes.”

Author Rob Waugh, We Live Security

  • Madison McClure

    This Internet of Things also extends to merchants as well. Just as home owners are trending towards owning more internet connected appliances in the house, merchants are will make the same shift (albeit more slowly), especially in restaurants, C-stores, and entertainment based industries. The smarter our homes get, the higher the expectations we have for services outside the homestead.

    As such, I predict we’ll be seeing some similar attacks on merchants over the next few years. Merchants will learn the hard way that even segments of their business network that don’t contain customer/cardholder data are prone to invasion. Granted, these risks will probably be outweighed by the increase in repeat customers for businesses that successfully/cleverly adopt new smart appliances. Merchants and home owners alike will have to go through a learning phase before they effectively protect their networks (on an aggregate level) Who knows what bizarre intrusions we’ll see during those few years!

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

4 articles related to:
Hot Topic
15 Jan 2014
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.