Flaws in Smart Home Security Devices
Homeowners are purchasing smart home products at a record pace. Nearly 30 million smart home devices will be sold in 2019, according to the Consumer Technology Association, a 23 percent increase from last year. But a recent study says some devices may not be secure.
Researchers at North Carolina State University have identified design flaws in “smart home” Internet-of-Things devices that allow third parties to prevent devices from sharing information. The flaws can be used to prevent security systems from signaling that there has been a break-in or uploading video of intruders.
“IoT devices are becoming increasingly common, and there’s an expectation that they can contribute to our safety and security,” says William Enck, co-author of a paper on the discovery and an associate professor of computer science at North Carolina State. “But we’ve found that there are widespread flaws in the design of these devices that can prevent them from notifying homeowners about problems or performing other security functions.”
The researchers have found that if third parties can hack a home’s router — or already know the password — they can upload network layer suppression malware to the router. The malware allows devices to upload their “heartbeat” signals, signifying that they are online and functional — but it blocks signals related to security, such as when a motion sensor is activated. These suppression attacks can be done on-site or remotely.
“One reason these attacks are so problematic is that the system is telling homeowners that everything is OK, regardless of what’s actually happening in the home,” Enck says.
These network layer suppression attacks are possible because, for many IoT devices, it’s easy to distinguish heartbeat signals from other signals.
“One potential fix would be to make heartbeat signals indistinguishable from other signals, so malware couldn’t selectively allow heartbeat signals to pass through,” says TJ O’Connor, first author of the paper and a graduate student at North Carolina State. “Another approach would be to include more information in the heartbeat signal.”
Enck says that no system is going to be perfect, but given the widespread adoption of IoT devices, it’s important to raise awareness of their potential flaws.
The paper, “Blinded and Confused: Uncovering Systemic Flaws in Device Telemetry for Smart-Home Internet of Things,” was presented at the 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks held May in Miami, Fla.