The Smart Home / Internet of Things (for the home) concept is a really bad idea for several reasons:
- It is a solution looking for a problem. People are not clamoring for expensive technology that automates things that don’t need to be automated.
- Governments look forward to using the technology to spy on you
- Although the wireless standard used, Zigbee, has security features built in, companies building these IoT devices lack security engineers who know how to properly implement those features. You really don’t want hackers taking over the types of things you will connect to your Smart Home, especially if you are
dumb uninformed enough to connect devices like your new electronic door locks.
Who needs that?
All things considered, it took longer than I expected for security researchers to uncover major flaws in the implementations of some IoT devices. From InfoSecurity Magazine via the BlackHat Security conference:
Critical security flaws have been uncovered in ZigBee, the popular short-range wireless communication standard used by Internet of Things (IoT) devices.
Speaking at Black Hat 2015 in Las Vegas, Cognosec researchers outlined the main security risks in ZigBee implementations, the devices affected and provided practical exploitations of actual product vulnerabilities.
“If a manufacturer wants a device to be compatible to other certified devices from other manufacturers, it has to implement the standard interfaces and practices of this profile,” Cognosec noted. “However, the use of a default link key introduces a high risk to the secrecy of the network key. Since the security of ZigBee is highly reliant on the secrecy of the key material and therefore on the secure initialization and transport of the encryption keys, this default fallback mechanism has to be considered as a critical risk. If an attacker is able to sniff a device and join using the default link key, the active network key is compromised and the confidentiality of the whole network communication can be considered as compromised.”
Researchers performed a vulnerable device-pairing procedure that allows external parties to sniff the exchanged network key. This represents a critical vulnerability, as the security of the solution is solely reliant on the secrecy of this network key.
Tests with light bulbs, motion sensors, temperature sensors and door locks also showed that no other options to raise the level of security were implemented and available to the end-user.
One use case highlighted in the whitepaper and Black Hat presentation was the ability of external parties able to gain control over home automation systems, which have high privacy requirements and are a huge source of personalized data.
The shortfalls and limitations we have discovered in ZigBee have been created by the manufacturers, according to Tobias Zillner at Cognosec. “Companies want to create the latest and greatest products, which today means they are likely to be internet connected. Simple units such as light switches have to be compatible with a whole host of other devices and, unsurprisingly, little consideration is made to security requirements – most likely to keep costs down. Unfortunately the security risk in this last tier wireless communication standard can therefore be considered as very high.”
I anticipate this Smart Home concept to go away soon, just like 3D TV did and probably like wearables will. We don’t need it, and because of security flaws like these in the long run it will make our lives worse not better.
Our recommendation is to avoid all Smart Home and Internet of Things purchases. Let the security guys show how flawed the concept really is for a year or two. If the technology survives, decreases significantly in price, and becomes a lot more secure, then consider an experimental purchase.