swisscom: smart homes & security risks
Smart Homes & Security Risks
Gregory Grin - 2015
Swisscom Smart Living
The more we transform our life into a digital life, the more intimate information is potentially available
But this is not a new situation. This is already the case in a “non-digital” life…
And we take measures to protect ourselves
There is no reason not to do the same in our digital life and when using Smart Home solutions
It looks like there is a Digital Paranoia trend nowadays
Proposed approach when considering Smart Home solutions for your house: A Healthy Digital Paranoia
1. Physical Access
2. Wi-Fi
3. Passwords
4. Cloud vs. local
5. Connectivity within the Smart Home System
6. Interface
7. Systems with preventive measures
8. Firmware
“Please destroy all my smart home system, all my home automation & comfort, as well as all my rainy Saturday afternoons spent configuring it and making it work…”
The so-called “Hammer Invitation”
Consider locking your Ethernet sockets
Secure your Wi-Fi network
1. Don’t keep the default settings (there is a public hacker database of them)
2. Create a long, complex password and do not hide it on a sticker under the router…
3. Don’t use your name, home address or other personal information in the SSID name
4. Enable the highest level of network encryption, and use a Smart Home system that supports it
5. Consider MAC address filtering
6. Potentially reduce the range of your Wi-Fi network
7. Upgrade your router Firmware
8. Consider a separate home network for your Smart Home installation
Passwords
§ Don’t keep the default settings of your Smart Home system
§ Create long and complex passwords for your Smart Home devices
§ Don’t use the same password everywhere
§ If you are afraid of forgetting your passwords, use a password management tool
Cloud vs. local
§ Consider a Smart Home system with which you can specify what you want to be on the cloud and what you want to keep local for privacy reasons
§ Local / cloud duplication is also an interesting feature, from a security point of view and beyond
§ How is the communication between the cloud and the Smart Home System handled? HTTPS? With a trusted certificate? With mutual SSL authentication? With an additional level of encryption?
§ Where is the cloud? Is it hosted in a serious place that would resist attacks?
§ Does your system provide a standalone option without internet and cloud?
Connectivity within the Smart Home System
§ How do the sensors communicate to the outside or to a Smart Home Gateway?
§ Is it possible to use a mix of wireless and wired connections?
§ Does the system use standards (KNX, Z-Wave, DECT, …) that enforce a reasonable level of security and encryption?
Interface
§ Does your system require you to change any default password at start?
§ Does it allow and encourage the use of strong passwords (>=8 characters, upper case, symbols, numbers)?
§ No hard-coded password is used
§ How does the interface react after multiple login attempts with a wrong password? (brute-force attack)
§ How does automatic login work?
§ Is it possible to disable features that are not being used?
§ Is the web interface secured from bugs listed in the OWASP Top Ten vulnerabilities?
§ Can you modify privacy and security settings?
§ Is there a privacy mode? How does it work?
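
An added example, not part of the original slides: a minimal Python sketch of an interface that answers the first four questions above the way a buyer would hope. The lockout threshold, lockout duration, sample default-password list and the `LoginGate` name are assumptions chosen for illustration.

```python
import hashlib, hmac, os, string

MAX_FAILURES = 5        # assumed number of wrong attempts before lockout
LOCKOUT_SECONDS = 300   # assumed lockout duration
DEFAULT_PASSWORDS = {"admin", "password", "12345678"}  # constructed sample list

def is_strong(password):
    """Rule from the slide: >=8 characters, upper case, symbols, numbers."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

class LoginGate:
    def __init__(self):
        self.salt = os.urandom(16)   # per-device salt, nothing hard-coded
        self.digest = None           # no usable password until the owner sets one
        self.failures = 0
        self.locked_until = 0.0

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password):
        # Refuse known defaults and anything weaker than the slide's rule.
        if password.lower() in DEFAULT_PASSWORDS or not is_strong(password):
            return False
        self.digest = self._hash(password)
        return True

    def login(self, password, now):
        """`now` is a timestamp in seconds, passed in so the logic is testable."""
        if self.digest is None:
            return "must-set-password"   # forces the change at first start
        if now < self.locked_until:
            return "locked"              # even the right password waits out the lock
        if hmac.compare_digest(self._hash(password), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
            return "locked"
        return "denied"
```

A system that sends a notification on the "locked" result would also cover the state-change notification question in the preventive measures list.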
Systems with preventive measures
§ Does your system react to jamming? How?
§ Does your system react to network and Wi-Fi failure? How?
§ Does your system send you notifications when it changes state?
§ How does your system restart and react when there is an outage?
§ Is there a fail-safe mode?
§ How does the system/device react to tampering?
§ Does the system require the user’s approval to enter maintenance mode?
Firmware
§ Is there a simple and secured update process?
§ Are firmware upgrades of the devices signed and encrypted?
§ Can firmware upgrades be controlled by users?
§ How does the system react to unrequested firmware upgrades?
Conclusion
§ Unfortunately, it is difficult for users to secure their Smart Home themselves, as most systems do not provide a secure mode of operation
§ Nonetheless, there is advice to follow that reduces the risk of attacks
Thank you!