As our homes become more and more connected to the Internet and the outside world, we should ask ourselves: is this a good thing? In theory, it seems like a pretty obvious answer. Connecting our home security systems, home security cameras, smart locks, and even household appliances like the washer and dryer to the Internet would allow us to check in on our home and our loved ones remotely using a cell phone or another device, and would ensure that all of our home security equipment is automatically updated. Nest cameras, for instance, allow us to sleep tight knowing that the footage from any camera can be accessed at any time, as it is securely stored in the cloud rather than on-site. However, some of these options pose significant security risks as well, which have not been highlighted in the media. Computerworld’s Darlene Storm did a great analysis of the top 10 “smart” home security systems, reprinted below:
Connected home security systems are connected via the cloud to a mobile device or the web for remote monitoring, and come with a variety of features such as motion detectors, door and window sensors and video cameras with recording capabilities. Although “the intent of these systems is to provide security and remote monitoring to a home owner,” HP researchers said (pdf), “given the vulnerabilities we discovered, the owner of the home security system may not be the only one monitoring the home.”
“The biggest takeaway is the fact that we were able to brute force against all 10 systems, meaning they had the trifecta of fail (enumerable usernames, weak password policy, and no account lockout), meaning we could gather and watch home video remotely,” wrote HP’s Daniel Miessler.
HP Fortify found an “alarmingly high number of authentication and authorization issues along with concerns regarding mobile and cloud-based web interfaces.” Under the category of insufficient authentication and authorization, the researchers reported (pdf):
- 100% allowed the use of weak passwords
- 100% lacked an account lockout mechanism that would prevent automation attacks
- 100% were vulnerable to account harvesting, allowing attackers to guess login credentials and gain access
- Four of seven systems that had cameras gave the owner the ability to grant video access to additional users, further exacerbating account harvesting issues.
- Two of the systems allowed video to be streamed locally without authentication
- A single system offered two-factor authentication
“Properly configured transport encryption is especially important since security is a primary function of these home security systems.” Yet regarding the encryption that is critical for protecting “sensitive data such as credentials, personal information, device security settings and private video to name a few,” they discovered that “50% exhibited improperly configured or poorly implemented SSL/TLS.”
70% of the home security systems allowed “unrestricted account enumeration through their insecure cloud-based interface.” Mobile didn’t fare much better as “50% allowed unrestricted account enumeration through their mobile application interface.”
Regarding firmware and software, “60% indicated no obvious update capabilities and none offered any kind of automatic update functionality.” One system updated firmware via FTP, which would allow an attacker to capture credentials and have write-access to the update server. Three out of 10 systems let the users decide whether or not to accept the latest firmware update.
FTC chairwoman Edith Ramirez recently warned of privacy threats from IoT device data and of course HP researchers found privacy issues as well. “70% made video streaming available through their cloud-based web interface or mobile application interface.” They added, “These systems carry a concern with data privacy as well as the privacy of video images from inside the home due to the use of video cameras.”
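The “trifecta of fail” in the reprinted article (enumerable usernames, weak password policy, no account lockout) and the account-enumeration findings for the cloud and mobile interfaces are all defects of one login path. The following is an added example, not code from the article, from HP Fortify, or from any of the tested products, showing what a login handler that closes all three gaps looks like: a single error value for every failure cause, a minimum password policy enforced at registration, and a failure counter with a lockout window. The `AuthService` type, the constants, and the salted SHA-256 `derive` function (a dependency-free stand-in for a slow hash such as argon2id or bcrypt) are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
	"time"
	"unicode"
)

// One error for every failure cause (unknown user, wrong password, locked
// account) so the login response cannot be used to enumerate accounts.
var ErrInvalidLogin = errors.New("invalid username or password")

// ErrWeakPassword is returned at registration when the policy is not met.
var ErrWeakPassword = errors.New("password does not meet policy")

const (
	MaxFailures = 5                // consecutive failures before lockout
	LockoutFor  = 15 * time.Minute // lockout window (example value)
	MinPwLen    = 12               // minimum password length (example value)
)

type account struct {
	salt, hash  []byte
	failures    int
	lockedUntil time.Time
}

// AuthService is a minimal in-memory user store for this example.
type AuthService struct {
	mu       sync.Mutex
	accounts map[string]*account
	now      func() time.Time // injectable clock so lockout expiry is testable
}

func NewAuthService() *AuthService {
	return &AuthService{accounts: map[string]*account{}, now: time.Now}
}

// CheckPolicy rejects passwords shorter than MinPwLen or drawn from fewer
// than three character classes (upper, lower, digit, other).
func CheckPolicy(pw string) error {
	var upper, lower, digit, other int
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = 1
		case unicode.IsLower(r):
			lower = 1
		case unicode.IsDigit(r):
			digit = 1
		default:
			other = 1
		}
	}
	if len(pw) < MinPwLen || upper+lower+digit+other < 3 {
		return ErrWeakPassword
	}
	return nil
}

// derive is a stand-in for a slow password hash; salted SHA-256 is used
// only to keep this example free of third-party dependencies.
func derive(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

func (s *AuthService) Register(user, pw string) error {
	if err := CheckPolicy(pw); err != nil {
		return err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.accounts[user] = &account{salt: salt, hash: derive(salt, pw)}
	return nil
}

// dummySalt lets Login do the same hashing work for unknown users, so the
// response time does not reveal whether the username exists.
var dummySalt = make([]byte, 16)

// Login applies the lockout before checking the password, counts failures,
// and always reports failure with the same error value.
func (s *AuthService) Login(user, pw string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	acct, ok := s.accounts[user]
	if !ok {
		derive(dummySalt, pw)
		return ErrInvalidLogin
	}
	now := s.now()
	if now.Before(acct.lockedUntil) {
		return ErrInvalidLogin
	}
	if subtle.ConstantTimeCompare(derive(acct.salt, pw), acct.hash) != 1 {
		acct.failures++
		if acct.failures >= MaxFailures {
			acct.lockedUntil = now.Add(LockoutFor)
			acct.failures = 0
		}
		return ErrInvalidLogin
	}
	acct.failures = 0
	return nil
}

func main() {
	s := NewAuthService()
	fmt.Println("register weak password:", s.Register("alice", "password"))
	fmt.Println("register good password:", s.Register("alice", "Correct-Horse-7-Staple"))
	for i := 1; i <= MaxFailures+1; i++ {
		fmt.Printf("guess %d: %v\n", i, s.Login("alice", "guess123"))
	}
	fmt.Println("correct password while locked:", s.Login("alice", "Correct-Horse-7-Staple"))
}
```

A per-account lockout of this kind stops online guessing but also lets anyone who knows a username lock its owner out for the window, which is why production systems usually combine it with per-source throttling or progressive delays rather than relying on the account counter alone.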
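The article also notes one system that fetched firmware over FTP, where an attacker who captures the credentials gains write access to the update server. The defence is to make the transport irrelevant to integrity: the device verifies a vendor signature over the update before installing it. The following is an added example, not code from the article, from HP, or from any product, using Go's standard-library Ed25519 to sign a small manifest (version plus SHA-256 of the image) and to verify it on the device with a pinned public key, an anti-rollback check, and a digest check. The `Manifest` and `Device` types and the manifest layout are this example's own assumptions; a real device would pin the vendor key in immutable storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("manifest version not newer than installed")
	ErrImageDigest  = errors.New("image digest does not match manifest")
)

// Manifest is the vendor-signed description of one update.
// Layout is an example assumption: Version (4 bytes) || SHA-256 digest.
type Manifest struct {
	Version   uint32
	Digest    [32]byte // SHA-256 of the firmware image
	Signature []byte   // Ed25519 over signedBytes()
}

func (m *Manifest) signedBytes() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// SignManifest is the vendor-side step, run at build time with a private
// key that never leaves the vendor; the device only ever holds the public key.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// Device holds the pinned vendor public key and the installed version.
type Device struct {
	VendorPub ed25519.PublicKey
	Installed uint32
}

// VerifyUpdate checks, in order, the signature (so nothing below is trusted
// until it passes), anti-rollback, and that the downloaded image matches
// the signed digest. Only then is the version advanced.
func (d *Device) VerifyUpdate(m Manifest, image []byte) error {
	if !ed25519.Verify(d.VendorPub, m.signedBytes(), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= d.Installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrImageDigest
	}
	d.Installed = m.Version
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v2")
	m := SignManifest(priv, 2, image)
	d := &Device{VendorPub: pub, Installed: 1}

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff // image altered in transit or on the update server
	fmt.Println("tampered image:", d.VerifyUpdate(m, tampered))
	fmt.Println("genuine image: ", d.VerifyUpdate(m, image), "installed =", d.Installed)
	fmt.Println("replayed v2:   ", d.VerifyUpdate(m, image))
}
```

Because the manifest is signed and the image is bound to it by digest, an attacker with write access to the update server can replace files but cannot produce an update the device will install; the version field additionally stops a captured older (signed) update from being replayed.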