Smart Home Security

IoT security hacker

We’ve talked about security a number of times on our blog but it’s an important topic that we will keep revisiting. We’re not talking here about electronic locks, intruder alarms or CCTV (although these are all important security features offered by Cyberhomes)—no, we’re talking about cybersecurity—preventing a hacker from accessing the technology on your home network.

Secure by Design

On the 1st of May, the first consultation document for the ‘Mandating security requirements for consumer Internet of Things (IoT) products’ was published. Specifically, the proposed new legislation will focus on:

  • mandating that devices ship with unique passwords from the manufacturer
  • manufacturers must publish security vulnerabilities when they are discovered
  • manufacturers must state a minimum period for which security updates will be issued.

Current IoT Guidelines

We’re pleased to see that the government are proactively driving increased standards for manufacturers to ensure their products ship with improved security ‘out of the box’. In the meantime, the government also published the ‘Code of Practice for consumer IoT security’ guidelines in October 2018 which sets out a number of good practice security measures for manufacturers to follow:

1. No default passwords

Many products ship with a standard username and password combination, such as admin/admin or ubnt/ubnt. If this isn’t changed when the product is installed then it potentially leaves it easy for a hacker to gain access to the control panel of the device. Products should instead be shipped with unique default passwords and cannot be reset to any pre-determined factory default.

2. Implement a vulnerability disclosure policy

Manufacturers should ensure that whenever they become aware of a security vulnerability in any of their products that they publish this information (and ideally with a suitable fix) in a readily-available location and share the information with competent industry bodies.

3. Keep software updated

It should be possible for the software/firmware of devices to be updateable in a secure manner. These updates should be issued promptly when new security vulnerabilities are discovered, and they sold not impact on the functioning of the device. Consideration should also be given to when products are ‘end-of-life’ and how customers are advised that no security updates will be made available.

4. Securely store credentials and security-sensitive data

All security credentials (eg username, password, encryption keys etc) should be securely stored within the device so that they cannot easily be discovered by reverse-engineering the installed software.

5. Communicate securely

When devices are communicating on your network or to/from the internet, that data should be encrypted so that it can’t be intercepted.

6. Minimise exposed attack surfaces

By default devices should be as ‘locked down’ as possible; requiring action by the installer/user to actively enable any functionality that could reduce security (eg opening ports to the internet).

7. Ensure software integrity

When powering up, devices should have a secure boot mechanism that allows them to confirm that the software/firmware they are about to run hasn’t been tampered with.

8. Ensure that personal data is protected

Devices, or more likely the services that the devices interact with, must protect any personal data that they are using (eg email addresses). A device/service must comply with General Data Protection Regulation (GDPR).

9. Make systems resilient to outages

Devices should be able to automatically recover from loss of network/internet or power.

10. Monitor system telemetry data

Any data that is collected from devices should be monitored to try and identify potential security anomalies.

11. Make it easy for consumers to delete personal data

Should be easy for owners to delete any data on a device if they are going to sell it to another user or otherwise dispose of it.

12. Make installation and maintenance of devices easy

Clear instructions should be provided, and the installation process should be as easy as possible in order to minimise the risk of inadvertently introducing security vulnerabilities.

13. Validate input data

Any input fields on a device’s configuration/usage should have validation to ensure they cannot be used as a mechanism for causing it to behave in an unexpected manner or run malicious code.

How Does This Affect My Smart Home?

The government’s initiatives are primarily focused at the ‘do-it-yourself’ Internet of Things (IoT) type products, but many of the same security principles also apply to an integrated home automation system such as Control4, Savant Pro or Crestron. If your system was installed by Cyberhomes then you can be reassured that the best practices for security were undertaken at the time of installation; for example all passwords would have been changed from manufacturers’ defaults and access from the internet restricted to only authorised users/devices.

If you have a care plan for your system (such as Cyberhomes SMARTsupport plans) then any newly-discovered security vulnerabilities of your devices should be addressed by updating firmware to the latest versions where necessary during your scheduled maintenance visits.

If your system hasn’t had a maintenance visit for a few years perhaps it’s time you invited Cyberhomes to come and do a security audit of your system to ensure it’s as secure as it can possibly be?

Posted by
on 09 May 2019