Bench Talk

Bob and Alice Smarts are very excited about their new home automation system. It is the very latest in the latest Information Technology consumer space, incorporating all of the Smarts' smart devices, tying everything together. They can adjust their thermostat from far away. They can view the security system's cams to check on the pets. The baby monitor comes in handy to check on Baby Smart, the newest of the Smart kids. The refrigerator keeps track of inventory and sends reminders. Their smoke detectors and home security system now work together, ready to notify at a moment's notice. All via smart phone. And on and on.

Home automation, with the monitoring and control it brings, comforts Bob and Alice Smart. They have no idea of the internet dangers lurking around their new system. Everything is bright and shiny and new. They don't follow security blogs or security email lists. If they encounter some IT-related story online, they move past it to the latest football news.

The notion of an "attack surface" available to probe and exploit by outside forces isn't even on the Smarts' radar. It’s an unknown unknown. Nevertheless, now they have a huge attack surface. Before this era of smart devices under the umbrella of home automation, their attack surface was small. In the dim past, their main security concerns, when they thought about security, hovered around spam. They are still vaguely aware one should not click willy-nilly on links in spam. Or in email that looks like official bank email. Sometimes they do click because the email looks legit, and nothing bad seems to happen.

Aside from spam, there are no other security concerns. The Smarts don't need to know. The manufacturers define a "need to know basis." Sure, there are manuals but always in small print and smacking of technobabble. The most important thing is going from opened box, tossing foam packing, to powering on in minutes.

The Smarts rely on "plug and play." Just plug it in and it magically works. Years ago, they never bothered with learning how to set the clock on their VCR. The important thing was instantly recording or playing with push of a button. In the same way, these days, Bob and Alice don't bother to change the passwords on their smart devices from the factory-set password.  It's easier to remember the factory passwords of "12345" and "password." Besides, technology will protect them. For example, there is no reason to lock their smart cars. After all, if anyone steals the car, their long-standing vehicle monitoring subscription service will track the car down and render it inoperable. Besides, now they can monitor the car via their smart phone! Thieves know these things and that's why no one steals smart cars, Bob and Alice reason. One day, they will be the early adopters of a driverless car. Why, if anyone steals that car, it will just drive itself back home at the first chance it gets. Obvious.

But their home automation attack surface is huge for many reasons. For example, controlling and monitoring devices from outside the home means data travels across the internet hinterlands, outside the home network. The Smarts can check any time from the country club on Baby Smart in the crib while the babysitter texts endlessly in the living room. This gives Bob and Alice a feeling of control over their lives.

If the home automation data stays inside the Smarts' home network, security depends on the firewall and associated wired/wireless router -- taken together, these are "the gateway." Ah, the router. Yet another device with an unchanged simpleton factory password.

Like many consumers, Bob and Alice depend on "black boxes" provided by their ISP which include appliance firewalls with limited logging ability and customization, sometimes even disabled by naive users for "more speed, more access." But wireless access points can default to the weakest security or no security at all. And this is easy fodder for those virtually hammering at the house from the outside. Even if their main firewall is weak, no worries: Most desktop and laptop computers come with a minimal firewall on by default. Yet, the Smarts do not realize that their tablets and smart phones have not one firewall among them, by design.

Another reason for the home automation huge attack surface is the many smart phone apps involved. In the past, excited to download the latest app, the Smarts paid no heed to the fine print in the "privacy agreement" text momentarily glanced at, existing on some web page somewhere. Temporal agreements that allow the app maker to strip-mine contact lists and other smart phone treasures; and then to sell the information to undisclosed, unknown third parties, all unwittingly "authorized" by the end user eager to try out a new game. But now that smart phone apps control home systems and appliances and monitor from afar, is allowing open access all that wise?

Another factor that widens the attack surface, making a yet easier target, are the many products rushed out the door with sloppy security:

-        Weak encryption or no encryption.

-        Mindless factory passwords.

-        Plain text emails with "reset" passwords visible to internet driftnets.

-        Poor documentation.

-        Undocumented landmine "features."

And, always bugs, especially security-related bugs.

The Smarts are very excited about their home automation system. It is an intelligent-sounding diversion when guests are over and the Smarts want to avoid pockets of silence in conversation. They are unaware of the pecking, scratching, hammering, and probing against their flimsy residential firewall. They have no idea that several of their computers and smart phones are now participants in various botnets. They are not aware when Eve drops in to eavesdrop and spy on the Smarts from far away. Or Mallet easily establishes MITM (Man In the Middle) and modifies data between devices.

The Smarts are blissfully unaware of the IoT search engines methodically crawling blocks of residential IP blocks, looking for wide-open devices to exploit, like thermostats, refrigerators, sprinkler systems, alarm systems, baby monitors, lighting, door locks, and smart cars. The Smarts have no idea, as they occasionally look up from their smart phones to glance at their smart TV, that other eyes are staring back at them. In their smart house. Surrounded by smart things.

Next time, gather 'round the digital campfire for Home Adventures Part III, where Bob and Alice begin to forge iron-tested steel against the internet legions of darkness, sturdily bulwarking the home automation ramparts.

[1] https://www.mouser.com/blog/home-automation-adventures-part-i

[2] https://www.mouser.com/applications/internet-of-things/