20-06-2022 | By Robin Mitchell
If the IoT industry has taught us anything, it’s that we need to predict problems before they materialise, and the introduction of the smart home may be vulnerable to a serious issue; house moving. Why is it more important than ever that engineers try to predict issues? Could smart homes be a ticking time bomb, and how can engineers solve this challenge?
Why is it more important than ever for engineers to predict problems?
When developing a product, it is essential that engineers come up with all manner of tests that push the product to its absolute limits so that when the product is used in a real-world setting, it will perform reliably. For example, a smartphone will be tested for wide temperature swings to simulate changing environments, it will be subjected to drop tests to ensure circuitry stability, and its processor will be pushed to its maximum capability.
However, the changing nature of electronic devices, the increased use of data gathering, and the use of internet-connected devices have introduced engineers to a multitude of issues and challenges that have never existed before. One of these challenges that hit the engineering industry hard was the selling of insecure IoT devices. While an individual device may not be considered a security threat, tens of thousands of identical devices connected to the internet create a powerful platform for cybercriminals to abuse. This type of problem does not show up during the testing phase but must be anticipated by engineers.
The same applies to the use of AI; while it has been shown to be highly beneficial in automating tasks and increasing efficiency, it could also cause a public backlash if employees are made redundant, and the need for large amounts of data could make the public feel uncomfortable. If data is abused by engineers, public outcry can result in government action that could see new laws introduced or fines issued.
Could Smart Homes be a ticking time bomb?
One area that could become a significant threat if not dealt with immediately is the introduction of the smart home. Even though smart homes are still in their infancy, with devices being more niche than practical, the integration of permanent devices could present homeowners with a serious issue; data vulnerabilities.
It is well known that internet-connected devices present security challenges by exposing networks to outside attackers, providing a platform for criminals to launch attacks from, and using vulnerable devices for spying. However, if smart devices become integrated into the very construction of a property and cannot be removed, then moving house will likely leave previous homeowners vulnerable to data theft, privacy invasion, and even password vulnerabilities.
It is likely that while devices integrated into a smart home will be left behind, the router that bridges all these devices to the ISP will be introduced by the new homeowner. Considering that such routers do not protect LAN networks, it would be easy for a rogue device to be left behind and connected to this network. Furthermore, pre-existing devices in a home could be flashed with malware to the previous owners to have remote access, which could be used as a VPN for illicit activities.
But it’s not just the new owners that are vulnerable; the previous owners are just as much at risk. It is highly likely that smart devices in a home are designed to relay their data to some central server, and this will likely be remotely located as a cloud service. In order to connect to such a server, each device will need to store API keys and other credentials, all of which will be highly private. Thus, new homeowners could, in theory, access these devices and use it to access services used by the previous owners.
How can engineers solve this challenge?
Solving this challenge presents two challenges as devices would need to be protected against old owners and new owners. Protecting against old owners is relatively easy as devices would only need to incorporate a reset button that internally wipes all stored data, including flashed firmware and replace this data with a factory-set protected memory that cannot be reprogrammed. Of course, this would also remove any updates to the firmware that could include security and vulnerability patches. Thus, wiped devices would need to be immediately updated by the new owners.
Protecting devices against new owners is more challenging as devices that are not wiped by the previous owners could retain private information. One method for protecting against this is to incorporate memory systems that don’t allow for external access (i.e., internal flash memory in a microcontroller with read-protection). Another method for protecting against this type of attack is to incorporate on-memory encryption that prevents outside attackers from gaining access to the contents of external memory chips.
But this would not prevent an attacker from eavesdropping on the device and observing connection attempts. For example, a non-wiped device would still try to access a remote server used by the previous owners, and an attacker could monitor this traffic and try to spoof the remote server to obtain login details.
Overall, smart homes present a range of issues that go beyond the scope of the function of a device. It is essential that engineers try to foresee how their products can be used for malicious applications as well as try to incorporate robust security features that allow users to quickly protect their data.