I have a smart house. When my doctor and lawyer friends are in it.
When it’s just me it’s a smart-arse house.
This is the problem. Consumers are incredibly naive like this about what awful things can be done with these devices.
Home routers are notoriously unsafe. Some are easily cracked from the outside (WAN) and most are easily cracked from the inside (LAN). Your smart devices are on the inside of the network. (Guest or not.)
So: “smart” device is exploited to get into your router and from there into anything on your network.
I own several Amazon devices. All of them designed to prevent being rooted. I have rooted all of them.
As I read it, the German code involved a one-time pad, which is a key that is only used once then is supposed to be discarded. The Germans began every message with “Heil Hitler” or something like that. The analysts discovered the same coded phrase in two different messages, which tipped them off that the Germans got lazy and reused one of the pads.
Here’s what I did for my Echo Dot and Wemo light switch:
- Plug in Alexa
- Install phone app to control Alexa
- Use phone app to connect Alexa to your WiFi network
- Replace wall switch with Wemo switch
- Install phone app to control Wemo switch
- Use phone app to connect Wemo switch to WiFi network
- Use Alexa phone app to enable “Wemo” skill in Alexa
Using a smart light bulb is even faster because there is no wiring involved. Once you have set up the Echo and the first device, adding more devices takes a minute.
Security concerns are valid, and even as a software engineer who likes to think I’m smart about these things I am not aware of all the exploits for these devices. But it does sound like you need a certain physical proximity to the network, don’t you? If not, how are these devices any more vulnerable than my desktop computer?
My wife and I moved from a house with attached two-car garage to an apartment with a single-car unattached garage. We only got one remote control for the garage, which means that whoever is in the car with the remote, the other person can’t get into the garage to get anything.
I found a Bluetooth-enabled device that plugs into the push-button for the garage door on the inside of the garage. The device is paired to our phones, and only has a range of about 30 feet.
I believe it is somewhat safer than a wifi-enabled garage door opener, since it is not accessible from the internet. In order to pair a phone with the device, the phone and the device almost need to be touching. Once they are paired, the range is further. Plus, if someone does manage to break the security, they only thing they can get to is some junk in the garage and a car.
The device cost about $50, and does not modify the garage door opener at all.
Off by quite a bit. Not one-time pads but daily key (settings) changes. Sometimes an operator would goof up and re-use a previous day’s key, but that didn’t happen often enough. Standard starts of messages were a big boost. One operator went so far as to send the same report day after day along the lines of “all clear, nothing seen” so Allied planes were directed away from that place so the nothing-to-report message kept being sent out as often as possible. Knowing much, if not all, of the plain text of one message helped determine the key of the day for many other sites.
Remember, most security issues are caused by people not being aware of how easy it is to mess up horribly.
</ hijack>
It seems like the problem in this case with smart devices is that they’re not smart enough. All my dumb home systems are smart enough to not start talking at 2am.
I was over at a friend’s house the other day, and he was showing me his (admittedly cool) smart light LED strips in his living room and how they can change color, changing the mood. And then he pointed to one in his bedroom. “This one doesn’t seem to come on reliably”. I laughed out loud. That’s smart devices for you. Cool features, but not very reliable.
I write software for a living. The last thing I want to do is come home and debug my fucking lighting system.
All devices are vulnerable. So claims like this are a non-sequitur; an encrypted laptop in a Faraday cage that’s never touched a network is also vulnerable, but that doesn’t mean that all notions of security are bogus, or that we can’t differentiate between different levels of security.
Rule 0 of security is simply not being a high-value target. No one really gives a shit about your “home network” (as if that was some inviolable thing anyway) because it has almost nothing of value. Even your credit card numbers are more easily harvested by other means, such as from the numerous hacks of retailers.
Rule 1 is just not doing the really dumb shit, like leaving devices wide-open to the internet with default passwords. The famous Mirai IoT botnet isn’t some sophisticated thing that exploits vulnerabilities in the OS network stack. It’s not much more than port scanner with a bunch of default passwords. Don’t do that and you’ve avoided 95% of the problem.
Rule 2 is layered security. As mentioned, everything is vulnerable. But different stuff is vulnerable in different ways, so the more obstacles you have, the more likely you are to have filtered out the attackers.
It take a few more rules to get to “minimize your surface area”, which is definitely an area where IoT devices are making things easier for attackers. But this was already a trend long before IoT; the average family probably has 10+ devices on their home WiFi these days, with tablets, phones, and the like all being popular.
Perhaps rule -1 of security is that there’s no fundamental difference between computer and electronic or physical security, and minor gaps in computer security are pointless to whine about when there are vast chasms in the other realms.
For many decades (and even today), garage doors could be opened trivially by sending out a fixed code over a radio transmitter. Oh no! Someone could get into your garage and steal your stuff! Except that it almost never happened because it was more trouble than it was worth.
Or that people used pagers for decades, which transmit in plaintext and are easily intercepted. In fact they’re still in use–I still see traffic from a local hospital, with ostensibly confidential medical information transmitted right in the clear.
Not to mention that most door locks can be bypassed in seconds with bumpkeys or other techniques. Again–there’s no epidemic because almost no one cares about your stuff.
All of this is not to say that security isn’t a problem on the internet or that people shouldn’t take precautions, but most of the damage isn’t to individuals. In a way, that’s a problem in and of itself, because for the most part people don’t care if they’re part of a botnet that’s DDoSing someone; so their internet goes a little slower, big deal. It’s only a big deal to the target.
So let’s not go Chicken Little. Many of these IoT devices will prove to be vulnerable, just like every other device we’ve used, and some problems will result. It won’t be anything we’ve never seen before, and no more than a tiny fraction of consumers will be noticeably affected.
Another garage door remote is about $30 at Home Depot. I’m not seeing any advantages in your solution.
What about this:
Yes, that was a result of the Mirai botnet that I mentioned. Note that the target of the attack was not the owners of the devices, but the company Dyn. No one had their home network infiltrated, even though that was probably possible, because it just wasn’t worth it on average. Probably most of the end users didn’t even notice that they were part of a botnet. But each compromised device added up to a big result to a high-value target.
As I said, almost all of the devices were compromised due to not changing the default admin account. The makers of these devices certainly bear some responsibility in having non-unique admin passwords–they certainly know that a lot of people aren’t going to change the defaults, and it’s irresponsible to have so many unprotected devices out there. But at the same time, the problem could have been avoided trivially by changing passwords, or by not having them exposed to the open internet.
This still would not ensure perfect security–as said, no device is perfectly secure, and a lot of these device companies don’t have the resources to do a really good job–but it would certainly make things harder. Hard enough, perhaps, to make this kind of attack no longer worth it.
Yeah, I think the biggest risk to homes is that your teenage neighbour might leech your wifi. Small businesses trying to be trendy are possibly at slightly higher risk of actual malicious intrusion.
Just as another example of a gaping security hole that existed long before IoT was the buzzword du jure, a while back I was cruising the airwaves with a narrowband FM receiver when I ran across a couple of people having a conversation. They weren’t ham radio operators; they were my neighbors (from a few buildings away, I suspect), and they had a baby monitor which broadcast totally uncoded analog audio.
I didn’t stick around to listen once I realized what it was, but it would have been trivial to do so with zero chance of detection. Millions of these things have been sold, which broadcast any conversation within range to anyone with a $30 receiver, even a few hundred meters away. But no one cares because there’s almost nothing of value to be learned from typical household conversations.
CookingwithGAS;
While this won’t help with all of your woes, if you get a UPS and plug your modem and router into it, they will stay up during brief power outages, which will let Alexa connect to the still on network when she reboots.
I put a UPS on my router and modem so I could still use my laptop when the power goes out. Living in a rural area, we loose power fairly often. My laptop usually runs out of battery before the UPS does, but it’s still nice to have connection for part of the outage.
Thank you for the practical suggestion! I was looking at those in my local Micro Center a while back and the difference in prices can be significant. I have to do a little research to find out what I really need.
I love technology, but I do draw the line at smart crockpots. Seriously. My mom and I were walking around the Evil Empire (Walmart) and saw a crockpot that hooks up to the wifi and can be programmed by an app on a smartphone. My mom said she’d rather have a dumb crockpot. I have to agree.
Some drawbacks still haven’t been fixed: