Internet-connected smart devices can deliver significant benefits to users' lives, anticipating needs and providing services in areas from entertainment to energy use, writes Jamie Bennett of Schneider Electric.
But vulnerable devices present security risks, leading the UK government to propose new mandatory cybersecurity measures.
Thanks to the convenience they offer, most homeowners now have around 10 internet-connected devices in their homes, ranging from smart video doorbells, smart speakers and heating controls to wearable health trackers, smart appliances and electric charging points for their car.
Smart technology, when used correctly, will allow growing populations to be serviced more easily. However, if not secured properly, the growing uptake in connected technology presents a number of different ways for an unauthorised user to access the device and the data it stores.
While some hacks might seem harmless, for example a hacked smart light being turned on and off remotely at random intervals, there are also instances where security cameras, webcams and connected doorbells have been accessed, allowing a hacker to violate the homeowner's privacy.
One example occurred in 2012, when 700 live video feeds from TRENDnet security cameras, including devices inside businesses and children's bedrooms, were accessed and published online by a hacker who was able to guess the cameras' net addresses due to a vulnerability in the devices' firmware.
Personal data exposed
Another issue that arises with the security of smart technology is personal data, which is often required for devices to function correctly, and how this information is stored and used. For instance, smart thermostats, such as Google's Nest and Hive from British Gas, collect a host of data in order to offer advanced functions.
Many fully-featured heating controls on the market now allow homeowners to create a heating schedule based around their regular routine. Some even feature smart ‘away modes’ that can be activated using geofencing technology when the connected phone is a certain distance away from the house. All this data could provide a hacker with everything they need to know about when a property is empty.
Additionally, weather compensation technology works by using online weather reports, based on postcodes, which also presents a threat of exposing personal data. In one case, a smart heating controller using online weather reports was found not to be encrypting the postcode when searching for data, leading to a number of customer complaints.
Wider systems compromised
While a hacked device can leave a homeowner vulnerable and their data compromised, it can also be used for a much larger scale attack. In recent years, thanks to the rise in use of smart technology in the home, poorly secured devices have become vulnerable to recruitment into ‘botnets’. In this scenario, malware allows an unauthorised source to use the device, and it becomes part of a network of thousands, which all target one website simultaneously, to overload its servers and bring the website down.
For example, the infamous Mirai malware infected more than 300,000 devices in 2016, which were then used to carry out distributed denial of service (DDoS) attacks and other criminal activity. As a result of this attack, many sites - including Reddit, Twitter, Amazon, Netflix and the BBC - became inaccessible to visitors.
Another large attack took place over 13 days in spring 2019, where over 40,000 connected devices, mostly in Brazil, were used to target a company in the entertainment industry, according to the company's security consultant.
Whenever a consumer is looking to buy a connected device, it is important to purchase from a reputable manufacturer to be assured that it will include necessary measures to protect personal information. Any manufacturer should ensure that data security is taken incredibly seriously.
Data that is collected should be used only to perform the necessary functions and, when it needs to be stored, it should be encrypted and secured, whether locally or in the cloud. When communication happens between the local device and the cloud, all traffic should be encrypted to provide the highest security for homeowners, utilising industry standard protocols such as TLS, the successor to SSL, which also underpins HTTPS.
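A check for the kind of leak described above, a postcode sent in cleartext during a weather lookup, written as an added example rather than code from any vendor named in this article. It scans outbound request URLs captured at a home router or test proxy; the hostnames, the sample requests and the simplified postcode pattern are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Simplified UK postcode pattern (outward code + inward code). It is an
# approximation suitable for flagging traffic, not for strict validation.
UK_POSTCODE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b", re.IGNORECASE)

# Constructed sample of outbound requests from a heating controller.
# Hostnames use the reserved .example TLD and are placeholders.
SAMPLE_REQUESTS = [
    "http://weather.example/forecast?postcode=SW1A+1AA&units=c",
    "https://weather.example/forecast?postcode=SW1A+1AA&units=c",
    "http://weather.example/forecast/EC1A%201BB/today",
    "http://time.example/ntp-fallback?tz=Europe/London",
]


def find_cleartext_postcodes(urls):
    """Return (url, postcode) pairs where a postcode is sent without TLS."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme.lower() == "https":
            # Path and query are inside the TLS session, not visible on the wire.
            continue
        # Decode query values and the path so "+" or "%20" cannot hide a match.
        candidates = [value for _, value in parse_qsl(parts.query)]
        candidates.append(unquote(parts.path))
        for text in candidates:
            for match in UK_POSTCODE.finditer(text):
                findings.append((url, match.group(0).upper()))
    return findings


if __name__ == "__main__":
    for url, postcode in find_cleartext_postcodes(SAMPLE_REQUESTS):
        print(f"cleartext postcode {postcode!r} in {url}")
```

Any finding means the device is disclosing the home's location to anyone on the network path; the fix belongs in the firmware, which should call the weather service over HTTPS only.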
Regulation & policy
To a homeowner and consumer, security should be transparent and taken care of by the manufacturer adhering to best practices and legislation. In October 2018, the UK government published a Code of Practice for Internet of Things Security, alongside accompanying guidance, to help industry implement good security practices for consumer IoT. However, after continued shortcomings, the government is now considering mandatory measures, consulting in 2019 around three options.
These are: improving basic cybersecurity features by giving each device a unique password rather than a universal factory default setting; the manufacturer providing a public point of contact in order that security researchers and others are able to report vulnerability issues; and manufacturers explicitly stating the minimum length of time for which the product will receive security updates.
We should see concrete proposals begin to emerge in 2020. The US state of California is one step ahead on this, bringing into force a new bill in January 2020 aimed at regulating the security of IoT devices.
Looking to the future
As technology progresses, the concept of the ‘smarthome’ has become more frequently discussed when imagining the future development of Smart Cities. However, as this concept begins to grow here in the UK, it is important to consider what implications this could have in terms of security, and how our current systems would need to be upgraded in order to deliver a fully functioning Smart City.
For example, if every home became part of a smart network, this could provide a hacker with a vast number of devices that could be used to attack a network. If a whole city was running off the same network, there are a number of other ways that a hacker could look to cause disruption. These range from sophisticated cyber-attacks on the infrastructure of smart cities, such as the National Grid and traffic light systems, to system lockdown threats, tampering with communications between smaller consumer devices, and personal consumer data being accessed by unauthorised people.
With the looming threat of state-run cybersecurity attacks, it is now more important than ever to build security into the foundation of our connected future. While fully functioning Smart Cities are a long way off, we are certainly heading in the right direction.
By starting in people's homes and building this technology upwards into the infrastructure of the grid, Smart Cities will not only allow the population to be serviced more easily but will contribute to a greener and more sustainable future.
Jamie Bennett, director of connected living at Schneider Electric