Smart home security starts at home, according to researcher Michael Sverdlin who says that consumers should explore the security of their smart home technology and consider simple modifications or hacks to remove insecure or promiscuous features.
Not long ago, Michael Sverdlin, the back-end team leader for IoT security startup Vdoo, bought his first “smart device” for his home–a smart “button,” or switch, to control his water heater.
Sverdlin, a long-time developer with a background in security, said that while he’s not a generally “paranoid” guy, he had his concerns with how the device would affect his own privacy and security because of the very real scenarios that have already shown how easy IoT devices are to compromise.
“I’ve been part of the security world as a developer for a long time in Israel, so I’m very conscious of security stuff,” he told Security Ledger in an interview Tuesday. “But people should already know about it. There are quite a lot of security issues with IoT devices, [such as] a new IoT botnet every month that uses people’s devices for DDoS [attacks] and a ton of cases where people’s cameras have been open to the Internet or hacked and photos were used to try to extort them.”
[You might also want to read: “Report: Organizations say IoT devices pose ‘catastrophic risk’, then shrug“]
Knowing the possible implications of installing a smart device on his home network and its related application on his smartphone, Sverdlin decided that he would take matters into his own hands to ensure its security.
What he found when he peeked under the hood gave him pause. Not only did installing an app for his water heater require all of his Android device’s permissions–such as access to his contacts, microphone and camera as well as the ability to modify system settings, the Broadlink device also was sending updates about the on/off state of his water heater to servers in China.
Sverdlin spoke over the weekend at The Circle of HOPE hackers conference in New York, and told attendees about his smart-device experience, reminding them not only the importance of security when introducing IoT devices in the home, but also encouraging them to be curious and bold, and make modifications to smart devices as needed to bolster security.
“I’m trying to inspire people to look into their devices and understand what’s going on and not be afraid to hack it and to find new behaviors that they want their devices to have,” he said.
Smart-device ‘home’ improvements
The device in question was a product from the Chinese company Broadlink marketing a device under a brand called Smartgrade just for the Israeli market. Along with the button came its related Broadlink “e Smart Home” application for an Android smartphone.
The first thing Sverdlin set out to explore why the Android application needed so many permissions just to function. What he discovered when he dug into the application’s code was that it has embedded SDKs for many of the Chinese social-media companies, such as WeChat (China’s version of Whatsapp) and others.
Sverdlin said he didn’t think any of the code was malicious; rather, the inclusion of all the SDKs was probably just a result of shoddy coding or placeholder code should there be the potential at some point to control other devices with the app, he said. Still, he didn’t want to grant all of that access to his smartphone just to use the app to control his water heater.
Getting around the permissions and still being able to use the application was fairly easy, Sverdlin said. He solved that by reformatting an old tablet and installing the device app on the tablet so it didn’t have access to his Android smartphone at all. However, he soon realized this was more like healing a symptom of a problem and not the problem itself. “I started looking into what I really need to do to get it to work for me,” he said.
Sverdlin made a few of his own security modifications to the device and the application to ensure it’s not doing anything that might make his information or home network vulnerable to compromise. First he went searching to see what information and tools were available for modifying the BroadLink device firmware. He said he found an API for the button and research concerning its communication, including an iPhone library for controlling it.
Using what he discovered, Sverdlin programmed device behavior so he could essentially install a timer on the device and control it through the device’s application, one of the features he desired but that the app didn’t actually have. “So, for instance, if it’s on for 30 minutes, I can shut it off because obviously I didn’t mean to leave it on,” he said.
“A lot of the things I wanted to make sure people understand is they don’t need to do hard things, they don’t have to be security researchers,” Sverdlin elaborated. “Usually a lot of legwork has been done and people have already figured it out–the hard parts are figured out.”
To stop the device from sending any of his information–even about the state of the device itself–back to the parent company in China, Sverdlin said he used the parental controls of his own home router “to disallow the button from speaking outside to the Internet.”
“Whatever it was sending, it’s not sending anymore,” he said. “It can’t talk outside of my network.”
Sverdlin also doesn’t use the application that came with the device to control the button. Instead he wrote his own custom code and put it on his computer.
“When I want to turn it on and off I talk with this small server and it controls it within the network,” he said. “So there is no reason for it to talk outside of the network. Now I can also see in the app itself, there is no more on/off state saving. The device can’t send it.”
As mentioned before, even if you’re not as inclined as Sverdlin to go digging into the guts of your smart device and associated app, there are shortcuts to making modifications that are accessible to the average-tech-minded person or professional, he said.
“You can find a Python library or code that lets you control it and find a cost effective way of hacking it and making it work like you want it to work,” Sverdlin said.
IoT security begins at home
Even if this seems like too much time and effort, there are still some simple things you can do to make sure your IoT device isn’t putting your network or data in harm’s way, he said.
“Some of the things like blocking using your router are simple,” Sverdlin said. “They also should at least be aware there might be a malicious update.”
To this latter point, device owners should check periodically for firmware updates to their devices to ensure that they get any of the latest security patches if the manufacturer finds and repairs flaws, he said.
This, in fact, is essential to keeping IoT devices in the home secure because IoT security–due to the fact that manufacturers at this point are more focused on putting in features consumers demand than making sure devices are secure–is the responsibility of people buying the device, not on the provider, he said.
“The burden for your own safety is always on you,” Sverdlin said. “Even if the devices themselves become top of the line security wise, it’s still on you to keep track of whether a device has been hacked to see if there is a new update. There is no way the device manufacturers or anyone else but you can protect you.”