Energy efficiency, security, and comfort – these are just some of the attractions of a smart home. But unfortunately, this “networked” bliss is also vulnerable.
An increasing number of appliances are attempting to connect to the Internet to become a “thing.” Also in our own homes. According to a forecast from TÜV Rheinland, in every private home, about five hundred appliances, products, or applications will be connected within the next five years. The occupants expect more convenience, lower energy consumption, and also more security. However, there are risks associated with these indisputable advantages. Unprotected, networked systems can make entire networks susceptible to attacks from outside. Many of these “smart” products and applications are not even checked sufficiently in the factory with regard to data protection and cybersecurity. Users then create more weak points as a result of misconfiguration, incorrect or no security settings or hastily installed systems.
This allowed the Mirai malware to “hijack” surveillance cameras, refrigerators, and other networked IoT appliances with inadequate security two years ago, paralyzing large parts of the Internet with millions of inquiries. The software scanned the network for IP device addresses and attempted to log on with standard passwords and then install malware, According to a report from Symantec, cyber crime caused USD 172 billion damage for 978 million victims last year.
In addition to conventional computers, this “business model” is increasingly based on routers, surveillance systems, video recorders, or household objects that are connected to the Internet because, in principle, anything “electrical” can also be made smart. But unfortunately, these previously “inaccessible” devices are also accessible to uninvited guests.
In addition to the nasty hackers, there are also some good white hat hackers, such as TÜV Rheinland. They use “criminal” methods to discover vulnerabilities. For example, they were able to access the inverter of a solar power plant. They discovered that all the connected storage systems and even the entire power system could be manipulated from outside.
Because of this, TÜV Rheinland is calling for independent tests according to uniform standards for smart products and systems. As is the case with the familiar GS mark, consumers should be able to recognize data and cyber security. In addition to the devices, the second focus is always on the applications, since there is generally a service associated with the Internet, such as for mobile control with a smartphone.
First certificate for cybersecurity
The independent VDE Testing and Certification Institute (Hall B2, Booth 252) also acts as a hacker and looks for vulnerabilities in devices and systems. This includes cybersecurity as well as protection of personal data and functional safety. Recently, eQ-3 AG, the European market leader in the field of whole home solutions, received the VDE certificate “Smart Home – Information Security Tested” for its first wired and encrypted smart home bus system, “Homematic IP Wired.”
The Homematic IP family consists mainly of products for controlling room climate, security, lighting, and shading. With this solution, configuration, monitoring, and control take place via a free app. For this purpose, the Homematic IP Access Point enables communication between the local wireless or wired devices and the Homematic IP Cloud Service.
However, a comprehensive security concept for a smart home should not only include new purchases. All possible communication channels should be considered. The concept should also be adapted periodically to take account of new findings and attack scenarios. Old systems can turn out to be particularly high risk. The situation is no different in IT.
For example, researchers from Check Point Research tested fax machines with regard to information security. Despite the outdated communication technology, they are still used in many offices and households. To put the fax “out of step” and provoke a buffer overflow, the engineers sent faxes with malicious code disguised as image files to all-in-one printers with a fax function. The malware allowed unhindered access to the entire network. Intrusion of Trojan horses cannot always be recognized on the device itself. Such attacks are possible on many fax machines, since – as opposed to data lines – phone lines are not protected or monitored by special security mechanisms.
The complete 2018 Cybersecurity Trends are available at no cost and can be downloaded from TÜV Rheinland.
ESET White paper: “IoT and privacy by design in the Smart Home (pdf)”
Learn more about cybersecurity at the Cyber Security Forum.