Hacking a Smart Home in the Age of the Internet of Things

October 13, 2016

Charlie Miller and Chris Valasek (security experts with Uber's Advanced Technology Center) demonstrated a Jeep Cherokee hack in 2015, during which they took control of onboard systems. The hack took place over the internet, from the comfort of their homes. It exploited a vulnerability in the Jeep's entertainment system to gain initial access, after which they moved into other systems, such as the steering and brakes.

The following hypothetical hack shows how a similar scenario might play out in a future smart home in the age of the internet of things (IoT).

Imagine it's 1:30 a.m., and you've just finished preparing a presentation for an important meeting later that day in another city, and you need to wake up at 6 a.m. to catch a flight. You live in a smart home in the age of IoT. Almost all of your appliances are connected to a centralized wireless network, and they "talk" to one another. Your fridge scans the barcodes of items within it and sends automated messages to your phone—to add milk to your grocery list, for example, when you're down to your last gallon. Your coffee machine is programmed to make your favorite brew at the same time every morning.

You get into bed and tell your alarm clock (which is routinely set for 7 a.m.) to wake you up at 6 instead. As you try to go to sleep, you are woken by a notification on your phone: Your shower has noticed that you changed the setting on your alarm and wants to know if it too should activate one hour sooner. You click yes and try again to doze off. But the coffee machine also noticed the change and sends a similar email. Then the toaster sends yet another. At this point, you are fed up and tell all of your appliances you want no further notifications until you get back in a few days.

The next day, robbers show up at your home, having found out from social media that you will be away. They are part of a criminal organization that paid more than $100,000 for a zero-day exploit (the opportunity to use an undisclosed computer-software vulnerability before a developer can fix it) specifically targeting the networks of smart homes. Either the robbers themselves were trained in the use of programs to hack into your smart home or they have help from programmers hired by their organization.

The hack begins through a security vulnerability in your toaster's Bluetooth. This may seem innocuous, but the toaster communicates with the smoke alarm, and the smoke alarm and security system are part of a subsystem monitored by your home security company. Once inside your system, the robbers determine that you have disabled notifications for your appliances, and that, in your haste to leave, you forgot to set them on vacation mode. As a result, neither you nor your home security company is notified when the robbers' hack moves from the toaster to the smoke alarm and then to the security system. They proceed to turn off your home security, unlock your doors, enter your house, and take what they want.

The above scenario illustrates three key points:

  1. A security system is only as strong as its weakest link
  2. Cyber attacks are often at least partially a result of negligence on the part of human users
  3. The world of the future is one in which almost every device will be connected to almost every other

Points 1 and 2 are already true, but the problems they pose will be amplified in the future. In particular, points 1 and 3 together pose a significant challenge: The more devices are connected to one another, the more potential sources there are for the weakest link, and the harder it is to secure a network.
