[German]The Internet of Things (IoT) enables you to set up a smart home in which you can remotely control your door locks, lights, thermostats, and many other things via Internet, using your smartphone and an app. But is this environment secure? German eco association warns against smart home hacks, which can lead to the massive shutdown of photovoltaic systems or other problems.
Visiting a site like www.smartthings.com shows us the funny new world of "smart things". "Add connected locks and cameras to enhance your setup", "Monitor activity throughout your home", "Get instant alerts for unexpected events" are the buzzwords given at such sites. And according to this PC Magazine article,
the Internet of Things and smart homes made it very easy (and relatively affordable) to monitor your home from just about anywhere with a smart security system. Smart security systems are highly customizable and are available as do-it-yourself kits or as full-blown setups that require professional installation.
On the other hand, within a smart home, all IoT devices are connected via WiFi to your home network and then to the internet. We have learned, that IoT devices like routers or surveillance cameras may be turned into members of the Mirai bot net and be used for massive DDoS attacks. You Can Now Rent a Mirai Botnet of 400,000 Bots. as bleeping computers reported in the linked article. A few days ago US sites like engadget reported Hackers hijack Philips Hue lights with a drone. I stop here to link further hacks and vulnerabilities in IoT and smart home components. As a conlusion, German eco-association warns against smart home hacks, which can lead to the massive shutdown of photovoltaic systems or other problems.
Acccording to German eco (Verband der Internetwirtschaft, association of internet economy), smart home systems often meet only low (or simple no) safety standards. This makes it possible to switch off lights in houses with tools available on the Internet (see the link about the Philips Hue lamps hack by drone), drive the window blinds up and down, or take private photovoltaic systems off the grid.
Marco Di Filippo, a German security specialist, demonstrated such scenarios within his workshop "Licht aus, Vorhang auf, Bühne frei! Smart-Home-Hacking", held at German Internet Security Days in September 2016 in Brühl near Cologne. Eco cites Di Filippo that the "existing security gaps leads to the risk, that cyber criminals are hacking thousands of publicly accessible photovoltaic plants and taking the systems of the grid." This allows them to make sudden fluctuations in the electricity network – with unknown consequences. Smoke detectors, monitoring cameras and locking systems for private households can also be manipulated with little effort. "If different attack scenarios are combined at a pre-determined time, this may have far-reaching consequences.", says Marco Di Filippo.
Attack areas of the public infrastructure are underestimated
"Every device in the IoT, from the refrigerator to the car, to control systems in the industry, is potentially vulnerable," says Di Filippo. He found safety gaps also in many public utilities such as waterworks or swimming pools. He warns against a still 'too much thoughtlessly attitude' on the part of many responsible persons, who still use unencrypted connections. But the damage potential of many small security gaps is huge. "Hackers find automated attack potentials and use them sooner or later for attacks. We were able to demonstrate this with different experiments, "says Filippo.
Many small safety gaps ensure a huge potential damage
If there are security holes, they are also reliably discovered and exploited by hackers. For example, IoT search engines such as Shodan or Censys scan the IoT (Internet of Things) for all devices that can be accessed remotely. "All components that are integrated into the local network and thus possibly have access to the Internet are potentially vulnerable," says Markus Schaffrin of the eco – Verband der Internetwirtschaft e.V. "Manufacturers should rely on established standards for encrypted connections."
Eco -advises on solutions that require a user authentication before accessing his smart home system remotely. A particularly high risk are offered via unencrypted connections and using standard logins, which can not be changed. Owners of older systems (also made from manufacturers who are no longer on the market) should revamp or retrofit their systems, accordingly to eco.