Mr. Robot and Smart Home Security
The premiere episode of Season 2 of Mr. Robot shows the smart home of the fictional character Susan Jacobs getting hacked, from shower temperatures changing to the projector suddenly turning on. It's the IoT dystopia customers fear when connecting their homes to the Internet, but how close to reality is this script? I asked two IoT smart home experts: Doug Drinkwater, Editor of Internet of Business, and Phillip Steele, CEO of nCube.
Doug Drinkwater, Editor of Internet of Business
The situation in Mr. Robot is highly unlikely to play out. There have been examples of what you would call IoT security hacks, such as the Jeep hack, where researchers worked with Wired magazine to hack into a car and make it stop – while it was moving. But what we have to note is that that Jeep hack was a test, which took two years to carry out. More often than not, hackers go for the easiest and most profitable attacks possible – most aren't interested in the difficult and complex.
I don't see many cyber crime groups trying to leverage security vulnerabilities in a virtual world to make a benefit in the physical world; that seems far-fetched. From my perspective, hackers are far more likely to take information about us – like our credit cards – and put it on the dark web. Selling these details on can make them a huge amount of money.
The fundamentals of security, certainly from a defence point of view, are to make it as difficult as possible to attack the network so that, after a certain period of time, those groups will look for easier targets.
Information security is a constant challenge for all organisations, and IoT is making that challenge more difficult than before. This is not just to do with the huge volumes of devices, and the data they are generating, but also with the products being brought to market.
Even the big companies bring smart home products out to market without properly considering security, and subsequently the security community often finds holes in these products quite quickly. Some of these holes are quite basic flaws, for example, default passwords, particularly on routers, which are very easy for someone to compromise. Software vulnerabilities can be easy for hackers to exploit, while often IoT devices lack end-to-end encryption.
For many companies, security remains a bolt-on rather than a key consideration. As a consumer you must do as much research as possible to make sure you aren't making yourself a target.
There is an inescapable fact that smart products can get hacked no matter how secure they are; it’s more about how you go about being as prepared as possible.
It's been proven that you can hack a thermostat, but it's an extremely laborious process just to change the temperature in someone else's house. To break into a thermostat, you must first hack into the product's software, put malware onto it and then sell the thermostat back to a customer second-hand.
Being able to push software updates onto your IoT device is key to fixing security issues. The bigger question is whether you should force these updates onto devices or give customers the choice.
Another security consideration smart home companies should factor in is whether to make a username and password the customer's sole point of access to their account. This allows anyone with a customer's details to access their thermostat, and that's why two-factor authentication should be a key step in the security process.
Ultimately the responsibility falls more on the company than on the customer to make smart home devices secure. Customers are the weakest link and you can't rely on them to be aware of security. The customer expects a company to make their systems secure, so a customer never uses a product wrongly; the company just designs a smart home device wrong.
You can follow Christiana Courtright, community manager at IoTUK, on Twitter @IoTUKNews.