Smart home security devices are designed to make a household more secure and more convenient, and in many ways they have achieved those purposes. A high-end smart lock device such as Kevo is physically impenetrable, and smart security cameras can automate your garage door and even integrate with other smart lock systems.
Physically, they are virtually impenetrable, but how about their vulnerability to digital attacks? Remember the latest iteration of the Die Hard movies back in 2007, where a hacker attack throws the whole nation into chaos? That fantasy can indeed be a real threat today in the Internet of Things era.
The Case of Samsung SmartThings
Back in early-mid 2016, several tech news sites and Wired magazine reported on security flaws in Samsung SmartThings, one of the most renowned smart home security controllers out there.
What does it mean to us and why is it important? Because it simply proves that even the biggest smart home systems can be vulnerable. Thankfully, the hacking was not done by a criminal, but rather by a group of researchers at the University of Michigan. The flaw they discovered was significant and would allow hackers to create their own e-keys to open smart locks. Another flaw allows an attacker to control connected devices, which can, in turn, allow them to steal the password or PIN used to open door locks.
The flaws were mainly related to how SmartThings integrates with third-party apps, which can implement the OAuth authorization protocol. In turn, attackers can steal a user’s login tokens when that user tries to log in. With those tokens, attackers can even create their own PINs and e-keys to open smart lock systems.
Samsung SmartThings also has significant control over the user’s smartphone, which in turn allows the hacker to sneak an app onto the smartphone that is able to do various security hacks.
The issues have since been fixed by Samsung, especially by limiting developers’ privileges to implement OAuth, and developers will now need a source code review. Samsung has also implemented a few updates to the platform to prevent future vulnerabilities.
Yet Samsung SmartThings wasn’t the only one with vulnerabilities. Last December, researchers also reported flaws in the ZigBee protocol, one of the most used protocols for smart home devices. The flaw allows attackers to jam the ZigBee network, effectively rendering the connected devices useless. Considering that most smart security cameras and alarms use the ZigBee protocol, an attack on this security flaw will stop your alarm from signaling break-ins, and your security cameras from sending alerts to your phone.
Is Your Smart Home Under Threat?
We should remember that Samsung SmartThings and ZigBee are merely examples, and not the only ones with security flaws. Researchers simply chose Samsung SmartThings because it was the most widely used platform back then, and was more mature compared to newer products like Google Home, Nest, or Apple HomeKit.
Yes, Samsung has since addressed the issue, but as we can see, antivirus software still does not stop computer viruses even today, as shown by the recent ransomware attack in May 2017. We can also see how computer software is constantly being pirated, even with all the updated security methods.
Bottom line? We should always be careful, and as long as smart home security is software-based, it will always be vulnerable to digital attack.
How Should We React?
So, how should we react now that we have learned of this issue? Should we avoid smart home hubs and smart home devices altogether?
Remember when viruses were even more common on Windows computers in the late 90s and early 2000s? Did they stop you from using your PC?
Smart home technologies, in our opinion, are the same, and they are definitely the future. One thing we should consider is choosing the right brand and product, one that will address its security flaws.
How should we determine the right product? No matter how secure the product is, there will always be exploits and flaws available for attackers. So, the right way to determine the right brand is to see how often they update the software. Generally, the brands that are more active on social media and frequently engage with their customers are faster in reacting to security flaws and issues.
Again, Samsung is a good example of this kind of thing. Remember how their smartphone product, Note 7, was called off because of the combustion accidents just last year? Although it was a terrible mistake on their end, they reacted really fast and took full responsibility.