IoT Home (in)Security: the hack I fear is coming

2016-05-03

The lack of security in the Internet of Things is increasingly discussed. In May, Wired published an article about how Samsung’s Smart Home let hackers unlock doors, etc. This is a major problem, but it is only the start.

What happens when one smart home device, supplier, or component becomes ubiquitous?
Back in August 2015, I wrote the following on Reddit.

Online and on television we see advertisements for Internet-enabled home security. Recently, ActiveRain had an article listing several (iSmart Alarm, Presence, August Smart Lock, Goji). We can benefit from the convenience they provide and can feel safer since we have more control and visibility.

But what will happen when these systems get hacked? Customers everywhere would be open to substantial physical loss from targeted attacks.

Imagine this scenario.

  1. A hacker gets access to customer addresses as well as camera and/or locks.
  2. Said hacker sells the location information to local criminals, valuing the targets based upon zip code or Zestimate.
  3. The ne'er-do-wells remotely case the house to see its contents and when it is unoccupied, pull up a moving truck, remotely unlock the doors, and “make out like a bandit”.

What liability will the compromised IoT home security company have? What will the burden of proof be for the burgled homeowner to prove that their IoT home security system was the cause of their loss?

The questions came to me recently when a very large Internet-enabled home security company (not listed here) solicited me to purchase their service. Looking at their login page, I asked the aforementioned questions as well as several others (e.g. Why do you only support IE? Why is login done via QuickTime? Why is there so much debug code and informational comments in your HTML & JavaScript? As well as a few OWASP Top 10 basics.)

The size of the breach could be enormous.
The legal battles regarding culpability could take years to resolve.

What oversight can one put into place to protect their premises?

© 2013 REPlexus.