UPDATE, 3-28-2019: The William & Mary paper was awarded Best Paper at the 9th Conference on Data and Application Security and Privacy. CODASPY is a conference dedicated to security and privacy issues related to Internet and smart phone use.
The best-paper selection process involved another separate round of peer review. The awards committee shortlisted five top papers out of the accepted papers, and then each committee member individually reviewed and rated each paper selected paper. The W&M paper was rated number one among the top five papers.
The burglary starts in the most mundane way possible. The thermostat turns up one degree. A light flickers on and off. The lawn sprinkler starts up for a split second and shuts back down.
If it were a scene in a thriller, it would be the most boring break-in sequence of all time, but those dull deeds could be the future of home invasion, according to a new report by William & Mary computer scientists.
“You don’t think of your light switch and go ‘Oh, this is a security-sensitive device,’” said Adwait Nadkarni, assistant professor of computer science at William & Mary, and primary investigator and co-author of a recent study on smart home security systems. “Millions of dollars have been put into devices like security cameras and door locks to make them impenetrable, but people haven’t paid the same attention to low-integrity devices such as light switches.
“Logically speaking, there shouldn’t be a way for a message to go from a light switch to a security camera, even indirectly. However, that’s not always the case, which is the crux of the issue we have here.”
Internet-connected computing objects collectively known as smart home products have become increasingly popular with consumers over the past several years. Over 20 billion smart home products are projected to be in use by 2020, says Denys Poshyvanyk, associate professor of computer science at William & Mary, co-PI and co-author of the recently published study.
Their paper, titled “A Study of Data Store-based Home Automation,” has been accepted to the ACM Conference on Data and Application Security and Privacy (CODASPY) and will be presented in Dallas in March. Other co-authors on the paper include William & Mary C.S. Ph.D. students Kaushal Kafle and Sunil Manandhar, as well as C.S. post-doctoral fellow Kevin Moran.
Over the summer, the team of researchers tested the security of a number of smart home products and found many significant vulnerabilities. Some vulnerabilities were serious enough, Poshyvanyk said, they may require smart home platforms, such as Google’s NEST, to rethink the way devices interact in the home.
The researchers are working with platform vendors like Google NEST and Philips Hue, as well as app developers and manufacturers like TP Link, to harden the platforms and increase safety for consumers.
That’s no easy task. There is such a wide array of smart home products and platforms, it’s nearly impossible to secure every aspect of every device, Poshyvanyk explained. The range runs from small devices with embedded computers, such as smart locks and light bulbs, to full-size appliances like refrigerators and HVAC systems.
“While the convenience is beneficial, security flaws in the platforms or integrated third-party products can have serious consequences for the integrity of a user’s physical environment,” the researchers write in their report.
An attack on a smart home is not like other attacks in the digital environment, the researchers explain. It affects people’s physical safety. Smart home systems provide a bridge between the digital and physical worlds, which is convenient for automation, but risky for security.
“One of the key things that attracted us to this topic is that you’re not only worried about the more traditional privacy and integrity-related attacks,” Nadkarni said. “You’re worried about the users’ physical safety.”
Nadkarni, Poshyvanyk and their graduate students evaluated the security of two popular smart home platforms, Google’s NEST and the Phillips Hue. Both systems, as well as many other smart home platforms, operate using a centralized data store. The data store serves as a kind of switchboard, which apps and devices use to communicate with each other over the internet.
For example, let’s say you want to change the temperature of your thermostat. You pull up your smart home app on your mobile phone and tell it to turn up the heat. The app will then write a change to the target temperature variable in the centralized data store. The thermostat device will subsequently receive an update from the data store and change its temperature accordingly. The system works because apps and devices are able to communicate by reading from or writing to variables in the centralized data store.
The problem, Nadkarni and Poshyvanyk explained, is that a data store-based system provides hackers the ability to access all devices in the home, from light switches to security alarms. An adversary can compromise one low-integrity product, like a sprinkler or a third-party lighting app, and modify a data store variable that another high-integrity product, such as a security alarm, depends on. This can have a whole host of unwanted consequences.
“What we often find in these types of evaluations is there isn’t one easy solution,” Nadkarni said. “The challenge comes in having to look at the environment as a whole, when there isn’t exactly one main problem or flaw. What you see here with smart homes is a systemic failure, many different bits and pieces coming together to create these flaws.”
For example, an adversary may compromise a light switch app and modify a variable that makes the security camera turn off when a burglary is in process. Such an attack is called a lateral privilege escalation, where one uses a low-integrity device to compromise any high-integrity devices that connect to the same smart home.
“There is so much you can do as a hacker in the context of this system,” Poshyvanyk said. “It’s a design issue, which means the system basically needs to be redesigned for it to be fully protected. For software developers, this centralized data store solution is very easy to implement, so that could be one of the reasons why it was part of the original design. It’s a very straight forward, simple implementation, but we can see that it’s ineffective from a security point of view.”
The researchers identified ways an acquaintance can burglarize a smart home-enabled house with without being detected. The burglar only needs access to the same public internet network (like connecting to the same Starbucks wifi) as the homeowner to temporarily disable the smart home’s security system.
Poshyvanyk and Nadkarni successfully executed such an attack using a NEST smart home system set up in their IoT lab. They changed the system’s settings to indicate the owner was home when they were not, therein disabling the security camera. The researchers quickly alerted smart home companies to the vulnerability. TP Link’s Kasa switch, which was a stepping stone in performing the attack, has since been updated, preventing that specific instance of attack described in the study.
Poshyvanyk says these kinds of vulnerabilities come with the territory. He places blame on the industry as a whole, not any individual company. Tech companies today are all in a race to be first to release a new product -- and that often comes at a price.
“I’m afraid market pressure is the driving force here,” he said. “The problem is manufacturers race to release these systems without having a good understanding of how they will be used in the wild. Users do things the companies did not expect them to do, because that’s how users are. It’s kind of a chicken and egg problem. You don’t know until it’s too late.”