One third of Australia’s connected homes are vulnerable to cyber-attack, writes Schneider Electric’s business development manager – digital buildings Mark Jeisman.
The global digital transformation is in full swing and bringing benefits to homes and businesses like never before. Recent research conducted by Telsyte and Schneider Electric suggests we’ll have around 37 connected smart home devices in the average Australian home by the year 2022.
For all the ground-breaking benefits digitisation can bring, there is also a sinister side in the rapid increase of cyber-attacks. According to Cybersecurity Ventures it’s predicted that cybercrime will cost the world $6 trillion annually by 2021.
More frequent criminal activity in the form of cyber incursions can have far reaching consequences. The most significant attacks to date have targeted governments, infrastructure and high-profile global businesses, but attention is turning towards residential buildings where smart devices and home networking are growing exponentially.
This year digital security provider Avast revealed, through a global and regional study of over 16 million home networks, that over a third (33.4%) of Australian homes contain at least one connected smart device that is vulnerable to a cyber-attack. Avast consumer president Ondrej Vlcek says, “People use their smart TV to watch their favourite Netflix series or connect their baby monitor to their home network; however, often they don’t know how to maintain the security of their devices.”
It only takes one vulnerable connected device to compromise the security of the entire home network, giving bad actors a potential back door to access personal data or other connected devices. This could lead to significant financial, privacy or even physical damage.
In one of the most recent high-profile examples, a US-based internet domain name company was overrun by millions of requests originating from CCTV cameras, network video recorders and other connected smart home devices. The attacks, which were orchestrated by an outside perpetrator, resulted in the temporary denial of service for many users of Twitter, Spotify, Netflix, Amazon and other social media sites and online retailers. In another well-documented breach straight from the Ocean’s 11 playbook, a Las Vegas casino’s database was hacked via a connected fish tank thermostat at the venue.
The Avast study found that some equipment manufacturers, particularly in the DIY product space, neglected cybersecurity features under the increasing pressure to deliver smart devices quickly and at an affordable price.
However, it was found that the home owner, or in some cases the installer of the smart devices, created the most vulnerability or weakness by not establishing appropriately high levels of security, whether through ignorance or complacency.
Over 50% of studied sites revealed weak credentials – citing a lack of strong password protection or only basic one-step authentication in smart home devices during set-up. The other area of exploitation was old software, firmware or a lack of updates being performed on equipment, leaving the device exposed to threats without the most current security measures and patches.
So what devices are the most vulnerable?
Avast reports home printers and internet routers take the cake when it comes to weak security – 59% of people have either never logged into their router to change passwords or updated its firmware.
In the first instance, many people who purchase a DIY smart home product are unable to configure the device correctly or ensure that it has been set up as securely as possible.
Security and passwords for our smart phones, tablets and computers stay top of mind because we are prompted to update regularly. Gaming consoles, CCTV systems, network storage drives, NVRs and media boxes that stream to our TVs are often forgotten. These devices are being installed without a secure approach, or a ‘she’ll be right’ attitude settles in once the device is set up and working.
Adding to this, alternative wireless mesh standards such as Zigbee, Z-Wave or Bluetooth each require a secure approach suited specifically to that transmission type. Some devices feature no protection at all; however, on credible devices at least, a layer of security, often based around AES encryption, might be available.
The role of DIFM (do it for me)
The system integrator or IoT professional is now playing a key role in supporting a more confident and successful customer solution when it comes to ensuring a level of security and protection. IControl’s Smart Home Report survey of DIFM customers cites a confidence level of 97.4% that their home systems are secure. But for the industry professionals delivering this confidence, the increasing level of responsibility brings new moral, and perhaps downstream legal, dilemmas if due diligence is not undertaken.
The National Institute of Standards and Technology (NIST) has developed a cybersecurity framework that outlines cybersecurity measures that fall under five areas: identify, protect, detect, respond and recover. It is to “facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures and processes to cost-effectively reduce cyber risks”. The framework currently describes voluntary standards, but mandatory cybersecurity standards may be something considered in the near future as we contemplate the onus of responsibility.
Should industry professionals weigh up the cost of compliance and best cyber security practices against pressure to deliver solutions at a cheaper cost?
Do we as industry professionals require a level of education/declaration back to customers regarding potentially flawed and vulnerable devices, and will it come to the point of a signed waiver?
What can we do for smart device protection?
The first thing to understand is that cyber security is the responsibility of everyone, from the manufacturer to the IoT professional and the owner/user.
One of the manufacturers taking a very proactive approach to the importance of cyber security in production and policy is Schneider Electric, a global leader in the digital transformation of energy management and automation. Senior director of cybersecurity Gary Williams sums up the approach – “Being vigilant about cybersecurity is a journey not a destination – meaning that securing the device or software over its lifespan is constant, and though the risk can never be completely eliminated, it must be continually managed. It’s everyone’s business to do so.”
Don’t panic, just be vigilant. The below practical tips provide a general guide to the security of residential smart home devices.
- When purchasing a new smart device or designing a new solution, ask your supplier or manufacturer what its cybersecurity policy or options are.
- Consider managed service agreements and include cyber security updates as a part of this.
- Set updates to auto, and make sure the firmware is current in the first instance.
- Smart speakers generally have a voice match feature, preventing other people from accessing your information.
- Choose a reputable company for smart home tech supply and manufacture.
- Consider a VLAN or separate network for smart devices in the home.
- Enable encryption if available on the device.
- Security gateways offer an elevated level of options.
- Add VPNs where remote access is required.
- There are aftermarket solutions that can add a layer of protection if need be; however, these may be more expensive than the device.
- Take simple steps like setting strong, longer, unique passwords using combinations of upper and lower case, special characters and numbers, or passphrases.
- Make every password set on the device different from any used before, and change default user names.
- If available, register multi-step authentication.
- Continually update old firmware, software and patches, and check the product is still being supported.
- Regularly back up data.
If in doubt, seek specialist advice or an IT professional who can support any concerns you have.