What security and privacy threats should condo communities watch out for due to the rise of internet-connected smart home devices?
Smart environments have been around for several decades. Technology used to control microwaves, fridges and lights has been emerging and proliferating since the ’90s. I remember then being able to hack a microwave using a software development platform called micro-java. Yes, I was successful and was very proud of my accomplishment. My name flashed on the screen whenever the timer ended.
What is a smart environment?
A smart environment is a location (house, office, condo) in which technology is implemented into the building’s structures to provide automation, monitoring and convenience. The technology can include mechanisms that monitor and control HVAC, security, temperature, fire suppression systems, lighting, window treatment, appliances and personal assistants.
From a security perspective, let’s break down a smart environment into two blocks – buildings and residents. Each block has its own technology, expectations, complexities, privacy concerns and connectivity practices.
Residents are concerned primarily with appliances, personal assistants and personally operated technology that operates from their personal WIFI and network access. In most circumstances, network connectivity is separate from that of the building. Tenant systems frequently have greater access to personal information, including access to computer systems and printers that are part of the home network.
Buildings are concerned with large scale systems, including access control, environmental systems, security and employee management. The systems are frequently larger, more expensive and updated less frequently than tenant-based systems, thus decreasing the potential for security concerns to be addressed in a timely fashion. Building systems are frequently considered more accessible by the professional criminal due to their age and lack of security measures.
Four preventive measures
The types of threats and common problems associated with smart environments have not changed throughout the years. What has changed is the degree of awareness in owners and the proliferation of the technology, both of which lead to a greater opportunity for attack. Unfortunately, as we see an increase in smart technology use, the fundamental practices associated with smart technology security have not changed or improved. Consider the following:
Close the points of access: Points of access include network access ports (the holes in the wall for network cables) as well as wireless access points. Professional criminals will survey a building for different ways in which they can physically access a technology structure. The greater the number of access points, the greater the opportunity of success. Buildings and residents should provide WIFI access to authorized individuals only, with guest access being restricted to the Internet. In addition, buildings should be aware of what access ports are in use, disconnecting any that are not operational and physically reviewing ports on a frequent basis for unauthorized devices. These devices can be as small as a USB key.
Update your technology: Smart technology has a lot of moving parts, even within some of the smaller bundles. It is important that every component of that technology bundle be updated consistently and replaced prior to being categorized as “end of life.” Unpatched and unsupported technology are two of the most common problems in smart environments and a leading cause of exploitation. For example, an HVAC system running Windows 7 can be exploited to permanently disable environmental controls, change settings or gain access to other systems. This is done by taking advantage of a vulnerability in an unpatched HVAC system or the associated operating system.
Organize your technology into segments: Segmentation is a security term that essentially means breaking technology into small groups. Think of it as disease control. By creating small, isolated groups we reduce the risk of one group being affected by the problems of another group. For example, if your HVAC system is compromised by a hacker, the hacker does not have the ability to exploit the security or lighting system.
Segmentation is implemented through network controls such as firewalls and routers, which draw boundaries around groups of technology addresses to create closed communities. While operational teams can still access each technology, the technologies themselves are organized so they are unaware of each other, or access is permitted through small and well-controlled access points.
Buildings can create large groupings such as environmental, security, elevators or smaller groupings such as HVAC, lighting, fire suppression systems, elevator, door systems, camera systems, etc. Residents, at a minimum, should segment their computers for home and work from other technology.
Add a firewall: Firewalls are the foundation of security. They are the digital walls that protect your castle and reduce the opportunity for an attack to be successful. Firewalls are established to limit what services are available, where they can be accessed from and even who can access them. In addition, firewalls allow you to review and address potential attempts to gain access to different parts of your environment.
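As an added illustration (not part of the original article), the Python sketch below audits a firewall rule set against the segmentation and guest-access practices described above. The segment addresses, both rule lists and the function names are constructed for the example, and rules are assumed to be evaluated first-match at segment granularity or coarser.

```python
from ipaddress import ip_network

# Constructed segments: names follow the article's groupings, addresses are made up.
SEGMENTS = {
    "hvac":     ip_network("10.10.1.0/24"),
    "lighting": ip_network("10.10.2.0/24"),
    "cameras":  ip_network("10.10.3.0/24"),
    "ops":      ip_network("10.10.9.0/24"),    # operational team workstations
    "guest":    ip_network("10.10.50.0/24"),   # guest Wi-Fi
}
# Intended policy: ops may manage each device segment, guests reach the Internet only.
ALLOWED = {("ops", "hvac"), ("ops", "lighting"), ("ops", "cameras"),
           ("guest", "internet")}

# Constructed rule sets: (action, source CIDR, destination CIDR), first match wins.
WEAK_RULES = [
    ("allow", "10.10.9.0/24",  "10.10.0.0/22"),   # ops -> hvac, lighting, cameras
    ("allow", "10.10.50.0/24", "0.0.0.0/0"),      # guest -> anywhere (too broad)
    ("allow", "10.10.1.0/24",  "10.10.3.0/24"),   # hvac -> cameras (leftover rule)
    ("deny",  "0.0.0.0/0",     "0.0.0.0/0"),
]
FIXED_RULES = [
    ("allow", "10.10.9.0/24",  "10.10.0.0/22"),
    ("deny",  "10.10.50.0/24", "10.0.0.0/8"),     # guests never reach internal ranges
    ("allow", "10.10.50.0/24", "0.0.0.0/0"),      # guests -> Internet
    ("deny",  "0.0.0.0/0",     "0.0.0.0/0"),
]

def permitted(rules, src, dst):
    """First-match evaluation of a whole-segment flow; no matching rule means deny."""
    for action, rule_src, rule_dst in rules:
        if src.subnet_of(ip_network(rule_src)) and dst.subnet_of(ip_network(rule_dst)):
            return action == "allow"
    return False

def audit(rules):
    """Return sorted (src, dst) flows the rules permit but the policy does not."""
    # 203.0.113.0/24 is a documentation range standing in for "the Internet".
    targets = dict(SEGMENTS, internet=ip_network("203.0.113.0/24"))
    return sorted((s, d) for s, s_net in SEGMENTS.items()
                  for d, d_net in targets.items()
                  if s != d and (s, d) not in ALLOWED and permitted(rules, s_net, d_net))

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(name, audit(rules))
```

Running it lists every cross-segment path the weak rule set leaves open, such as guest Wi-Fi reaching the camera segment, and reports none for the corrected set.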
Be sensible. Not paranoid
It’s hard to avoid smart home technologies. Technology that monitors and alerts us is part of everything from microwaves and dishwashers to air conditioning units, TVs and cameras. We can see who is at our front door through our phone and get alerts when the dryer turns off. What is important is to be sensible versus paranoid.
Know what is connected in your environment. Keep your environment updated and invest a little bit of time to protect your home from outside threats.
Bryan Zarnett is managing director of security consulting at Cytelligence, a leading international cyber security boutique based in Toronto. Bryan has been a passionate and active member of the IT community since the late 1980s offering thought-leadership, coaching and consulting in the areas of computer security, software architecture, design and development in addition to methodology implementation. Bryan has worked in a variety of industries including law enforcement, financial, manufacturing and legal.