November kicks off the season of giving, and many households may be turning to smart home devices to increase their security. Often advertised during the holidays, smart security gadgets — like doorbells with cameras, Wi-Fi-enabled door locks and motion-activated security cameras — are part of a boom market, which is expected to swell to nearly $16 billion globally within the next four years.
But the latest research shows these smart devices aren’t always as secure as you think.
In a recent study from North Carolina State University, researchers reviewed 24 popular smart home gadgets, finding that the majority contained critical design flaws. The brands reviewed included Belkin, SmartThings and Wyze. We’ve reached out to the companies that manufacture these devices for their reactions to this study, but none have responded. We’ll update this story if we receive responses.
“Twenty-two of the 24 devices had one type of problem or another,” said William Enck, a computer scientist at North Carolina State University who led the study. “That speaks to this being not just a vulnerability here or there, but a design flaw that smart home manufacturers really need to be paying attention to.”
The researchers found these devices can leak user information and put homeowners at risk of cyberattacks and break-ins. These flaws allowed a cyberattack, staged by the researchers, to disrupt the flow of information and disable the smart devices, all without the user’s knowledge.
Of particular worry to Enck is that domestic abusers could also capitalize on these vulnerabilities. He said domestic abusers are more likely to be cyber culprits because they often already have access to a home router and, therefore, can upload malware to block security signals to smart home devices.
Other scientists have revealed that a cyber attacker could potentially glean user data from smart devices to profile the victim’s activities, even if the data is encrypted. These glitches could allow hackers to monitor users and create a personalized attack plan for the ideal robbery.
Here are the vulnerabilities they found:
Hackers can siphon information from the air
Even if the data is protected through encryption, which translates data into a hidden code that can only be read with a secret key, an attacker could gain access to sensitive information from smart home devices simply by being in the area. Researchers from Florida International University found that a hacker inside or near a house can passively pick up signals about the state and actions of smart home devices.
Moreover, two separate studies of malware epidemiology suggest a large number of Wi-Fi routers in urban areas are vulnerable to cyberattacks. A 2017 study predicts 34 percent of routers in Washington, D.C., are open to malware attacks, while an older study from 2009 found 10 to 55 percent of these devices in Chicago, Boston, New York City, San Francisco Bay Area, Seattle, and Northern and Southern Indiana can be accessed.
“All of these devices utilize wireless communication protocols like Wi-Fi, Bluetooth, Zigbee,” said Selcuk Uluagac, a computer figurative researcher at Florida International University, who did not participate in Enck’s study. “These are all over-the-air communication methods, so anyone can passively listen, collect information and analyze it.”
In addition to determining what types of devices are being used, whether that’s a smart doorbell or coffee maker, hackers can use this information to create a profile of how and when users are activating their devices. For example, you can track a smart lock to figure out when residents are at home or away.
“We show that it’s really relatively easy to understand the activities of people,” Uluagac said. “You can infer the activities inside a private home, and you can profile people’s lives.”
Smart home devices can be deactivated without notifying users
During a break-in, smart home devices could be remotely disarmed, preventing them from functioning and capturing valuable information about the intruder. Here’s how.
Normally, smart home devices send continuous messages called heartbeats to report on their connectivity. These heartbeat signals relay that the device is online and working properly.
When a person breaks into a home with smart security devices, say a motion sensor picks up a movement or a smart door is unlocked, it triggers what’s known as a telemetry event. This alert, which is independent of the heartbeats, tells the owner something has gone wrong.
Enck’s research shows that hackers can upload malware that allows heartbeat signals to pass through, but blocks these security alerts. The user wouldn’t receive a notification, believing that the device is still online and properly functioning.
“Sending these heartbeat messages is different from the way that it sends the notification of a motion or that the state of a lock, for example, has changed,” Enck said. “We’re able to suppress the event occurrence, but allow those heartbeats to go through.”
Additionally, a smart door lock could be disconnected from the Wi-Fi, and even if the owner realized the door was unlocked, they wouldn’t be able to lock it remotely without a connection.
“These smart home security devices make the assumption that they always have Internet connection,” Enck said. “But that assumption can fail, and information may be lost.”
These security lapses could mean that a hacker would be able to prevent cameras from recording any video evidence that could be useful for a later trial.
“You would not be able to get proper sequence of the events and valuable forensic information that you would otherwise be able to get,” Uluagac said.
This research isn’t the first sign that smart home devices have left owners at risk. Back in 2017, researchers found that Amazon Key, an Amazon device that lets delivery workers remotely unlock your front door when your package arrives, could be temporarily knocked offline, disabling the camera to your front door. Someone could then slip in, undetected.
How smart security devices can improve
Enck and Uluagac were both optimistic about the future of smart home devices, but they cautioned consumers to be aware of the products’ downsides and to look out for future updates.
Smart devices are “monitoring what’s going on, informing the user. But that’s not going to stop a burglary,” Enck said.
Enck sent his findings to manufacturers in hopes that they would solve the devices’ design problems. He suggested linking the devices’ heartbeat signals to telemetry events, so the user would be notified if the device appeared online but was missing state changes.
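The sketch below is an added example, not code from the study or from any manufacturer, of the fix Enck suggested: each heartbeat carries the device's running count of state changes, so the server can tell when a device looks online but events never arrived. The device name, key, message format and the HMAC used to authenticate the heartbeat are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed per-device key; assumed to be provisioned when the device is paired.
DEVICE_KEYS = {"front-door-lock": b"constructed-demo-key"}

def sign_heartbeat(device_id, events_sent, key):
    """Device side: bind the running event count into the heartbeat."""
    msg = f"{device_id}|{events_sent}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Monitor:
    """Server side: cross-check heartbeats against the events actually received."""
    def __init__(self, keys):
        self.keys = keys
        self.received = {}  # device_id -> event sequence numbers that arrived
        self.reported = {}  # device_id -> gaps the user was already told about

    def on_event(self, device_id, seq):
        self.received.setdefault(device_id, set()).add(seq)

    def on_heartbeat(self, device_id, events_sent, tag):
        """Return a list of alerts; an empty list means nothing is missing."""
        key = self.keys.get(device_id)
        expected = sign_heartbeat(device_id, events_sent, key) if key else ""
        if not hmac.compare_digest(tag, expected):
            return [f"{device_id}: heartbeat failed authentication"]
        seen = self.received.get(device_id, set())
        missing = set(range(1, events_sent + 1)) - seen
        new = sorted(missing - self.reported.setdefault(device_id, set()))
        self.reported[device_id] |= missing
        if new:
            return [f"{device_id}: online but state changes {new} never arrived"]
        return []

def demo():
    """Constructed scenario: event 1 arrives, events 2 and 3 are lost."""
    dev, key = "front-door-lock", DEVICE_KEYS["front-door-lock"]
    mon = Monitor(DEVICE_KEYS)
    alerts = []
    mon.on_event(dev, 1)  # lock event delivered normally
    alerts += mon.on_heartbeat(dev, 1, sign_heartbeat(dev, 1, key))
    # Unlock and door-open events never reach the server; the heartbeat does.
    alerts += mon.on_heartbeat(dev, 3, sign_heartbeat(dev, 3, key))
    return alerts
```

A production check would also allow a short grace period before alerting, since an event can legitimately arrive just after the heartbeat that counts it.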