The smart home (or ‘connected home’) describes how the as-built home environment becomes equipped with modern automation systems to provide a practical way of controlling electronic devices for the consumer. In recent years, a range of smart home devices has emerged, which are connected to the Internet of Things. Does this connectivity present a cybersecurity risk?
According to Alex Vaystikh, the smarter devices become, the riskier they become. The consultant argues that regulation and reliability are needed. Alex is co-founder and CTO of SecBI, which uses machine learning for automated detection and investigation. Alex Vaystikh explains more to Digital Journal.
Digital Journal: How widespread is the Internet of Things becoming for home devices?
Alex Vaystikh: Extremely. Just as an example, I have at home a security camera from Nest (turned into a Nanny Cam) that is always connected via WiFi, two “smart” light bulbs synced up with the camera to light up at proper times that are also connected to the WiFi (as well as a couple of services that enable the camera and light bulbs to communicate), and a “smart” dishwasher that is connected to my network for no apparent reason — it still is unable to pick up the dirty dishes itself or put them back in place no matter how much I try.
The point is that these things are fairly trivial, they are becoming more popular, and they are all connected to the network. Also, most of them are unmanaged and unmonitored, and will never be patched.
DJ: Is this expansion of the smart home necessary?
Vaystikh: No. But it is inevitable.
DJ: Are there similar risks for businesses?
Vaystikh: Absolutely! The same smart, WiFi-enabled dishwasher is in our office kitchen, and the Smart TV connected to our network has access to the file shares for easy presentation.
However, as a security company, we have carefully isolated these risks so that they cannot spread when (not if) they are exploited. Many companies are completely unaware of these risks.
DJ: Do connected devices pose a security risk?
Vaystikh: Yes. These devices are directly connected to the network, running outdated software on top of an operating system that does not allow proper management. Finding a vulnerability in them is easy, and once it’s found, it provides immediate access into the entire corporate network.
DJ: How easy are such devices to hack?
Vaystikh: Short answer: Very easy! A quick search will reveal how many Android devices have been compromised, and how many Smart TVs that also run Android have been turned into paperweights because a malicious app was installed on them. Only a few months ago, a “Smart Aquarium” was used to exfiltrate 10 gigabytes from a very large casino.
DJ: Why would hackers engage in this activity?
Vaystikh: It’s extremely easy to find a vulnerability, and that vulnerability will survive for the whole lifecycle of the device, allowing access to any location that has that device.
DJ: What can be done to better protect devices?
Vaystikh: Monitoring, isolation, and pushing for regulation. SecBI, for example, provides visibility into what those devices are doing, helping their owners to ensure they are behaving properly and, when they aren’t, ensuring that they do not pose a risk.
DJ: Is there anything additional that consumers can do?
Vaystikh: Buy from highly reputable brands that are held liable for leaving devices unwatched.
DJ: Is regulation required?
Vaystikh: Absolutely! Many organizations such as Microsoft, Apple, and Google are pushing for better regulation. But this is very difficult because most manufacturers are either abroad, or small startups that do not prioritize security. On the bright side, all of these vendors, including Intel, are building cheap scaffolding of both hardware and software, on top of which makers can build their devices and possibly gain easy patching and management capabilities. This is a very, very long way ahead, but a journey starts with small steps and that’s good!
