Archer

They’re attacking the brain of your smart home (or office)

It can happen automatically.

A smart device that turns all your lights off when you leave or checks to see if you left any doors or windows unlocked.

So convenient!

But adding and connecting more smart things to your house can cause new and unexpected problems — and let the bad guys in.


 

Super-Convenience

A smart home can get to know you pretty well.

A cooker that starts roasting your chicken an hour before dinnertime.

Lights that turn on when it gets dark outside.

An alarm system that turns off when it detects your phone at the house — meaning, you’re at home.

Even a self-cleaning toilet that scrubs itself every Saturday at 9 am!

But this super-convenience may come at a price.

We keep adding new devices, but we might not be paying enough attention to security and how the devices connect.

“As you get more and more of these devices, it becomes a complex environment. And they work together in ways that people could exploit or could cause you problems,” said Greg Young, vice president of cybersecurity for security company Trend Micro.

Chicken Attack

But what’s the risk?

Surely the bad guys don’t care about your home appliances.

What would they want — to overcook your chicken?

“If somebody really hates chicken, that could be one of them,” joked Young in an interview with Archer News.

“It’s not just turning on your coffee pot or roasting your chicken too long,” he explained. “There’s a lot of data that you’re handling in there now that becomes sensitive.”

That includes your bank account numbers, credit cards, tax info, passwords and sensitive work data.

But that’s not all.

“There’s this sort of central brain thing that controls all these devices as they get more complex,” Young said. “Those now are a great place to attack. So, why should I bother going to attack individual things if I can get the brain of the house? I can then own the house and I can do things.”

 

Smart locks allow you to control doors from your phone, though researchers found security gaps. Image: Trend Micro Research

Brain Power

Attack the brain, and you can change the rules that run the house.

For example, locking up your house.

You can set your doors to unlock when your phone comes in close range, not unlike keyless entry systems for cars.

But researchers with Trend Micro tried an experiment.

They hacked into the brain of a house and changed the door rule.

Now, the house will unlock its door when the security camera sees motion in the back yard.

The attacker can simply walk up, open the door and go right in.

 

In this simulated smart home attack, a researcher hacks locked doors to allow him to walk in. Image: Trend Micro Research

 

“When we’re designing and building our smart homes, you need to make sure this never happens,” said Trend Micro researcher Numaan Huq in a presentation at the 2019 RSA conference in San Francisco.

“You make these rules and they work and you’re happy that they work,” said fellow researcher Stephen Hilt. “You don’t really go back and revisit them.”

“Alexa, Unlock”

In another experiment, the researchers visited a colleague’s smart house in Germany.

If someone breaks into the house, the alarm will sound and the blinds will go up, so everyone can see what the bad guy’s doing inside.

The owner turns on the alarm by voice command when he leaves.

But the researchers found a way to trick the voice assistant into telling the smart home to turn off the alarm.

“This is a home assistant and there is a text-to-speech option,” Hilt said. “You can type whatever you want in there and it will make the speaker say that.”

“I didn’t actually need to be in the house to do this, if the system is exposed in a way I could get to it,” said Huq.

The owner may be out thinking his home is buttoned up tight.

But it’s really wide open for business — of the worst kind.

 

Researchers carry out a simulated attack on a smart home in Germany. Image: Trend Micro Research

Smart Home Security

What can we do?

Pay attention to your security at home. Many people don’t!

Start with your router.

—Change the default username and password that comes on your router — and on every smart device in the house.

—Choose WPA3 on your router to encrypt or protect your communications.

—Use strong passwords — and different ones for every device. Store them in a password manager so you don’t have to remember them all.

—Check the rules you set up for your smart home to see if anyone’s changed them.

—Shop for smart devices that mention security instead of just automatically buying the cheapest device you can online.
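
One way to do that rule check, as an added example (it is not from the Trend Micro research or the original article): save a known-good copy of your automation rules, then compare the current rules against it and flag any rule where something an outsider can trigger leads to unlocking a door or disarming the alarm. The rule format, trigger names and action names below are hypothetical; adapt them to whatever your hub exports.

```python
import hashlib
import json

# Constructed sample rules in a hypothetical trigger/action format.
BASELINE = [
    {"id": "front_door_unlock", "trigger": "phone_in_range", "action": "lock.unlock"},
    {"id": "evening_lights", "trigger": "sunset", "action": "light.turn_on"},
    {"id": "alarm_on_leave", "trigger": "voice_command", "action": "alarm.arm"},
]
CURRENT = [
    # Same rule id as before, but the trigger has been swapped.
    {"id": "front_door_unlock", "trigger": "camera_motion_backyard", "action": "lock.unlock"},
    {"id": "evening_lights", "trigger": "sunset", "action": "light.turn_on"},
    {"id": "alarm_on_leave", "trigger": "voice_command", "action": "alarm.arm"},
    # A rule the owner never created.
    {"id": "tts_helper", "trigger": "webhook", "action": "alarm.disarm"},
]

# Actions that open the house up, and triggers that someone outside can cause.
SENSITIVE_ACTIONS = {"lock.unlock", "alarm.disarm"}
UNTRUSTED_TRIGGERS = {"camera_motion_backyard", "motion", "webhook", "voice_command"}


def fingerprint(rule):
    """Stable SHA-256 over the rule's canonical JSON form."""
    return hashlib.sha256(json.dumps(rule, sort_keys=True).encode()).hexdigest()


def diff_rules(baseline, current):
    """Return the ids of rules added, removed or changed since the baseline."""
    old = {r["id"]: fingerprint(r) for r in baseline}
    new = {r["id"]: fingerprint(r) for r in current}
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(i for i in old.keys() & new.keys() if old[i] != new[i]),
    }


def risky_rules(rules):
    """Ids of rules where an untrusted trigger drives a sensitive action."""
    return sorted(
        r["id"] for r in rules
        if r["action"] in SENSITIVE_ACTIONS and r["trigger"] in UNTRUSTED_TRIGGERS
    )


if __name__ == "__main__":
    print(json.dumps(diff_rules(BASELINE, CURRENT), indent=2))
    print("review these rules:", risky_rules(CURRENT))
```

Run it on a schedule against a fresh export of your rules; any output other than an empty diff means a rule changed since you last approved it.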

Learn More

Trend Micro has more advice in their report.

You can also learn more from Symantec’s “12 tips to help secure your smart home and IoT devices” and “How to Secure Your (Easily Hackable) Smart Home” from Tom’s Guide.

Not Just At Home

Attackers can do this same sort of thing to businesses and smart buildings on a larger scale.

“Our labs were homes,” said Hilt. “But the same stuff is being used in corporations, garages, industrial settings.”

Researchers with McAfee recently announced that they had found a zero-day flaw in a building management system that controls things like heating and air conditioning.

Forescout researchers said they found security holes in building automation systems, many in schools and hospitals.

Cyber attackers hit the environmental control systems in two apartment buildings in Finland in the winter of 2016, shutting down the heat and hot water.

“The more we automate it, the more we introduce some issues,” Huq said. “Today’s society is adopting connected technologies at a faster rate than we can secure them.”

“It’s a complexity issue. The systems are becoming more and more complex. The way we’re approaching it may need to change a little bit,” said Hilt.

 

Main image: Simulated attack on locked door of smart home. Image: Trend Micro Research


