Asking The Security Question Of Home Automation
“Security” is the proverbial dead horse we all love to beat when it comes to technology. This is of course not unfair – we live in a technological society built with a “security last” mindset. There’s always one reason or another for this: companies need to fail fast and will address security once a product is viable, end users will have a harder time setting up and using if systems are secure or encrypted, and governments/law enforcement don’t want criminals hiding behind heavily secured systems.
That’s an argument I don’t want to get into. For this discussion, let’s all agree on this starting point for the conversation: any system that runs something of value needs some kind of security, and the question is how much security makes sense? As the title suggests, the technology du jour is home automation. When you manage to connect your thermostat to your door locks, lights, window shades, refrigerator, and toilet, what type of security should be part of the plan?
Join me after the break for a review of several home automation security issues. This article is the third in our series — the first asked What is home automation and the second discussed Software interruptions we face.
They are all inspired by the Hackaday Prize Automation Challenge. Document your own automation project by Monday morning to enter. Twenty projects will win $1,000 each, becoming finalists for a chance at the grand prize of $150,000. We’re also giving away Hackaday t-shirts to people who leave comments that help keep this discussion going, so let us know what you think below.
I am the Keymaster. Are you the Keeper?
Worldwide security is what comes to most people’s minds when they talk about technology. Is there a risk of someone opening your garage door, turning off your furnace, or watching a video of your baby? I feel this is a solved problem: every home should have a properly secured router for its LAN — the same goes for home automation. It must be a walled garden.
If you’re with me on that thought, it becomes a standards issue. WiFi devices work with different hardware and around the world, offering reliable connections and robust security. But as we heard in many of the comments on the last article, WiFi isn’t really ideal for home automation, so other protocols like Bluetooth and Z-Wave have been used.
Software defined radio has become affordable and easy – you’d think we could come up with a spec that adds a home automation router between your walled garden and your internet router that uses SDR to talk to all the devices. But who will do the job (IEEE was declared defunct last time) and what will drive industry adoption? Does anyone know how WiFi came to be adopted and what happened to the competitors that weren’t?
Does your bulb need encryption?
There’s nothing quite like a simple light bulb to highlight how sticky this topic is. Elliott Williams and I have been debating the ons and offs of home automation security for a few months now and keep coming back to the same question. If your system is protected from the wider internet, should every device be encrypted?
First, WiFi and Z-Wave already have encryption built into the specification. If you’re using a Flux smart light bulb, your neighbors won’t be sniffing your packets without that horribly complicated WPA2 password you’re using. But does this bulb really need to be encrypted? What if your light bulb is on 433 MHz and only listens for on and off commands from the hub? How secure should this be?
I am of the opinion that critical automation tasks should never be able to be triggered remotely. For example, you should be able to turn off your stove remotely, but not turn it on. You should be able to remotely set your furnace to a reasonable temperature or vacation mode, but not turn it off. It’s fine for your house to be 50F in the winter and 85F in the summer, but you shouldn’t be able to shut it off while you’re out so the pipes freeze or pets die. What protection do we need from someone parked at the curb turning your lights on or off?
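The rule in the paragraph above, that a remote command may only move a device toward its safe state, sketched as a hub-side check. This is an added example, not code from the article: the device names, action names, the `origin` tag and `authorize` are hypothetical, and it assumes the hub can reliably tell a physical control from a network command.

```python
from dataclasses import dataclass
from typing import Optional

# Bounds taken from the 50F / 85F figures in the paragraph above.
MIN_SETPOINT_F = 50.0
MAX_SETPOINT_F = 85.0

# Remote allow-list (device and action names are hypothetical): only actions
# that move a device toward its safe state. Anything not listed is denied.
REMOTE_ALLOWED = {
    "stove": {"off"},
    "furnace": {"set_temp", "vacation"},
}


@dataclass(frozen=True)
class Command:
    device: str
    action: str
    origin: str                      # "local" = physical control at the device
    value: Optional[float] = None    # setpoint in degrees F for "set_temp"


def authorize(cmd: Command) -> tuple:
    """Return (allowed, reason) for one command arriving at the hub."""
    # Only an explicit "local" origin bypasses the remote policy; a missing
    # or unrecognised origin is treated as remote (fail closed).
    if cmd.origin == "local":
        return True, "local control"
    allowed_actions = REMOTE_ALLOWED.get(cmd.device)
    if allowed_actions is None:
        return False, "device has no remote actions"
    if cmd.action not in allowed_actions:
        return False, "action not permitted remotely"
    if cmd.action == "set_temp":
        if cmd.value is None:
            return False, "setpoint missing"
        # A NaN value fails the range comparison, so it is rejected as well.
        if not (MIN_SETPOINT_F <= cmd.value <= MAX_SETPOINT_F):
            return False, "setpoint outside safe range"
    return True, "permitted remote action"


if __name__ == "__main__":
    # Constructed sample commands.
    for c in (Command("stove", "off", "remote"), Command("stove", "on", "remote"),
              Command("furnace", "set_temp", "remote", 40.0)):
        print(c.device, c.action, c.origin, authorize(c))
```

Because the allow-list is deny-by-default, a device type added to the hub later has no remote actions until someone decides which of them are safe.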
The weakest link
The last concern I would like to hear from you about is the weakest link issue. If we build our walled garden to protect our devices from the big bad internet, are we opening up a local attack vector for our entire system? Can you sit at the curb, tamper with my light bulb, and access sensitive documents on my server thanks to home automation devices that are trusted on the LAN?
We want to hear from you. What is a reasonable level of security to aim for as we build home automation on every block and boulevard? What did I miss above and how do we plan for the unexpected?