BreachExchange mailing list archives

How The Internet Of Things Is Making Our Homes Smarter (And Easier to Hack)


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 11 Sep 2013 19:57:27 -0600

http://www.kpbs.org/news/2013/sep/11/how-internet-things-making-our-homes-smarter-and-e/

First it came to our computers. Then it was on our phones. Fast
forward to the present, and the Internet seems to be everywhere,
connecting everything to everything else.

These days, the Internet seems to be everywhere, connecting everything
to everything else. That can make our daily routines a lot easier, but
sometimes, it can also make it easier for hackers to invade our
privacy.

As more and more of our stuff gets tied into the web, our daily
routines are getting easier. However, all this interconnectedness can
also make it easier for hackers to invade our privacy, control our
devices and even get inside our homes.

We've dreamed of being able to remote-control all the stuff in our
homes for a while now. Remember The Clapper? It was a plug-in sound
detector that promised users the luxury of being able to, "Turn on a
light as you enter the room!" or "Turn off the TV without getting up!"

The Clapper never fully caught on, though it got a lot of applause.

But in the past few years, the dream it embodied has quickly become a
reality. Now that almost anything can be connected to the Internet,
savvy homeowners can set up their lights, air conditioning and sundry
other appliances to be controlled remotely and centrally, often right
on their smartphones.

"I'm a geek. I like playing with things," said IT professional Joel
Griffin Dodd. He's about to move his family of three to a new house in
El Cajon and he's planning to outfit their home with all kinds of
smart technology. He's doing it for fun, but also to save money.

"If I can reduce our home energy bills and make things a bit more
convenient, then great, let's give it a go," Dodd said, envisioning a
home that's intuitive, more user-friendly and smarter.

The trouble is, smarter doesn't always mean safer.

"More things are coming online, but people are understanding less and
less about the technology behind these devices," said John Matherly, a
San Diego programmer well aware of just how unsafe this emerging
"Internet of Things" can be.

While studying at Mesa College and later at UC San Diego, Matherly
spent his free time building a search engine called Shodan. It's not
your typical Google copycat. Google searches through all the websites
on the Internet to find the information you're looking for, but the
Internet isn't just a collection of websites. It's also a collection
of things.

These days, that includes things like thermostats, refrigerators,
light bulbs, garage doors, sprinklers, front door locks, baby
monitors, traffic lights, fancy Japanese toilets, construction
vehicles, glucose meters, TVs.

"Almost everything nowadays that you have in your house" can be
connected to the Internet, says Matherly. "Except for furniture."

That's what Shodan searches for: physical stuff. If it's connected to
the Internet, Shodan finds it, and it finds out how secure those
things are.

Shodan users have found some pretty shocking things. Perhaps the most
alarming discovery was the operating system for an entire
hydroelectric plant in France. If that had fallen into the wrong
hands, it could've been manipulated to crash the local power grid or
flood a small town.

"Shodan has been called the scariest search engine on the Internet,"
Matherly said with a hint of pride. "And I can understand why they
think that."

Lucky for us, Shodan is overseen by a good guy. Matherly uses it to
warn people about insecure devices, not to exploit them, but when
Matherly took me on a spin through Shodan, I must admit I was a little
freaked out.

"Let's say you want to find some home automation devices," he
proposed, pulling up Shodan and typing "Insteon" into the search bar.

I ask Matherly what Insteon does.

"Everything in your house, you can connect to the Insteon Hub," he
explains. "And the Insteon Hub lets you manage all of them."

It's basically the command and control center of a house. And Matherly
just located one in Oceanside, completely unprotected and publicly
accessible on the Internet. He clicks on it, never asked to enter a
username or password. Then, we see a screen full of buttons with
labels like "lights" and "garage door."

"Here you have sprinklers—back, side, front," he said. "You could turn
them on and off."

Wait. You mean you could?

"This is a live house," Matherly said, anticipating my question.

I go ahead and ask anyway. "Like, if you clicked 'on' right now, their
back sprinklers would turn on?"

"Yes," Matherly confirmed. "It's completely nuts. I never in my
wildest dreams imagined that when I created Shodan, I'd find people's
houses on the Internet. And you can control things."

So what does Matherly think should be done to keep homes like this secure?

"Insteon probably should do a better job communicating to the end
users that, 'Yes, this is cool, but make sure you do it in a safe
way.'"

But Joe Dada, CEO of Insteon, said, "We typically don't force our
users to any level of security."

Dada says it's mostly the older Insteon products that have security
issues. Newer Hubs require a username and password.

Either way, he said it's the customer's responsibility to keep their
own homes safe.

"You know, the Internet is a dangerous thing," Dada said. He uses
Insteon in his own homes. He even remotely turned the air conditioning
on before heading out to meet me at his Newport Beach home.

"We all need to be careful, whether it's what we're doing on our time
off and putting on Facebook, or if it's the password to your WiFi
network," he said.

One reason manufacturers often don't make their products as secure as
possible is because people like Joel Griffin Dodd, the home automation
enthusiast in El Cajon, don't ask for it. He said he's tech-literate
enough to know how to keep his home safe. Security just isn't a huge
selling point for him.

"It really isn't something that I lie awake at night worrying about,"
Dodd said. "There's always a risk, and hackers are definitely the risk
du jour."

Dada said that if consumers start demanding better security, Insteon
would happily give it to them.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
