It's called lateral privilege escalation – and it's the next big thing for hackers
When we talk security – and we mean the cyber security of our homes – most of us envision Bond-film-level hackers in dark rooms, expertly exploiting our cameras, alarms, and door locks.
But as smart devices become enmeshed in digital ecosystems – Nest, Google Assistant and Alexa to name but a few – even one weak link can leave all devices open for attack. And new research shows it’s our smart lightbulbs and connected coffee makers that could be leaving our homes at risk.
A team of computer scientists from the College of William & Mary tested the security of several smart home products currently on the market, and found significant vulnerabilities that may mean tech companies need to rethink the way their devices interact.
The team looked at an attack called “lateral privilege escalation”, which compromises a low-stakes device or app to gain access to a high-stakes device like a security camera. The results reveal flaws, not necessarily in the devices themselves, but in the architecture of platforms that serve as the central hub of the smart home.
And while all too often these vulnerabilities are found on no-name devices owned by a handful of people, the research team found issues that require improvement in both Philips Hue and Nest products during their evaluation.
“It’s a software problem that spills into the physical environment, and it isn’t something you can immediately fix,” said study author Adwait Nadkarni, assistant professor of computer science at William & Mary. “If you don’t secure these low-security devices, even indirect communication between these two devices can put your smart home at risk.”
Nadkarni and his colleagues used a simulated smart home setup where they connected multiple devices to a smart home platform, and saw how far the attacks could go. With over 20 billion smart home products projected to be in use by 2020, their work has far-reaching implications for users’ physical safety. The study has been accepted to the Association for Computing Machinery (ACM) Conference on Data and Application Security and Privacy and will be presented in March 2019.
Infiltrating your routines
Home automation is driven by the implementation of routines, which are sequences of app and device actions that are executed upon one or more triggers. For instance, when you turn on the alarm system before leaving the house, you can program your smart thermostat to automatically turn off to save electricity. Smart home platforms such as Google’s Works with Nest, Samsung SmartThings, and Philips Hue keep track of all connected devices and their states via variables in a centralised data store.
“A presence sensor will indicate whether a user is at home and adjust that variable in the centralised data store accordingly,” said Nadkarni. “Then the rest of the devices will react any way you want them to when you are at home – the lights turn on, thermostat turns up, etc – but in some cases, these variables can be exploited.”
As an example, hackers could compromise a low-security device like your lights, which happen to have access to the presence variable. If they change its state to falsely tell the platform that you are home when you’re really miles away on holiday, the attackers could alter the actions of high-security devices like cameras and door locks.
The researchers found that routines supported by Nest allow low-security devices and apps to indirectly modify the state of high-security devices by modifying the shared variables they both rely on. They were able to perform a lateral privilege escalation by compromising the Kasa app, indirectly changing the state of a variable, which turned off the Nest security camera.
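The indirect path described above can be audited for by checking which shared variables are writable by low-security apps and also trigger routines on high-security devices. The following is an added example, not code from the study or from any platform; the device names, variables, trust levels and routines are constructed assumptions.

```python
# Constructed model of a smart home platform's centralised data store.
# All device, app, variable and routine names are illustrative assumptions.
from dataclasses import dataclass

HIGH, LOW = "high", "low"

@dataclass(frozen=True)
class Routine:
    name: str
    trigger_var: str     # shared variable the routine watches
    target_device: str   # device whose state the routine changes
    action: str

# Trust level assigned to each device or app (constructed).
TRUST = {"security_camera": HIGH, "door_lock": HIGH, "presence_sensor": HIGH,
         "light_app": LOW, "coffee_maker": LOW}

# Principals holding write permission on each shared variable (constructed).
WRITERS = {"home_away": {"presence_sensor", "light_app"},
           "brew_ready": {"coffee_maker"},
           "lock_mode": {"door_lock"}}

ROUTINES = [
    Routine("camera_off_when_home", "home_away", "security_camera", "turn_off"),
    Routine("lights_on_after_brew", "brew_ready", "light_app", "turn_on"),
    Routine("unlock_when_home", "home_away", "door_lock", "unlock"),
]

def escalation_paths(trust, writers, routines):
    """Return (low_writer, variable, routine, high_target) tuples where a
    low-trust principal can write a variable that drives a high-trust device."""
    paths = []
    for r in routines:
        if trust.get(r.target_device) != HIGH:
            continue
        for w in sorted(writers.get(r.trigger_var, ())):
            if trust.get(w, LOW) == LOW:  # unknown principals count as low trust
                paths.append((w, r.trigger_var, r.name, r.target_device))
    return paths

def restrict_writers(trust, writers, routines):
    """Mitigation sketch: remove low-trust write access from any variable
    that triggers a routine on a high-trust device."""
    guarded = {r.trigger_var for r in routines if trust.get(r.target_device) == HIGH}
    return {v: ({w for w in ws if trust.get(w, LOW) == HIGH} if v in guarded else set(ws))
            for v, ws in writers.items()}

if __name__ == "__main__":
    for p in escalation_paths(TRUST, WRITERS, ROUTINES):
        print("indirect path:", " -> ".join(p))
```

In this constructed setup the lighting app never touches the camera or lock directly; the audit flags it only because it shares write access to the presence variable with the presence sensor.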
“If things continue as they are, the number of security problems will increase exponentially as people add more devices to their smart homes,” said study author Denys Poshyvanyk, associate professor of computer science at William & Mary. “However, if some systematic efforts are made to redesign these platforms with security in mind, these attacks can be prevented – but it would require the adoption of some common standards by these companies.”
Several of the companies mentioned in the study, including Google and Philips, have confirmed to Nadkarni and Poshyvanyk that their engineers are looking into these security issues. Joshua Meyer, an associate security analyst at consulting firm Independent Security Evaluators, who was not involved in the study, believes that manufacturers must consider security from the earliest design stages of a product or platform. But he also acknowledges that third-party apps can introduce unexpected security risks to the network.
“Each application or device that they do not control can introduce security risks to the network. The smart home realm is problematic in this regard as multiple devices from multiple manufacturers are expected to function cooperatively,” said Meyer.
“Smart home platforms must anticipate the inherent insecurity of some devices and provide strong security controls for the other devices on a network.”
Of course, tech companies are fighting on all fronts to secure smart home devices. While illegal access of devices is one matter, the enslavement of devices as part of botnets is quite another – and a well-documented threat for the coming years. It shows that, as Meyer concluded, it’s crucial that those in charge of the ecosystems running in our homes are as focused on security as they are on new features.