Security dealers increasingly are offering smart home devices such as smart lighting control, smart thermostats and smart door locks to their customers. By taking the right precautions, dealers can help ensure that those devices enhance the customer’s lifestyle without posing cyber security vulnerabilities.
While the focus of this article is specifically on cyber security for smart home equipment, it’s important to note that there also may be vulnerabilities related to the security system to which the smart home equipment may be connected — a topic addressed in the sidebar titled, “How Secure Are Wireless Security Devices?” on page 76.
Potential cybersecurity vulnerabilities related to smart home equipment fall into three main areas: wireless communications, passwords/user codes, and the security of the customer’s router/broadband modem.
Smart home devices such as smart door locks or smart thermostats may use Z-Wave, Zigbee or Wi-Fi wireless communications.
Ross Werner, chief architect for San Jose, Calif.-based security and smart home equipment manufacturer Qolsys Inc., explains the cyber security protections provided by each of these protocols. “Z-Wave devices fall into two categories: secure (access devices such as door locks) and non-secure (light switches, thermostats, etc.). Secure Z-Wave devices use 128-bit AES encryption; this is what financial institutions and governments use to protect sensitive data. It is built-in, always-enabled, not even possible to be disabled,” Werner explains.
Encryption helps prevent an unauthorized user from using a “sniffer” device to listen to communications in order to learn passwords or other sensitive information.
“Z-Wave also benefits from an explicit pairing process where the network controller has to sync with a new device and exchange security keys,” Werner continues. “The latest version of the Z-Wave [software development kit] is fully encrypted.”
Zigbee is a bit more complicated because each one of multiple vendors has implemented its own version of the networking stack. Overall, though, “if you look at Zigbee 3.0, with proper implementation, its security is comparable to Z-Wave; it also uses 128-bit AES and has a pairing process between devices to the network controller,” Werner says.
Ensuring Wi-Fi security “requires first enabling a robust security protocol and then strong passwords to keep the communication secure,” according to Werner.
Dave Mayne, vice president of product management for Hudson, Wis.-based manufacturer Alula, notes that most Wi-Fi smart home equipment has encryption as a default setting. A bigger concern, he says, is whether an unauthorized Z-Wave device might be able to connect to a Z-Wave network.
Devices used with Alula and some other smart home systems have a feature that requires the passing of secure software keys — which Mayne says could be thought of as device passwords — back and forth between the system and any device that wants to join the network.
According to Mayne, “not all manufacturers do that well.” Accordingly, he advises dealers to ask the manufacturer of any smart home equipment what that manufacturer does to make sure that only trusted devices can join the network.
As for encryption of wireless protocols, Mayne comments “You’re always playing a game — hackers try to break [encryption], you enhance it and the hackers try to break it again.”
Recognizing that, dealers will want to keep up with new developments in encryption technology and when appropriate, consider replacing or, if possible, upgrading existing devices so that they have the most current technology.
How Secure Are Wireless Security Devices?
Ironically, potentially the least secure portion of an integrated security and smart home system is not the smart home portion of the system, but rather the security portion.
According to Mike Hackett, senior vice president of sales and marketing for Qolsys, some of the proprietary protocols that manufacturers use between wireless sensors and the control panel are unencrypted.
Traditionally, this was not a major concern, he explains. “Ten years ago, it would take a really smart person with a really gigantic server” to “pull up to someone’s house,” listen in on communications between elements of the security system and determine how to gain entry to the system, Hackett observes.
In today’s world, however, he notes that “there’s a simple radio you can buy on eBay or Amazon” which, when combined with watching a video on YouTube, can give almost anyone the ability to crack into unencrypted security system communications.
Communication between individual elements of an alarm system can be fairly infrequent, but according to Hackett, a potential burglar could hide a sniffer device in a bush near a home targeted for a heist and return a week or so later to gain the necessary information.
Some security manufacturers — including Qolsys, Alula and others — are now encrypting wireless security system communications and some offer retrofit kits for existing systems that may lack encryption. Retrofit kits may enable security dealers to replace only the radio portion of the existing panel, Hackett explains. To minimize upgrade costs, dealers may consider only replacing particularly critical sensors such as wireless key fobs and door/window contacts, he notes.
Advising customers about options such as these could be an important task for security dealers, considering that a recent Parks Associate survey conducted for Qolsys found that 64 percent of professionally monitored security system owners believe their home security system uses encrypted communications from the sensors to the panel, even though the percentage likely is considerably lower.
“Proprietary protocols used in various security products have varied in the degree of protection they provided, from highly rigorous to much less so,” comments Brad Russell, Connected Home research director for Parks Associates.
User Codes & Passwords
According to Helen Heneveld, president of Holland, Mich.-based Bedrock Learning and author of SDM’s Smart Insights column, the most common vulnerabilities associated with home control systems relate to user codes and passwords. It’s critical for the default passwords on any home control devices that use passwords to be changed.
What malicious actors could do if they were to obtain the password to a home control device varies, depending on whether the device communicates with the security system, Heneveld explains, but one possibility is they might be able to unlock doors or windows.
Heneveld recommends that security dealers offer a password management service to their home control customers to keep track of client passwords and help ensure that those passwords are changed regularly. Homeowners see security dealers as trusted suppliers, Heneveld argues, and by offering password management, dealers not only gain a potential source of recurring monthly revenue (RMR), they also “reaffirm the trust” that customers have in them.
Some industry stakeholders have a bit different take, however. Noting that many systems are controlled via an app installed on the customer’s smartphone or through a computer, Nick English, national sales manager for Kwikset Corp., Lake Forest, Calif., recommends that the installer show the customer how to change the password using the app but should avoid knowing the password, instead turning responsibility over to the customer to enter the password into the system.
Using an app that requires customers to use a longer-length password that includes a combination of special characters and upper- and lower-case letters or advising customers to use such a password also can enhance cyber security.
English offers other advice for what security dealers should tell customers when turning a newly installed smart home system over to the customer. He notes, for example, that Kwikset smart door locks can support as many as 30 user codes, but he advises dealers to discourage customers from assigning more of them than they need. He also encourages dealers to inform customers that they can limit the hours during which an individual user can access the system.
“If you have a dog walker and you give them their own user access code, maybe you only make it available during certain times and not on weekends,” English suggests.
The Role of the Router
Some smart home cyber security vulnerabilities originate in a device that typically is not under the security dealer’s control — the broadband modem/router from the cable or phone company or other Internet provider.
“Right now, I think that’s kind of a hands-off area,” comments Mayne, who notes that security dealers don’t want to be accused of changing something on the router that causes some type of problem for the customer.
Nevertheless, routers could have cyber security vulnerabilities if certain software is out of date, if default passwords haven’t been changed, or for other reasons. One important potential vulnerability is if software ports on the router have been left open, which also leaves open the possibility that a malicious actor might gain entry to the network through an open port.
“If they can get to the router, maybe they can get to your laptop,” observes Mike Hackett, Qolsys senior vice president of sales and marketing — and that might enable a malicious actor to get to banking records or other sensitive information.
Mayne advises security dealers to consider offering a monitoring service for the router, a move that could enhance smart home cyber security while at the same time provide a new source of RMR. If the monitoring service were to detect potential security vulnerabilities in the router, the dealer could advise the customer to raise the issue with his or her Internet provider. He points to Fing, Bitdefender and Cujo as possible providers of such software.
Mayne adds, though, that there are some instances in which a smart home system could introduce potential vulnerabilities. Whether or not this could occur relates to how the dealer’s equipment manufacturer implements remote smartphone control, according to Mayne.
The most secure method, he says, is via a cloud connection. With this approach, if a malicious actor were to gain access to the customer’s account by somehow obtaining or guessing the user’s password, he or she would not be able to gain access to the customer’s home network but only to the cloud interface. Mayne advises dealers to avoid using products that rely on a direct connection to the customer’s home network for remote access.
A Cyber Security Tool for Security Dealers
Security dealers that are members of the Consumer Technology Association may find an interactive tool developed by CTA to be useful in gauging the cyber security of a smart home installation. The tool steps the dealer through a series of questions and, based on those answers, provides a score to indicate the cyber security level of the installation. A checklist that looks at the same issues is available to members and non-members on the CTA site at this link:
Dealers also may want to make cyber security part of their ongoing dialogue with their customers.
“We make it a habit to routinely educate/inform our customers of the best security measures they themselves should take: at the point of sale, during/after installation and on an ongoing basis via phone calls, emails and blog postings,” comments Heather Spencer, coordinator of marketing and social media for GHS Interactive Security, a security dealer based in Woodland Hills, Calif.
Those tips, she notes, include:
- Create strong passwords.
- Avoid using the same password for multiple log-ins.
- Change passwords often.
- Secure the property’s wireless network and cloud-enabled devices with a firewall.
- Use a regularly updated anti-virus program across all computers and make sure all computers and networking equipment are patched regularly.
- Ensure equipment firmware is updated on a regular basis.
- Only purchase security equipment from a trusted source.
Adding smart home capabilities can enhance customers’ experiences with their security systems and boost dealer revenues. Keeping cyber security top of mind can help ensure that customers have a positive experience with their smart home systems and may even provide additional revenue opportunities in the form of password management and monitoring of customers’ home networks.
For more information about cyber security of security technology, visit SDM’s website where you will find the following articles:
“Cyber Security & Its Impact on Operational Technologies”
“Cyber Security & the Internet of Things”
“Cyber Security & IP Cameras: Everyone’s Concern”
“The Seeming Paradox of Cybersecurity”
“Cyber Security Threats, the IoT and Preparing for the Zombie Apocalypse”
“The Brave New World of Cybersecurity and the Security Integrator’s Role In It”