This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
This Website Uses Cookies
By closing this message or continuing to use our site, you agree to our cookie policy. Learn More
This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
Subscribe
SDM Magazine
  • Sign In
  • Create Account
  • Sign Out
  • My Account
SDM Magazine
  • Home
  • Magazine
    • Current Issue
    • Digital Editions
    • Archives
    • Monitoring Today
    • Professional Security Canada
  • Products
  • Newswire
  • Exclusives
    • SDM 100 Report
    • Top Systems Integrators Report
    • Annual Industry Forecast
    • State of the Market Series
    • Dealer of the Year
    • Systems Integrator of the Year
    • TMA Monitoring Center Excellence Awards
    • Blog
    • PSA Leadership Institute
  • Topics
    • Trends & Industry Issues
    • Video Solutions
    • Access Control & Identification
    • Smart Home
    • More SDM Topics
  • Columns
    • Editor's Angle
    • 5-Minute Tech Quiz
    • Security & the Law
    • Security Networkings
    • Digital Shuffle
    • Technology @ Work
    • Insider News & Business
    • Today's Systems Integrator
    • Marketing Madmen
    • Sales Stars
    • Smart Insights
  • Events
    • Industry Calendar
    • SDM 100 Gala @ ESX
    • Webinars
  • More
    • Videos
      • ISC West 2018
      • ASIS 2017
    • Photo Galleries
    • Newsletters
    • Classified Ads
    • White Papers
    • Sponsor Insights
    • More Resources
  • Directories
    • Buyers Guide
    • Take a Tour
    • Guide to Distributors
    • Guide to Central Stations & Monitoring
  • Contact
  • Advertise
Home » Smart Home Cyber Security
SDM TopicsSmart HomeTrends & Industry Issues

Smart Home Cyber Security

What dealers need to know to keep their customers cyber-secure.

Obsidian-July2018

Controlling user codes for smart door locks is critical to smart home cyber security.

SmartLink 1-July2018

Strong passwords can help secure the smartphone app that customers use to remotely control their smart home systems.

PHOTO COURTESY OF ALULA

Concerns About Hacking of Smart Products-July2018

Parks Associates data indicate that almost half of U.S. broadband households are “very concerned” (rating 6 to 7 on a 7-point scale) about hackers getting control of connected devices. Consumers are equally concerned about hackers getting access to historical data from those devices. An analysis of changes in these consumer attitudes from 2014 to 2016 finds that the total share of consumers who are “concerned” (rating 5 to 7) has increased by 5 percent on both questions and the share of those “very concerned” has grown by 6 percent to 7 percent. Similarly, the share of consumers who are “not concerned” (rating 1 to 3) has shrunk by about 3 percent to 6 percent.

GRAPHIC COURTESY OF PARKS ASSOCIATES

Obsidian-July2018
SmartLink 1-July2018
Concerns About Hacking of Smart Products-July2018
July 30, 2018
Joan Engebretson
KEYWORDS cyber security / security dealers
Reprints
No Comments

Security dealers increasingly are offering smart home devices such as smart lighting control, smart thermostats and smart door locks to their customers. By taking the right precautions, dealers can help ensure that those devices enhance the customer’s lifestyle without posing cyber security vulnerabilities.

 

While the focus of this article is specifically on cyber security for smart home equipment, it’s important to note that there also may be vulnerabilities related to the security system to which the smart home equipment may be connected — a topic addressed in the sidebar titled, “How Secure Are Wireless Security Devices?” on page 76. 

Wireless Communications

Potential cybersecurity vulnerabilities related to smart home equipment fall into three main areas: wireless communications, passwords/user codes, and the security of the customer’s router/broadband modem.

Smart home devices such as smart door locks or smart thermostats may use Z-Wave, Zigbee or Wi-Fi wireless communications.

Ross Werner, chief architect for San Jose, Calif.-based security and smart home equipment manufacturer Qolsys Inc., explains the cyber security protections provided by each of these protocols. “Z-Wave devices fall into two categories: secure (access devices such as door locks) and non-secure (light switches, thermostats, etc.). Secure Z-Wave devices use 128-bit AES encryption; this is what financial institutions and governments use to protect sensitive data. It is built-in, always-enabled, not even possible to be disabled,” Werner explains.

Encryption helps prevent an unauthorized user from using a “sniffer” device to listen to communications in order to learn passwords or other sensitive information.

“Z-Wave also benefits from an explicit pairing process where the network controller has to sync with a new device and exchange security keys,” Werner continues. “The latest version of the Z-Wave [software development kit] is fully encrypted.”

Zigbee is a bit more complicated because each one of multiple vendors has implemented its own version of the networking stack. Overall, though, “if you look at Zigbee 3.0, with proper implementation, its security is comparable to Z-Wave; it also uses 128-bit AES and has a pairing process between devices to the network controller,” Werner says.

Ensuring Wi-Fi security “requires first enabling a robust security protocol and then strong passwords to keep the communication secure,” according to Werner. 

Dave Mayne, vice president of product management for Hudson, Wis.-based manufacturer Alula, notes that most Wi-Fi smart home equipment has encryption as a default setting. A bigger concern, he says, is whether an unauthorized Z-Wave device might be able to connect to a Z-Wave network.

Devices used with Alula and some other smart home systems have a feature that requires the passing of secure software keys — which Mayne says could be thought of as device passwords — back and forth between the system and any device that wants to join the network. 

According to Mayne, “not all manufacturers do that well.” Accordingly, he advises dealers to ask the manufacturer of any smart home equipment what that manufacturer does to make sure that only trusted devices can join the network.

As for encryption of wireless protocols, Mayne comments “You’re always playing a game — hackers try to break [encryption], you enhance it and the hackers try to break it again.”

Recognizing that, dealers will want to keep up with new developments in encryption technology and when appropriate, consider replacing or, if possible, upgrading existing devices so that they have the most current technology.

How Secure Are Wireless Security Devices?

Ironically, potentially the least secure portion of an integrated security and smart home system is not the smart home portion of the system, but rather the security portion. 

According to Mike Hackett, senior vice president of sales and marketing for Qolsys, some of the proprietary protocols that manufacturers use between wireless sensors and the control panel are unencrypted. 

Traditionally, this was not a major concern, he explains. “Ten years ago, it would take a really smart person with a really gigantic server” to “pull up to someone’s house,” listen in on communications between elements of the security system and determine how to gain entry to the system, Hackett observes.

In today’s world, however, he notes that “there’s a simple radio you can buy on eBay or Amazon” which, when combined with watching a video on YouTube, can give almost anyone the ability to crack into unencrypted security system communications. 

Communication between individual elements of an alarm system can be fairly infrequent, but according to Hackett, a potential burglar could hide a sniffer device in a bush near a home targeted for a heist and return a week or so later to gain the necessary information.

Some security manufacturers — including Qolsys, Alula and others — are now encrypting wireless security system communications and some offer retrofit kits for existing systems that may lack encryption. Retrofit kits may enable security dealers to replace only the radio portion of the existing panel, Hackett explains. To minimize upgrade costs, dealers may consider only replacing particularly critical sensors such as wireless key fobs and door/window contacts, he notes.

Advising customers about options such as these could be an important task for security dealers, considering that a recent Parks Associate survey conducted for Qolsys found that 64 percent of professionally monitored security system owners believe their home security system uses encrypted communications from the sensors to the panel, even though the percentage likely is considerably lower. 

“Proprietary protocols used in various security products have varied in the degree of protection they provided, from highly rigorous to much less so,” comments Brad Russell, Connected Home research director for Parks Associates.

User Codes & Passwords

According to Helen Heneveld, president of Holland, Mich.-based Bedrock Learning and author of SDM’s Smart Insights column, the most common vulnerabilities associated with home control systems relate to user codes and passwords. It’s critical for the default passwords on any home control devices that use passwords to be changed.

What malicious actors could do if they were to obtain the password to a home control device varies, depending on whether the device communicates with the security system, Heneveld explains, but one possibility is they might be able to unlock doors or windows.

Heneveld recommends that security dealers offer a password management service to their home control customers to keep track of client passwords and help ensure that those passwords are changed regularly. Homeowners see security dealers as trusted suppliers, Heneveld argues, and by offering password management, dealers not only gain a potential source of recurring monthly revenue (RMR), they also “reaffirm the trust” that customers have in them. 

Some industry stakeholders have a bit different take, however. Noting that many systems are controlled via an app installed on the customer’s smartphone or through a computer, Nick English, national sales manager for Kwikset Corp., Lake Forest, Calif., recommends that the installer show the customer how to change the password using the app but should avoid knowing the password, instead turning responsibility over to the customer to enter the password into the system.

Using an app that requires customers to use a longer-length password that includes a combination of special characters and upper- and lower-case letters or advising customers to use such a password also can enhance cyber security.

English offers other advice for what security dealers should tell customers when turning a newly installed smart home system over to the customer. He notes, for example, that Kwikset smart door locks can support as many as 30 user codes, but he advises dealers to discourage customers from assigning more of them than they need. He also encourages dealers to inform customers that they can limit the hours during which an individual user can access the system.

“If you have a dog walker and you give them their own user access code, maybe you only make it available during certain times and not on weekends,” English suggests.

The Role of the Router

Some smart home cyber security vulnerabilities originate in a device that typically is not under the security dealer’s control — the broadband modem/router from the cable or phone company or other Internet provider. 

“Right now, I think that’s kind of a hands-off area,” comments Mayne, who notes that security dealers don’t want to be accused of changing something on the router that causes some type of problem for the customer.

Nevertheless, routers could have cyber security vulnerabilities if certain software is out of date, if default passwords haven’t been changed, or for other reasons. One important potential vulnerability is if software ports on the router have been left open, which also leaves open the possibility that a malicious actor might gain entry to the network through an open port. 

“If they can get to the router, maybe they can get to your laptop,” observes Mike Hackett, Qolsys senior vice president of sales and marketing — and that might enable a malicious actor to get to banking records or other sensitive information.

Mayne advises security dealers to consider offering a monitoring service for the router, a move that could enhance smart home cyber security while at the same time provide a new source of RMR. If the monitoring service were to detect potential security vulnerabilities in the router, the dealer could advise the customer to raise the issue with his or her Internet provider. He points to Fing, Bitdefender and Cujo as possible providers of such software. 

Mayne adds, though, that there are some instances in which a smart home system could introduce potential vulnerabilities. Whether or not this could occur relates to how the dealer’s equipment manufacturer implements remote smartphone control, according to Mayne. 

The most secure method, he says, is via a cloud connection. With this approach, if a malicious actor were to gain access to the customer’s account by somehow obtaining or guessing the user’s password, he or she would not be able to gain access to the customer’s home network but only to the cloud interface. Mayne advises dealers to avoid using products that rely on a direct connection to the customer’s home network for remote access.

A Cyber Security Tool for Security Dealers

Security dealers that are members of the Consumer Technology Association may find an interactive tool developed by CTA to be useful in gauging the cyber security of a smart home installation. The tool steps the dealer through a series of questions and, based on those answers, provides a score to indicate the cyber security level of the installation. A checklist that looks at the same issues is available to members and non-members on the CTA site at this link:

https://cta.tech/cta/media/Membership/PDFs/ConnectedHomeSecurityChecklist.pdf

Ongoing Education

Dealers also may want to make cyber security part of their ongoing dialogue with their customers.

“We make it a habit to routinely educate/inform our customers of the best security measures they themselves should take: at the point of sale, during/after installation and on an ongoing basis via phone calls, emails and blog postings,” comments Heather Spencer, coordinator of marketing and social media for GHS Interactive Security, a security dealer based in Woodland Hills, Calif.

Those tips, she notes, include:

  • Create strong passwords.
  • Avoid using the same password for multiple log-ins.
  • Change passwords often.
  • Secure the property’s wireless network and cloud-enabled devices with a firewall.
  • Use a regularly updated anti-virus program across all computers and make sure all computers and networking equipment are patched regularly.
  • Ensure equipment firmware is updated on a regular basis.
  • Only purchase security equipment from a trusted source.

Adding smart home capabilities can enhance customers’ experiences with their security systems and boost dealer revenues. Keeping cyber security top of mind can help ensure that customers have a positive experience with their smart home systems and may even provide additional revenue opportunities in the form of password management and monitoring of customers’ home networks.


More Online

For more information about cyber security of security technology, visit SDM’s website where you will find the following articles:

“Cyber Security & Its Impact on Operational Technologies”

www.SDMmag.com/cyber-security-operational-technologies

“Cyber Security & the Internet of Things”

www.SDMmag.com/cyber-security-and-iot

“Cyber Security & IP Cameras: Everyone’s Concern”

www.SDMmag.com/cyber-security-ip-cameras-everyones-concern

“The Seeming Paradox of Cybersecurity”

www.SDMmag.com/paradox-cybersecurity

“Cyber Security Threats, the IoT and Preparing for the Zombie Apocalypse”

www.SDMmag.com/preparing-for-the-zombie-apocalypse

 “The Brave New World of Cybersecurity and the Security Integrator’s Role In It”

www.SDMmag.com/brave-world-cybersecurity


Subscribe to SDM Magazine

Recent Articles by Joan Engebretson

The Big Security Deals of 2018: What They Tell Us

Wholesale Central Stations: Innovation Is Key

11 Ways to Maximize the Value of Your Security Company

Thinking Outside the Box About CO & Smoke Detectors

10 Great Security Distributor Resources

Joan Engebretson is a contributing writer for SDM Magazine.

Related Articles

ADT Unveils Home Automation, Cyber Security Solutions at CES

Security Professionals’ Biggest Sources of Concern Related to Cyber Attacks

J.D. Power Ranks Vivint Smart Home Highest in Home Security Customer Satisfaction

New Version of Genetec's Platform Adds New Cyber Security, Privacy, Access Control & Smart-Data Analytics Features

You must login or register in order to post a comment.

Report Abusive Comment

Subscribe For Free!
  • Print & Digital Edition Subscriptions
  • SDM eNewsletter & Other eNews Alerts
  • Online Registration
  • Subscription Customer Service

More Videos

Popular Stories

SDM0219-cover inside

State of the Market: Video Surveillance

ADT-Logo1.jpg

ADT Acquires DIY Home Security Provider LifeShield

Richmond Alarm ScorecardWEB.jpg

Designing an Effective Product Assessment Process

defenders.jpg

ADT Dealer DEFENDERS Draws Scrutiny From Chicago News Station

KP_KA_ChooseAlert

Beyond the Basics of Emergency & Mass Notification

SDM-IndustryInnovation360

Events

April 30, 2019

How to Work with IT to Capture the Entire Job

As modern security systems become increasingly sophisticated and camera counts continue to climb, many organizations are looking to their IT departments to find replacements for traditional infrastructure. Outdated infrastructure puts organizations at risk of data loss and downtime and potentially exposes them to critical liabilities and financial losses. It should come as no surprise then that 40-60% of the average security spend is allocated to updating infrastructure.
January 1, 2030

Webinar Sponsorship Information

For webinar sponsorship information, visit www.bnpevents.com/webinars or email webinars@bnpmedia.com.

View All Submit An Event

Poll

Hiring Women in Security

Has your company made any efforts in the past year to specifically hire and/or promote women in managerial/executive positions? (Please select the best answer.)
View Results Poll Archive

Products

Effective Security Management   6th Edition

Effective Security Management 6th Edition

This latest edition of Effective Security Management retains the qualities that made the previous editions a standard of the profession: a readable, comprehensive guide to the planning, staffing, and operation of the security function within an organization.
See More Products
State of the Market: Access Control 2018 - SDM Magazine

Visit the latest in our “State of the Market” series: Access Control 2018

SDM Magazine

_FC_SDM0219 Cover 144x192

2019 February

In our February issue we present our 2019 “State of the Market: Video Surveillance” report. Also, find out more on "Artificial Intelligence in Video Surveillance". Read about the "3 Steps for Choosing the Right Visitor Management Solutions". And discover the latest and greatest products.

View More Subscribe
  • Resources
    • List Rental
    • Online Exclusives
    • Industry Innovations
    • Partners
    • Privacy Policy
    • Survey And Sample
  • Want More
    • Subscribe
    • Connect

Copyright ©2019. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing