A couple weeks ago, I vented my frustration as an ICS security professional at my apartment building forcibly converting to networked smart locks. My tweets were widely misinterpreted, so I’d like to talk a little bit about privacy and security aspects to consider if (when) the property you rent from decides to go “Smart”. To be abundantly clear, I’m not opposed to Smart Home systems – most of us want to live in Star Trek and these devices are a way to a more convenient future. However, there are right ways and wrong ways to implement them, and many substantive privacy and security questions to ask as we move forward into that future.
What’s Your Threat Model?
Before we go any further – when we’re talking about things that impact personal safety, it’s crucial to think about the specific, realistic threats that we (or our families) face. In this blog, I’m going to talk about ways that consumer IoT and Smart Home systems can be abused to cause risk to safety and privacy. If your number one concern for your safety is a casual criminal breaking your lock and stealing your TV, and the loss of your activity data isn’t something that substantially impacts or bothers you, you might decide that a flawed Smart Home system is an acceptable risk (or even a net benefit).
The EFF has a lovely guide on personal threat modeling here. I also enjoyed Sean Gallagher‘s article in ArsTechnica. Always remember that risk to your person or sensitive data is a combination of threat and vulnerability.
My threat model is not your threat model. I investigate nation state and criminal hacking for a living, and I’m a social media personality. Understand your own, and how security and privacy changes will impact it.
How Does Somebody Defeat a Smart Lock?
Before we talk about how a smart lock can be defeated, let’s talk about a typical US renter’s lock. For years, rekeyable mechanical deadbolt locks with master keys have dominated the US apartment market. Many lessors don’t use high security locks with substantial modern anti-pick or anti-drill protection. They choose locks because they’re quick, cheap, and easy to rekey and meet codes. Your apartment deadbolt is a deterrent. If you live at ground level with windows, it might be easier for a criminal to enter through one. If you live in a more secure building, it still won’t take long at all for someone with a bit of motivation to bump, drill, or pick the lock.
Smart locks really vary. A lot of their security depends on their implementation, quality, and features. Some of them provide slightly better physical security than a mechanical lock, and some of them may have slightly worse resistance to simple physical attacks. In my case, the lock in question has no mechanical keyhole, so some physical attack vectors simply aren’t there. If that’s your specific risk model, then that lock is an improvement.
Pin-code locks are open to a host of different attacks than keyed locks. Numbers may wear off mechanical buttons due to use. Additionally, pin codes are something that one knows, unlike a key which they have, and therefore they can be somewhat easier to steal than physical resident or master keys via shoulder-surfing or social engineering. It is also possible for a technically adept person to retrieve a master pin code from some locks electronically without physical damage. It’s important that any landlord installing pin-code locks considers these issues carefully.
Bottom line – a smart lock’s resistance to physical and low-tech attacks totally varies by the lock and how it is installed. Be sure you check into yours’.
However, smart locks, by their nature, also add a great deal of complexity – both in terms of stuff that can fail rendering the smart lock failed locked or unlocked (which may be noteworthy in many people’s risk models), and in terms of network features that add substantial vulnerabilities.
What Happens When we Network the Lock?
Modern smart locks (and many smart devices) frequently connect to a controlling smart hub via two mid-to-short range wireless protocols: the open standard Zigbee, or Silicon Labs’ Z-Wave. In the case of some popular smart devices, a network module is interchangeable to support either. Both of these protocols support mesh networks – meaning, if a device is far from a hub, it can use other devices as relays to talk to it.
In terms of wireless security, both protocols use AES-128 symmetric encryption, but devices implementing both have been vulnerable to some wireless exploitation methods, especially during setup. A big cause of this is backwards compatible devices, and poor or insecure implementation of the protocols by product vendors. While vendors may release firmware updates to fix these issues when possible, the onus is on the device owner to apply them promptly. Patching one’s lock isn’t something many consumers think about.
We come back, however, to the question of threat models. It is certainly possible to attack Z-Wave or Zigbee devices via those protocols, given readily available hardware and software. However, in most cases, these attacks are currently inefficient compared to other attack vectors which we’ll discuss.
The Problem of the Hub
We’ve discussed the security of the standalone smart lock, and the communication method it uses to talk to a smart hub. So far, things don’t seem much more dire than our old-fashioned, master-keyed lock. But that hub has to make decisions about what the smart devices connected to it do. In some cases, a hub may be isolated from the internet and merely make decisions based on local voice or control input. However, it’s much more common for consumer IoT hubs to be connected to the internet. This provides features like remote app-based control, and data reporting, or advanced voice recognition (think, home assistants).
In the case of the rental market, smart home systems provide a few obvious potential benefits:
– Monitoring of utility usage or unsafe conditions (e.g. water leaks).
– Control of occupied unit access for service.
– Control of unoccupied unit access to reduce the need for leasing staff to demo properties.
– Monitoring for subletting or apartment rental service use against policies.
– Faster rekeying on moveout.
– A sexy sell on convenience for potential buyers.
All of those things but one require the hub report data back to some central service. A lot of information about resident lives. Even if occupied unit data is redacted when sent to the lessor, the smart home company must handle data at rest and in transit which may very likely include things like: lock state by timestamp (when is the resident home or on vacation?), guest access, temperature and water usage (when does the resident sleep?), and remotely-configured pin codes to open the lock. As devices become more integrated, this data set will grow and become more telling about residents’ daily activities. This data is being handled by the hub, then sent to the vendor to disseminate and process. The vendor may also issue commands from the app or the lessor to the hub, such as new access codes.
What’s the Right Way to Do This?
If I were management companies’ security consultant (and I’m not), I’d issue them some firm advice – connect these hubs to a private and professionally secured network (preferably wired). Ensure they’re monitored for intrusions and administrative logins, and physically locked away from resident access. Finally, ensure the hub product and vendor network meet reasonable modern security standards.
Unfortunately, there’s currently a mad dash to get these technologies deployed to rental properties by multiple management firms and smart home vendors, and making those changes costs more and takes more time. What we really see happening across several vendors is a highly competitive push to connect these hubs to residents’ personal routers, so that they may have a connection to the internet and thusly to the vendor. From my limited viewpoint into deals and investments, vendors who are seriously considering security and doing things right are struggling to meet leasing firms’ aggressive time-frames.
Why Is This a Super Cringe-y Security Idea?
Allowing residents physical access to a consumer-grade smart hub with an ethernet port or wireless interface is always going to pose a substantial product security risk. Even with a responsible disclosure program, potentially tens of thousands of residents will have access to the unit – which may be using some very well-documented services and technologies. Some will be more technically savvy than others. These hubs will almost certainly be aggressively examined and reverse engineered to look for any security deficiencies in the short to mid term. Some firms are simply installing already-exploitable consumer hubs in the rush to market.
Connecting hubs to residents’ personal routers adds another host of security and liability issues – both to the resident, and the vendor. When was the last time you replaced your home router, or changed your WiFi password? Home routers are often old, have few security features, and little or no segmentation between WiFi and physical ethernet ports. Home wireless encryption standards are not currently in good condition and are typically quite crackable by somebody with a $30 antenna and a laptop running Kali Linux. Once an adversary has obtained access to a consumer wireless network, they’ll typically be be able to connect in the future at their leisure.
So now, we’re in a position where a person with some basic hacking knowledge and YouTube can spend some time gaining access to resident networks, then return days, weeks, or months later, to exploit and tamper with the connected smart hub(s). As an added benefit to a criminal, it’s pretty easy to walk by an apartment and guess based by signal strength which SSID it is broadcasting. This isn’t really high tech stuff – or high barrier.
That same person could certainly come through a building with a bump key and break into mechanical locks. However, this typically leaves some physical damage and evidence, and the skill and tool barriers are very different. Again, we’re back to the question of threat model. If someone is stalking or abusing a resident, being able to repeatedly open the lock while leaving no physical damage or evidence (and not having to do anything overtly suspicious) could be very desirable. This is very much in the realm of possibility if these systems are not secured properly.
Edit 3/3/2019 – a POC has been developed by Dallas Hackers to allow an earlier version of a currently in-use deployment to be trivially opened in this manner.
What About Remote Attacks?
Up to this point, we’ve only really discussed attacks which occur local to the rental property. However, recall that the hub has a direct connection to the internet via an insecure consumer router (or even a cellular dongle with no security at all). This exposes the hub to a multitude of the omnipresent attacks and scanning which occur perpetually on the internet. Most low-end consumer hubs have some sort of web interface or terminal interface for standalone management or configuration.
It is clearly absurd to expect everyday residents to have the technical knowledge or resources to secure a hub from these types of attacks, particularly as their consumer routers age.
These hubs will be scanned and attacked on any and every port, using any available service. Repeatedly, over time – and potentially thousands of units per vendor. They may trivially be indexed in Shodan and left searchable and exposed.
Without being secured on a private network with proper commercial security, these hubs will be attacked, and the only question is how long and effectively they will withstand the scrutiny.
Then, There’s the Vendors’ Security…
Let’s move back to the question of the vendor to whom a smart hub is sending data. I’ll just give all the vendors in the space the benefit of the doubt and presume that they do this using strong encryption – anything else would be nearly criminally negligent. However, even encrypting the connection poses security difficulties. If certificates or credentials used to access the hub and connect it to the vendor are hard coded anywhere on the hub, they’ll become a juicy target for reverse engineers and malicious hackers, and may become an avenue for attack against other hubs or the vendor. Careful product security design and best practices are critical, as well as routine and detailed product security audits.
We’ve established that for system operation, these smart home vendors are going to have to handle a lot of private and telling data about residents – both in transit and at rest on their systems. This isn’t a trivial responsibility – especially as this service becomes more ubiquitous. All of the typical commercial concerns for securing sensitive data apply. Regardless of cloud or physical infrastructure, the vendor has to implement a strong security program to include real-time monitoring, structured patching, security auditing and assessment, formal identity and access management, proper data encryption, incident response, data breach preparedness, anti-phishing, and employee background checks. The vendor must simultaneously ensure the security of any apps they provide, and proper secure development and auditing of any devices or hubs they manufacture.
Essential Security Process Documents a Smart Home Vendor Should Have
A company handling access and sensitive private data in transit or at rest should have (at a bare minimum) these formal, written processes in place:
- A data breach response plan (in case a system deficiency or hack exposes private data)
- A cybersecurity incident response plan (in case an intrusion is reported or detected) – and they should make it clear if incident response is handled in-house or retained.
- A vulnerability reporting program (so system or product deficiencies can be responsibly and effectively disclosed).
Not seeing one of those processes provably in place is a huge red flag to me as a person who investigates and researches security incidents. They should all be mandated by property management companies who are contracting with smart home firms.
Do keep in mind that these are in addition to the essential technical security measures noted in the previous section.
Hacking Goes Both Ways…
While exploited or poorly-secured hubs may provide a handy attack vector against the smart home vendors’ systems or other hubs, they may also provide a convenient route for hackers into residents’ private networks. If the hubs are not properly monitored or secured, they could certainly be exploited via the internet in the future to conduct reconnaissance or attacks of other devices connected to the network. This poses a potential mire of liability for the smart home vendors and management firms.
If a lessor firmly directs residents to connect smart hubs to their networks, which are then exploited to cause infection or hacking of the resident’s personally-owned network, who is financially liable? What if the resident conducts professional or sensitive work using the network, and another company faces damages or intrusion as a result? These are legal questions regarding liability which I do not have the expertise to answer, but they are deeply troubling.
But, Lesley – Everybody Has an Alexa!
Consumers typically have a choice to purchase or not purchase their own smart technologies. Many people opt for the convenience that Alexa or Google Home provide. They may even make an added risk decision about connecting access control devices to their smart hub. However, I do caution that while both Alexa and Google Home clearly pose privacy and security concerns, they are both backed by very large, enterprise-grade product security teams and network security teams. Yet even high-end, well- supported smart devices are sometimes hacked.
I would highly encourage any lessor or tenant being approached with a smart home system – particularly one controlling access – to investigate if the vendor can realistically meet the same standards, or at the minimum – fundamental and necessary standards of cybersecurity. Ask substantive questions about their security program, security staffing, and data breach and incident response plans.
Finally, those Pesky Privacy Concerns
Many of the people objecting to these systems outright are doing so merely because they don’t want private data about their daily activities sent to a third party at all. I can certainly appreciate this. Again, I’m not a lawyer. I will note that I couldn’t find any precedent for cases involving landlords forcibly sending behavioral data on residents to third parties, or reselling it. Of course, this desperately needs to be discussed and explored as more and more data about our daily lives is catalogued, and China rates their citizens based on similar data points.
At this time I have absolutely no proof that any company involved in these migrations is monetizing resident data. In fact, the companies I spoke to are being careful to redact some resident behavioral data once it arrives at lessor consoles from vendors. That does nothing to reduce security concerns, but it’s encouraging from a pure data privacy standpoint.
I will note that it does appear to me that property management firms are being unfortunately remiss in not getting in front of these obvious concerns in writing – establishing clear and written privacy policies for their usage of the smart home data and data ownership with regards to the vendor and device manufacturers. Making people with privacy concerns really uncomfortable about living in their homes is a great way to lose residents and degrade confidence. Clarifying privacy policies is a relatively cheap and easy reassurance to provide.
Regardless, my expertise is in cybersecurity, and I’ve chosen to focus on the potential security deficiencies and exploitablity of these systems. I encourage privacy advocates to investigate and discuss those aspects as well.
Where is this Headed, and Who is to Blame?
I am a security professional. I have limited visibility into inner political workings of property management. I can only make educated guesses based upon press releases, startup funding rounds, and conference talks. But honestly, after spending a couple weeks looking into companies who are purchasing rental smart home technologies and vendors selling it, I can’t fault the individual employees of the vendors producing the tech, too much. This is the hot new thing – smart apartment technology has been discussed in depth at high-profile conferences, and management companies seem eager to get it deployed across thousands of units in astoundingly tight time-frames. The bottom line is that management companies love these systems, many residents find them cool, and vendors are being pushed hard to produce. The voices of security and privacy-conscious residents are likely to be drowned out, until a data breach or security incident causes substantial attention.
I think there are definitely ways to do smart apartments right. I was incredibly impressed by a couple companies I have no affiliation with that reached out to me after my tweets about this issue, interested in my security concerns. There are certainly both vendors and management companies that are carefully evaluating these problems and building mitigations.
At this point, however, this seems to be a freight train far larger than I as an individual ICS security researcher can hope to stall. Projections show systems from several vendors deployed into hundreds of thousands of US apartments in a couple years. I would simply implore management companies consider all the implications of these systems carefully, and invest a relatively small amount of money in installing them securely and ensuring vendors have the human and financial resources they need. I am, as always, willing to assist as much as my free time and resources allow.
What’s the TLDR?
If you’re a tenant in the US, it’s very likely that a management-provided smart home system is headed your way in the near future. Carefully evaluate your family’s personal threat model, and consider the plausible digital ways which these systems could be exploited.
Spend some time reading into the vendor. Respectfully and courteously encourage your property management company and their smart system vendor to adopt industry best practices in securing smart hubs physically and digitally, the networks they are connected to, and and resident data at rest and in transit in their infrastructure. Request your property managers clearly and decisively address privacy concerns such as data ownership and resale in writing. If solid answers in writing don’t assuage legitimate concerns, consider politely seeking an option to opt-out – and make your threat model clear to them, if you’re in a sensitive situation.
These systems are the future – let’s do them right, for everybody.