BBC Inside Out. Consumer advice for the ‘smart’ homeowner

We were recently asked to demonstrate security flaws in a smart home for the BBC Inside Out TV show. We’ve done this before, so what was different?

This home was by far the most connected we had looked at. Typically, homes have a few smart devices; a smart thermostat, CCTV, maybe a doorbell and perhaps a home assistant.

In this case, there were over 200 devices for us to play with.

Devastating security flaw, amazing disclosure response

My interest was piqued by a smart home management system that aggregated smart products. One smart system to rule them all. My colleague @evstykas noticed an insecure direct object reference in an account reference parameter.

Simply by modifying this, one could access the users account. Remote, unauthenticated.

As it brought together virtually every smart device in the home, it allowed us to compromise everything. Even devices that we knew were otherwise secure.

We had the ability to unlock smart door locks, disable smart house alarms, spy on CCTV, listen to microphones, everything.

We aren’t naming the vendor. Why?

We reported this by email. The email was acknowledged within minutes. An engineer was woken at 3am and a fix was being tested by the time the development team got to the office.

This is completely at odds with normal train-wreck disclosure process with IoT vendors. We were so impressed that we decided not to name them in public.

How bad was it?

The flaw affected about one million smart homes around the world. Smart home management devices are typically found in high-end homes. Homes full of high value contents.

We can’t determine how long the flaw was present, but it’s not there any more.

Advice

Smart home installers in my experience aren’t experts in security, but they do know how to get smart stuff working.

Before you engage their services, ask for evidence of the security processes they follow. For example, ask for a document that explains to you:

• How they enable remote access to your home from a mobile app.
• If the installer can access your home remotely themselves. Do they have ‘back door’ or ‘remote support’ access?
• How the software is kept securely up to date
• What the installer has changed on your home router to enable access

Also, ask the installer for a how-to for you: do they have a document that gives you advice on setting up your accounts securely?

If the installer can’t provide these, I would question whether they’re the right installer for you and your security.

Smart home product vendors also need to be able to provide similar answers – consumer documentation that potential customers can easily determine whether security is addressed properly or not.