A smart home – but safe!?

Computer scientist Peter Schulik is a research associate at the Institute for Innovative Security at Augsburg University of Applied Sciences. Schulik focuses on the protection of operating systems and networks, particularly in the field of digital forensics. We interviewed the IT expert about the security of smart home technology.

Mr. Schulik, is the data encryption of these systems really as secure as the manufacturers suggest?

In our university lab, we simulate attacks on smart home technology to identify new attack techniques and detection mechanisms. The result: Depending on the product, the devices are more or less secure. Hacking them therefore requires varying degrees of effort and expertise from the attacker. But it is possible.

Is this only relative security also due to competitive pressure in the market?

Yes, security costs time and money, and the pressure to bring new features to market before the competition does has a negative impact. There's less time to review the software and check how well the code is secured, for example, whether passwords are transmitted unencrypted, or to uncover vulnerabilities in the software.

What makes the smart, connected home vulnerable to external attacks?

The actuators and sensors on windows, doors, or heating systems collect information about their physical environment. Even the sound system, which, for example, ensures that your favorite music greets you at home, knows your user profile. Corporations, and potentially burglars, can thus find out if and when someone is home. In many cases, it's simply not transparent what happens to this data.

Another source of danger is cyberattacks. Sensitive information such as credit card details is stored on these devices. How can users contribute to their own security?

Unfortunately, it happens all too often that buyers of smart home technology, such as security cameras, neglect to change the default username and enter their own password. Such devices can then be scanned and compromised online. Along with a variety of other devices like refrigerators or heating systems, they are often combined to form botnets (large networks of remotely controlled systems infected with malware). Most of these bots can then be monitored and receive commands via a communication channel.

Can you give us a specific example?

If a mother uses a two-way audio camera to monitor her baby online and uses a default username and password, an unauthorized person could gain access to the camera and voice control, potentially resulting in a stranger's voice being heard in the room or video footage of the nursery being recorded. In the US, a separated man used his access to the smart home components in their former shared home to terrorize his ex-wife. However, it also happens that smart home systems merely serve as gateways or springboards to access further network data, which is stored either on the computer's or laptop's hard drive or on the company network.

Besides increased comfort and energy efficiency, it's actually the enhanced security that motivates buyers to invest in a smart home system. How can these uncertainties be minimized?

Before buying, you should definitely invest time in familiarizing yourself with the provider's security concept. What features are offered? How does the encryption work? Important aspects to consider when choosing include: How long will I receive security updates, and are they even available? Can I change the password – good manufacturers encourage this – and is the data transmitted encrypted? Are updates installed automatically, or is this configurable? The manufacturer-independent platform av-test.de offers a good starting point. There are also smart home components without internet access or communication with the provider. If in doubt, choose one of these. You can also find information on what to look out for on the smart home page of the special report "BSI for Citizens," published by the Federal Office for Information Security (BSI).

In which direction will the future development of technology take?

Manufacturers are currently working on combining components that currently operate independently to create specific routines. The command "Alexa, start the morning program!" would then be enough to heat the bathroom, raise the blinds, brew coffee, and search for your favorite radio station. In the future, such routines will also be controllable from the car. So, if I want to do some shopping on my way home, I can ask what's already in the refrigerator.

Very practical. How smart is your own home?

Despite the many convenient features that a smart home offers, mine is rather traditional. For security, I still rely on mechanical burglar protection.

Thank you for the informative conversation, Mr. Schulik!