The state of smart home security? Terrible, horrible, no good, very bad. Millions of networked devices are being put into circulation, but many of them are highly insecure. Common safety standards are rarely or incompletely implemented, if they exist at all. We show you known deficiencies and asked manufacturers and security experts whether there is any prospect of improvement.
It's almost a little creepy. Lamp manufacturers LIFX, Xiaomi, Tuya and WIZ are concerned. In a quick test, the hacker "Limited Results" was able to read Wi-Fi passwords unencrypted in several Wi-Fi connected lamps. But for this he had to open the lamps by hand.
Of course, somehow such smart lamps must be able to reconnect to your Wi-Fi after they have been switched off at the switch and switched on again later. However, storing the necessary data unencrypted is generally considered a bad practice. After all, a thief could unscrew your lamp to later open and read it at home.
The security expert and VTrust founder Michael Steigerwald succeeded in hacking without soldering or opening with Tuya lamps. Steigerwald demonstrated it at his CCC lecture in Leipzig, and on that day did not want to name the manufacturer of those lamps. The problem is a global one and - as the findings of Limited Results later showed - not limited to individual manufacturers.
I talked to security expert Maik Morgenstern from AV-Test about the state of smart home security and asked: "How can I as a customer know before I buy whether or to what extent I can trust a networked electrical device?" His answer, translated from German, was as follows:
In the public eye, one sees above all the cases in which something goes wrong. What is particularly frightening about this is that the same simple mistakes are made again and again that do not have to be. Complex hacks are often not even necessary. Passwords are then simply sent through the network in plain text.
Since 2013 we have been testing IoT devices [on iot-tests.org, -Ed] and have identified several trends. Well-known manufacturers are increasingly making efforts to ensure IT security and we can see that the level here is rising steadily. At the same time, however, new companies are constantly coming onto the market, for which IT security all too often plays no role. In addition, the handling of the subject of data protection is handled very differently.
European manufacturers in particular are increasingly attracting our attention with solid IT security, but also with reasonable data protection requirements. If the companies also undergo a voluntary security test such as AV-TEST, recognizable by the AV-TEST seal "TESTED SMART HOME PRODUCT", there is a good chance that the device can be operated safely and that the user's data will not be misused.
But whether they're well-known or not, when suppliers like Tuya sell hundreds of thousands of light bulbs with foreign names, the customer doesn't even see what's inside the lamps. White label contracts disguise the true origin of the technology. In its IFA Innovation Award press release, Tuya wrote:
To date, Tuya Smart has developed well over a thousand software and hardware products for companies such as TCL and Archos and currently works with over 10,000 customers around the world.
The manufacturers caught follow up the criticism with action and patch their systems accordingly. Tuya replied in an extensive statement that the following problems from Steigerwald's live hack will be tackled or have already been tackled:
- The AES key is now transmitted encrypted.
- Communication with the Tuya cloud will be TLS encrypted
- Information in flash memory is stored in encrypted form
- Firmware packages are verified
- The app gets a new administration for security keys
Unfortunately, we were not told why the location data of each individual user can still be retrieved in the Tuya cloud. So it remains the case that manufacturers with Tuya technology know unnecessarily much about you.
Lifx also sent us a statement which basically promises to do the same:
"All medium to high severity vulnerabilities identified by Limited Results were fixed in the firmware and app releases at the end of 2018. All sensitive information stored in the firmware is now encrypted and we have introduced additional security settings in the hardware. Customers can get the firmware update by opening their LIFX app. If you have not updated your lights yet, a firmware update prompt will appear."
Xiaomi also states that it will deliver a patch. Furthermore, the manufacturer says that an attack is highly unlikely if it first requires physical access to a product.
We need public safety regulation for IoT manufacturers
Patches alone will not tackle the problem at its root: The manufacturers of networked home electronics must make it clearer that our data protection is important to them. As customers, we must be able to rely on manufacturers to develop smart home devices with a focus on privacy. Everything else is secondary.
Just as they emphasize the added value of networked household appliances, they must also show that we are not burdened by data leaks and external misuse. Here it would also be desirable for legislators or consumer protectors to intervene. These could make safety audits such as the above the norm, such as a visit to the health department in restaurants.
Until then, we will have to make do with DIY efforts. For example, you can make your smart home more secure by adjusting your Wi-Fi settings. But if we can't know beforehand whether the equipment has been manufactured safely, even our best efforts may be in vain.
Are you concerned about the security of your smart home devices?