Support for Ukraine



Blog Archive



Smart homes systems not so secure: U of C researcher

Full Story Blog Post Saturday, October 28, 2023 in Security   View No Comments No Comments
Security

NAME

Devices to make homes smarter and protected are rendering them less secure, says a University of Calgary researcher who’s delved into the interconnected world of tech privacy.

The increasingly widespread use of devices in homes such as surveillance cameras, smart TVs and virtual assistants that are linked through apps and smartphones are exposing sensitive homeowner data to a host of players, not all of them benign, said U of C associate computer science professor Joel Reardon.

It can also lead to the harvesting of sensitive information and can even alert eavesdroppers to when a home is vacant and vulnerable, said Reardon, who collaborated in the research with academics in Spain and the U.S.

More often, commercial players can receive this information for their own benefit and without the homeowner’s awareness, said Reardon.

There’s a distinct irony in the threat posed by devices meant to protect us, he said.

“We have this mentality a home network is a safe space, that it’s safe from the internet but increasingly these devices are contacting the internet and sending (data) out,” said Reardon.

“The mentality is it’s a high-trust space but what our paper is arguing is it should be a low-trust space.”

The so-called Internet of Things (IoT) or devices such as printers or CCTV cameras that connect automatically with smartphones can be compromised to expose household geolocation data and unique device names, said Reardon.

“The spyware I found in apps with tens of millions of installs was in fact scanning networks and talking to routers,” he said.

“Many of these IoT devices were reporting persistent identifiers that could fingerprint the home (to outsiders)…increasingly these devices are contacting the internet directly and sending (data) out.”

Equipment like CCTVs can protect a home while providing an unwelcome window to it for outsiders, he added.

A paper titled In the Room Where It Happens: Characterizing Local Communication and Threats in Smart Homes was presented this week by Reardon and his international team of colleagues at the ACM Internet Measurement Conference in Montreal.

It examined 93 IoT devices and their interactions with mobile apps to uncover a range of privacy threats.

With the use of such devices and apps rising, “there’s opportunities for more malicious behaviour, if devices can do bad things we need to have better security in that regard,” said Reardon.

Said Reardon’s counterpart at Boston’s Northeastern University, Associate Professor David Choffnes: “We find that smart devices in our homes are piercing that veil of trust and privacy – in was that allow nearly any company to learn what devices are in your home, to know when you are home and learn where your home is.”

“There is a need for better protections in the home.”

A manager of a local home security firm said he’s been aware of the privacy risks for some time but said professional installers like him operate with a focus on security than those who retail-purchase home systems.

“It’s a growing concern but you’ll find with professional companies, it’s a different ball game – we actually take security issues seriously,” said Chris Rubak, service and installation manager at AE Security.

Those seeking the lowest price and most convenient products can be more vulnerable to privacy breaches, he said.

And with growing concern over crime due to a challenging economy, demand for his services for high-end homes and commercial properties is keeping the company busy, said Rubak, adding he’s not aware of any breaches among his customers.

To allay concerns over security vulnerabilities, he said his firm sources products that follow federal security standards.

Even so, Rubak said he’s “highly-suspicious about downloading specific apps onto my smart phone. There’s no real way to police because it’s (transmitted across) the world.”

The U of C’s Reardon voiced skepticism over government standards governing tech, saying they’ve too often proven to be more harmful that helpful, such as protocols demanding regular password resets.

“I’m not too convinced by standards in general – they don’t give me the sense everything been thought of,” he said.

But he said locking down the ability of apps to freely talk to devices and making sure IoT devices aren’t sharing unnecessary information like identifiers can help reduce exposure.

“Don’t share information unless it’s on authenticated devices,” he said.

“We’ve reached out to companies and we’ve gotten a real positive response from them, like removing persistent identifiers.”

calgaryherald.com



No Comments