Most smart homes can be hacked


If you follow internet and computer security news even occasionally, you may have come across the claim that many smart home systems are poorly designed or poorly configured, which exposes them to serious security issues.

At the risk of insulting your intelligence, I should explain that smart homes are exactly what you think they are (by analogy with smartphones, smart TVs or smart cars): homes in which the heating, cooling and lighting control systems, the smoke detectors and/or the door locks are connected to the home network or to the internet, just like computers, phones or tablets. Such systems allow users to monitor and control their home systems remotely.

Researchers from AV-Test took a closer look at smart security systems, internet-connected door locks, smoke detectors and anything else with access to the Web. They tested the security of seven different smart home kits and found that four of them were not secure.

Seven is, of course, a small sample that may be neither statistically significant nor representative. That aside, the devices proved to be vulnerable and could be used for internal and, in some cases, external attacks against the home network and the equipment connected to it, or against the home itself and all its contents.

AV-Test analyzed iConnect from eSaver, tapHome from EUROiSTYLE, Elements from Gigaset, iComfort from REV Ritter, Smart Home from RWE, QIVICON from Deutsche Telekom and XAVAX MAX! from Hama. The research showed that only three kits (Gigaset, RWE and QIVICON) were well protected against intrusion and unauthorized access. The iComfort and tapHome kits contained vulnerabilities that could be exploited locally, meaning the attacker had to be in the home to make use of them. More importantly, the iComfort and XAVAX MAX! kits could be exploited remotely (as well as locally).

Each product offers a different set of features. Generally these are electricity, heating and security control systems; window, door and room monitoring systems; electrical outlet control systems; as well as systems for switching lights, heating and electricity.

It is conceivable that an attacker could manipulate connected systems to cause damage (e.g. turn off the heating in winter, which would cause pipes to burst).

However, most cyber criminals are interested in money, so the most likely attacks are those that use these systems as access points to obtain valuable data stored on your home network. It is also possible that unsecured devices could be compromised in order to surveil a potential target for physical theft. A criminal with the right knowledge could even open the door, which would only make the theft easier. AV-Test notes that ransomware spreading among the different connected devices may also be tempting to an attacker. After all, it's hard not to pay the ransom when your whole house just isn't working.

AV-Test focused on whether communication between devices is encrypted, whether the kits require active authentication by default (a password for network or physical access) and how vulnerable they are to remote attacks.

Two-way communication with the Gigaset, RWE and QIVICON products is always encrypted and has been found secure by AV-Test. iConnect also encrypts its communication, but according to AV-Test, the encryption can be easily bypassed. The other tested products (iComfort, tapHome and XAVAX MAX!) do not use encryption at all.

This failure to implement encryption properly means that all smart home communications can be easily intercepted. An attacker could monitor all communication with these devices, forge codes to manipulate their operation, or simply watch the traffic to find out when the household is at home.

The iComfort product does not require authentication at all, so the system can be attacked remotely over the internet. iConnect and XAVAX MAX! require authentication for network access, but not for local physical access. tapHome requires internal authentication, but given the lack of encryption in the product, this is irrelevant. Gigaset Elements, RWE Smart Home and QIVICON, in addition to communicating securely, all require authentication for both physical and network access.

The good news is that the folks at AV-Test believe that if the developers of these products take the time to implement a decent security concept instead of rushing their goods to market, it is entirely possible to create a secure smart home system. If you are thinking of buying one of these systems, AV-Test has just told you what to look for: a system that always requires authentication and always encrypts its communication.