Smart homes are increasingly popular for IoT products and services with many promises for improving individuals’ quality of life. Typically, a smart connected home comprises a multitude of connected devices belonging to various application areas, broadly categorized into four groups: entertainment, energy, security, and healthcare.
However, connected devices in a smart home pose many security and privacy challenges due to this environment’s heterogeneous, dynamic, and Internet-connected nature, in which an unauthorized party can obtain unacceptable or inappropriate access to someone’s personal information. This accessibility, alongside the rising risks of privacy and data security breaches, makes smart home security a critical topic that deserves scrutiny.
Notably, most of the devices launched in the market are more focused on connectivity but lack security and are easily attacked by hackers. Since many devices are connected to the internet in a smart home environment, there is a potential risk of malicious attacks – i.e., passive and active attacks.
In passive attacks, the third party steals the information without changing the data. On the other hand, active attacks will modify or add the system data. However, passive attacks are more dangerous since it is not easy to detect them instead of preventing such attacks. Preventing such devices in the smart home environment from such attacks is a great challenge and should be addressed to save the digital economy. In this post, we will discuss some of the key potential privacy and security threats suffered by smart home devices.
1. Third-party storage
The introduction of third-party cloud storage was crucial to developing the smart home feature that permits remote access and monitoring. As a result, you can access the data from your smart home from anywhere. A third party may keep a lot of private information and personal data.
For instance, a data breach at the Chinese company Orvibo, which operated an IoT management platform, exposed 2 billion records from smart home devices. The breach affected information, including passwords, account reset codes, precise geolocation, and scheduling data. This would inform attackers of user routines and locations, allowing them to determine when homes are empty and creating opportunities for burglaries. Some devices, like smart locks or security cameras, might become useless due to the information because attackers could now access them.
2. Secondary use of data
Users may unknowingly agree to allow their data for purposes other than the device when purchasing and configuring new smart home devices, such as Amazon’s Alexa. Users can converse verbally with the device and ask questions. Workers examine voice samples submitted to the device to enhance Amazon’s voice recognition software. This raises some questions regarding data that the gadget might unintentionally capture. Users’ previously private home conversations might no longer be so private. The use of this data may also raise concerns about morality and confidentiality.
3. Resource constraints and headless nature
Smart home devices are frequently battery-powered and employ low-power CPUs with low clock rates and throughput. It is difficult to port computationally expensive cryptographic algorithms like RSA to such low-powered devices. RAM and flash memory limitations also make this difficult. Furthermore, most IoT devices lack a keyboard, mouse, and screen. Due to this, end users may be forced to rely on smartphones or websites to enter parameters.
Furthermore, this makes implementing mechanisms like “notice and consent” more difficult in smart-connected homes. Packages that are not tampered with Because smart home devices are usually physically accessible, they are vulnerable to physical tampering attacks. Homeowners can sometimes carry out this attack, for example, by tampering with smart meters to reduce billing costs. On the other hand, other entities may engage in technical tampering, for example, to facilitate a break-in.
4. Heterogeneous protocols and dynamic characteristics
The various communication protocols that could be used to connect the devices in a smart-connected home necessitate using bridges, hubs, or gateways. A device may also use a proprietary protocol (e.g., non-IP-based) locally and a standard protocol to connect to the cloud. Because of these factors and hardware limitations, network engineers may choose weaker encryption schemes.
Wearables, for example, can join or leave the home network anytime and from anywhere. This necessitates the development of robust security algorithms and makes tracking and asset management difficult. Traditional security schemes are also unsuitable for home devices due to the multiprotocol communication characteristics and varying device capabilities.
Besides, remote reprogramming is required to mitigate security vulnerabilities. However, dynamic patches may not be possible for all devices because the operating system, protocol stack, or firmware may not support them. Furthermore, some devices, such as smart meters, are designed and expected to remain operational for many years without requiring component replacement or direct maintenance.