The Internet of Things - Risk Analysis - Smart Thermostats
Introduction
This article looks at the internet-connected room thermostat, a home-automation device that regulates the temperature of a room or building. It usually works by reading the current room temperature from a sensor, comparing it with a target temperature set by the user, and switching the heating on or off accordingly.
An internet-controlled thermostat can be operated remotely by the user: turning the heating on or off, adjusting the temperature and modifying the thermostat's settings. This is achieved by connecting the thermostat to the user's home network, either over Ethernet or wirelessly; most thermostats are hardwired into the network to increase security, as wireless networks can be more susceptible to threats. It can then be reached from the internet through a public IP address, just as other devices on the network can, and controlled by any user who holds the security credentials, usually a username and password.
Two main functions are available to the user remotely. Firstly, the user can view the thermostat's current status, which includes the current room temperature and whether the heating is on or off. Some systems provide further information, such as estimated heating costs or when the heating was last turned on or is next due to turn on. Secondly, the system should allow the user to send commands that control the heating over the internet: turning it on or off, up or down, or modifying the scheduling or automation settings that decide when the heating turns on or off.
Similar devices include the manual thermostat that most homes have, or had until a few years ago. It lets the user set a desired temperature, and a sensor monitors the room and turns the heating on or off accordingly, but it has no connectivity. A similar device that does have connectivity is the internet home media system, where speakers are connected to the router and accessible over the internet, allowing the user to control their music remotely from an internet-enabled device such as a smartphone, tablet or laptop. The connectivity works in much the same way as the internet thermostat's: the device is connected to the LAN, usually by Ethernet cable or possibly wirelessly, it is reachable from the internet through a public IP address, and the user logs in remotely with a username and password.
In the future these internet thermostats could become even more sophisticated, possibly adjusting the temperature according to the weather outside and combining the heating system with a window-opening system, so that if it is warm outside the windows open for a period of time. However, this opens the door to even more potential threats. A hacker might be able to gain access to the house by remotely opening the windows, and there would be a greater risk of external factors allowing access to the building.
Potential Security Risks
Hackers could potentially bypass or crack the authentication stage, allowing them to log in and gain access to not just the thermostat but potentially the whole home network, if it is all connected and not properly secured. The more smart appliances linked to the home network and connected to the internet, the larger the attack surface, meaning there are more ways in and a higher chance that a black hat gets into the system. Even a good firewall is no help if the hacker can get in by cracking the login credentials in some way, such as brute force, spying or bypassing the login.
One big problem with the portals for controlling many smart homes is that so many of them have been made crawlable by search engines. This allows anyone to find them online with a simple Google search, and from there it is usually a simple matter to get into the portal, which allows not just the thermostat to be controlled but often the lighting, door locks, security cameras and other devices. Further to this, some companies, such as Insteon, by default don't require a username and password at all. Beyond that, sensitive data such as the user's IP address can also be exposed by having an online home-automation system.
In late 2013 there were several reports of people saying their Nest thermostats had been hacked and that the temperature of their house had been changed by someone else. Nest says that this has all been fixed and claims the system is secure. Nest is one of the most popular smart thermostat systems and was recently bought by Google.
In the future these risks could grow as even more of our homes go online, not just the heating system. A hacker or criminal could have the power to do serious damage, far more than raising the temperature a little: taking control of the house, allowing access to anyone, locking the owner out, modifying anything and gleaning personal information that could lead to further fraud.
STRIDE Analysis
Spoofing Identity: as seen above, hackers can pretend to be the home owner if secure login credentials are not implemented. The hacker can quite easily find the login page on the internet and can then either bypass the authentication phase with some clever processes, or crack the login using techniques such as brute force, or install malware or keyloggers on the user's computer to learn their passwords. Once the hacker has gained access while pretending to be the homeowner or user, they have access to everything the homeowner could modify.
Tampering with Data: once the hacker has gained access to the system, they can tamper with data, potentially causing significant loss of assets for the property owner. They could send the energy bill through the roof, allow unwanted intruders into the building, damage or break hardware, and steal further personal details, which would increase the amount of damage they could cause.
Repudiation: it is possible for the hacker to remain anonymous. If logins are stored along with the IP address, then so long as the hacker uses some form of IP shield to make their address appear to be in another location, they remain anonymous and untraceable.
Information Disclosure: once the hacker has gained access to the control panel for the smart house, depending on which appliances are online they may be able to gain personal information about the victim. If only the thermostat is internet-connected this is less likely, but if the victim also has a CCTV system accessible from the internet and a system to lock and unlock doors, the hacker could do a lot of damage.
Denial of Service: depending on how the system is set up, the hacker may be able to change the login credentials, giving themselves access at any time while denying the home owner access to their own control panel.
Elevation of Privilege: there is only one level of privilege in this system, so it is not possible for the hacker to gain any further privileges once they have broken in.
Threat Tree Analysis for Damage once Logged in to the System
[Figure: Threat Tree Analysis for Damage once Logged in to the System]
DREAD Risk Analysis
Damage Potential: the hacker could gain control of all the user's smart-house features, allowing them to increase energy consumption and bills, gain access to the property and even steal further personal details. Therefore the damage potential is 7/10.
Reproducibility: once the hacker has gained access once, they should be able to get in every time. No variable conditions need to be true for this to be reproduced, so the reproducibility is 9/10.
Exploitability: the hacker requires only knowledge of generic password cracking, giving an exploitability factor of 5/10.
Affected Users: everyone living in the affected household would be affected, although this is likely to be a relatively small number of people. If the system were in an office, the only people who would seriously care would be the ones picking up the pieces. Therefore the rating is 3/10.
Discoverability: as the vulnerability is likely only to be exploited by the hacker using password cracking or bypassing techniques, it has a discoverability factor of 6/10.
Risk
From the above ratings the risk factor can be calculated: the five DREAD scores total 30 out of a possible 50. Therefore the risk factor for this system is 60%, which is reasonably low compared with the potential of other systems.
Methods of Reducing Risk of Smart Thermostat through Secure Coding
Firstly, the programmer must ensure that all code is correct, as this prevents insecurities; the programmer must therefore understand everything they have written or included. Testing is vital, and it should be done by the developer throughout the software development phase, not all at the end. A number of different methods and techniques should be combined to ensure that all aspects of the program work seamlessly with no loopholes. Programmers with more experience tend to write more secure code, and research is vital: even experienced programmers never stop learning.
A common method hackers use to maliciously modify the running of a program is to write a script that runs concurrently with the program to read, modify or remove what is currently on the stack. It is also possible to make the program skip a subroutine by modifying the pointer position; for example, the hacker could skip the authentication part and gain access to a system.
A very common flaw in programs is that not all input goes through a thorough validation process. You should never trust a user's input until it has been proven safe, and it should be revalidated every time it crosses the boundary between unsafe and safe. Presume all sources are untrustworthy until proven otherwise. Once you have determined a valid pattern, reject everything that does not match it; regular expressions are good for this, and of course impose a length limit. Be especially vigilant about special characters and punctuation.
It is essential to put in place methods to stop buffer overflows, as they are an easy way for hackers to break or gain access to a system. They can occur in any memory segment, and mitigation strategies should be used to prevent them.
There is also the technique of code injection used by many hackers, where they craft a string that becomes a malicious argument for a method.
Secure Design Specification
The biggest danger that showed up during the risk analysis phase was that once someone had bypassed the login page, which could be reasonably straightforward, they had access to the whole system. Fixing this is therefore the top priority in the new security requirements.
1. A secure username and password must be used as identification to log in.
2. There is to be no 'forgotten password' feature that uses email to verify the user; it will use something more secure, such as a phone number.
3. The login page must not be crawlable by search engines, i.e. it must not show up in Google if the hacker knows what to search for. It should only be reachable if the user knows the direct URL.
4. Restrictions should be placed on the thermostat for both temperature and time. These may be set up as custom settings by the home owner while installing the system.
5. There should be an admin user with overriding privileges who is notified when another user makes a significant change to the system's settings.
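As an added example, not code from the original post, the Python below shows how the input-validation advice from the secure coding section and requirements 4 and 5 could be implemented together: each remote command is length-limited and matched against an allowlist pattern before anything is trusted, temperature and schedule values are checked against owner-set limits, and a significant change is recorded for the admin user. The command format, the owner limits and the notification threshold are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Owner-set restrictions (design requirement 4). These values are constructed
# for the example; a real installation would take them from the owner at setup.
OWNER_LIMITS = {"min_temp_c": 5.0, "max_temp_c": 25.0,
                "earliest_hour": 6, "latest_hour": 23}

# Allowlist for the remote command format, which is hypothetical:
#   "SET <temp>"                e.g. SET 21.5
#   "SCHEDULE <HH:MM> <ON|OFF>" e.g. SCHEDULE 07:30 ON
# Anything that does not match exactly is rejected; there is no partial parsing.
COMMAND_RE = re.compile(
    r"^(?:SET (?P<temp>\d{1,2}(?:\.\d)?)"
    r"|SCHEDULE (?P<hh>[01]\d|2[0-3]):(?P<mm>[0-5]\d) (?P<state>ON|OFF))$"
)
MAX_COMMAND_LEN = 32        # length limit applied before any pattern matching
SIGNIFICANT_DELTA_C = 3.0   # assumed threshold for notifying the admin (requirement 5)


@dataclass
class Thermostat:
    target_c: float = 20.0
    admin_notices: List[str] = field(default_factory=list)

    def apply_remote(self, raw: object, user: str) -> Tuple[bool, str]:
        """Validate one command arriving across the trust boundary, then apply it."""
        # Treat the input as hostile until every check below has passed.
        if not isinstance(raw, str) or len(raw) > MAX_COMMAND_LEN:
            return False, "rejected: not a string or too long"
        m = COMMAND_RE.fullmatch(raw.strip())
        if m is None:
            return False, "rejected: does not match a known command"
        if m.group("temp") is not None:
            temp = float(m.group("temp"))
            if not OWNER_LIMITS["min_temp_c"] <= temp <= OWNER_LIMITS["max_temp_c"]:
                return False, "rejected: outside owner temperature limits"
            if abs(temp - self.target_c) >= SIGNIFICANT_DELTA_C:
                # A large jump counts as a significant change: record it for the admin.
                self.admin_notices.append(
                    f"{user} changed target {self.target_c:.1f} -> {temp:.1f} C")
            self.target_c = temp
            return True, f"target set to {temp:.1f} C"
        hour = int(m.group("hh"))
        if not OWNER_LIMITS["earliest_hour"] <= hour <= OWNER_LIMITS["latest_hour"]:
            return False, "rejected: outside owner time window"
        return True, f"schedule {m.group('hh')}:{m.group('mm')} {m.group('state')} accepted"
```

Because the pattern is anchored and matched in full, a command with trailing punctuation or an appended payload is rejected before any value is interpreted.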