The Internet of Things - Risk Analysis - Smart Thermostats



Introduction
This article discusses the internet-connected room thermostat, a home-automation device that regulates the temperature of a room or building. It usually works by switching the heating on or off depending on the current room temperature reported by a sensor, compared against a target temperature set by the user.

The internet-connected thermostat can be operated remotely by the user. This includes turning the heating on or off, adjusting the temperature and modifying the thermostat's settings. It is achieved by connecting the thermostat to the user's home network, either over Ethernet or wirelessly; a wired connection is often preferred where it is practical, since a wireless network adds its own attack surface. The thermostat is then reachable from the internet, either through a port forwarded on the router's public IP address or through a vendor cloud service that relays commands to the device. Whoever holds the security credentials, usually a username and password, can control it remotely.

Two main functions are available remotely to the user. Firstly, the user can view the thermostat's current status: the current room temperature and the heating state (on or off). Some systems provide further information, such as estimated heating costs or when the heating was last turned on or is next due to turn on. Secondly, the system allows the user to send commands over the internet to control the heating: turning it on or off, up or down, or modifying the schedule and automation settings that decide when the heating runs.

A related device is the manual thermostat that most homes have, or had until a few years ago. It allows the user to set a target temperature, and a sensor turns the heating on or off accordingly, but it has no connectivity. A similar device that does have connectivity is the internet home media system, where speakers are connected to the router and accessible over the internet, letting the user control their music remotely from an internet-enabled device such as a smartphone, tablet or laptop. Its connectivity works much like that of the internet thermostat: it is attached to the LAN, usually by Ethernet cable or possibly wirelessly, is reachable from the internet, and the user logs in remotely with a username and password.

In the future these internet thermostats could become more sophisticated, for example adjusting the temperature according to the weather outside and combining the heating system with a window-opening system, so that when it is warm outside the windows open for a period of time. However, this opens the door to further threats: an attacker who can remotely open the windows can gain physical access to the house, and every extra actuator connected to the building is another route in for external parties.




Potential Security Risks
Attackers could potentially bypass or crack the authentication stage, allowing them to log in and gain access not just to the thermostat but, if everything is connected and not properly segmented, to the whole home network. The more smart appliances that are linked to the home network and reachable from the internet, the larger the attack surface, meaning there are more ways in and a higher chance that a black hat can get into the system. Even a good firewall is no help if the attacker can obtain valid login credentials, whether by brute force, password guessing, keylogging or some other bypass of the login step.

One big problem with the portals used to control many smart homes is that so many of them have been made crawlable by search engines. This allows anyone to find them with a simple Google search, and from there it is often a simple matter to get into the portal, which controls not just the thermostat but often the lighting, door locks, security cameras and other devices. Worse, some companies, such as Insteon, by default do not require a username and password at all. On top of this, an online home-automation system can expose sensitive data such as the user's IP address.

In late 2013 there were several reports of people saying their Nest thermostats had been hacked, and people had been changing the temperature of their house. Nest says that this is all fixed now, and claims to be secure. Nest is one of the most popular smart thermostat systems, recently bought by Google.

In the future these risks have the potential to increase, as more of our homes go online, not just the heating system. An attacker or criminal could do considerably more serious damage than raising the temperature a little: they could take control of the house, letting anyone in, locking the owner out, modifying anything and gathering personal information that could lead to further fraud.

STRIDE Analysis
Spoofing Identity, as seen above, attackers can pretend to be the home owner if the login is not properly secured. The attacker can easily find the login page on the internet and can then either bypass the authentication step through a flaw in the application, or obtain the credentials by brute force or by installing malware or keyloggers on the user's computer. Once in, posing as the homeowner, they have access to everything the homeowner could modify.

Tampering with Data, once the attacker has gained access to the system they can tamper with its data and settings, potentially causing significant loss for the property owner. They could send the energy bill through the roof, let intruders into the building, damage hardware by driving it outside its normal operating range, and steal further personal details that increase the damage they can cause.

Repudiation, it is possible for the attacker to remain anonymous. Even if logins are recorded along with the source IP address, an attacker who connects through a proxy, VPN or compromised third-party machine will appear to come from somewhere else, so the logs alone will not identify them and the intrusion is hard to trace.

Information Disclosure, once the attacker has access to the control panel for the smart house, they may be able to learn personal information about the victim, depending on which appliances are online. If only the thermostat is internet-connected this is less likely, but if the victim also has a CCTV system reachable from the internet and a system to lock and unlock doors, the attacker could do a great deal of damage.

Denial of Service, depending on how the system is set up, the attacker may be able to change the login credentials, giving themselves access at any time while denying the home owner access to their own control panel.

Elevation of Privileges, there is only one level of privilege in this system, so an attacker cannot gain any further privileges once they have broken in. Note that the admin user proposed in the design specification below changes this: once ordinary and admin accounts exist, a compromised ordinary account has a higher privilege level to aim for.


Threat Tree Analysis for Logging in to the System

Threat Tree Analysis for Damage once Logged in to the System


DREAD Risk Analysis
Damage Potential, the attacker could potentially gain control of all the user's smart-house features, allowing them to increase energy consumption and bills, gain access to the property and even steal further personal details. Therefore the damage potential is 7/10.

Reproducibility, once the attacker has gained access to the system they can get in every time. There are no variable conditions that need to hold for the attack to be repeated, therefore the reproducibility is 9/10.

Exploitability, the hacker will require just knowledge of generic password cracking, therefore there is an exploitability factor of 5/10.

Affected Users, everyone living in the affected household would be affected, although this is likely to be a small number of people. If the system were installed in an office, the impact falls mainly on whoever has to deal with the aftermath. Therefore the rating is 3/10.

Discoverability, as the vulnerability is only likely to be found by an attacker using password cracking or bypass techniques, it has a discoverability factor of 6/10.


Risk
From the five ratings above the overall risk factor is the average of the DREAD scores: (7 + 9 + 5 + 3 + 6) / 5 = 6 out of 10.

Therefore the risk factor for this system is 60%, a moderate score, and reasonably low compared with what other, more heavily connected home systems could reach.

Methods of Reducing Risk of Smart Thermostat through Secure Coding
Firstly, the programmer must understand every line of code they have written or included, including third-party libraries, as code nobody understands is where insecurities hide. Testing is vital; it should be done throughout the development phase by the developer and not all at the end. A number of different methods and techniques should be combined to ensure that all aspects of the program work together with no loopholes. Programmers with more experience tend to write more secure code, and research is vital: even experienced programmers never stop learning.

A common way for an attacker to subvert a running program is to corrupt its memory, most often the stack. By writing past the end of a buffer they can overwrite neighbouring variables or the saved return address, and so redirect the program's control flow. For example, overwriting the return address can make the program skip the authentication routine entirely and land in code that should only run after a successful login.

A very common flaw in programs is input that does not go through thorough validation. Never trust a user's input until it has been proven safe, and revalidate it every time it crosses the boundary from an untrusted to a trusted part of the system. Presume all sources are untrustworthy until proven otherwise. Once you have determined what valid input looks like, reject everything that does not match that pattern (an allow-list rather than a block-list); regular expressions are a good tool for this, and there should always be a length limit. Be especially vigilant about special characters and punctuation.

It is essential to put measures in place to stop buffer overflows, as they are an easy way for attackers to crash or gain access to your system. They can occur in any memory segment: the stack, the heap or static data. Mitigations include bounded copies with explicit length checks in the code, and compiler and platform protections such as stack canaries, non-executable memory and address-space layout randomisation.
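The following is an added example, not code from the original article, showing the authentication bypass described above on a simulated login routine. The stack frame is modelled as one explicit byte array (a 16-byte password buffer followed immediately by a 4-byte "authenticated" flag) so that the overflow behaves deterministically; a real compiler may lay locals out differently, but the mechanism is the same. The password "s3cret", the function names and the frame layout are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: simulated stack frame of a thermostat login routine.
 * Layout (assumed for the demo): password buffer at [0,16), flag at [16,20). */
#define BUF_LEN   16
#define FLAG_OFF  BUF_LEN
#define FRAME_LEN (BUF_LEN + sizeof(uint32_t))

/* Constructed password for the demonstration only. */
static const char CORRECT_PASSWORD[] = "s3cret";

static uint32_t read_flag(const unsigned char *frame)
{
    uint32_t flag;
    memcpy(&flag, frame + FLAG_OFF, sizeof flag);
    return flag;
}

static void write_flag(unsigned char *frame, uint32_t value)
{
    memcpy(frame + FLAG_OFF, &value, sizeof value);
}

/* Vulnerable: copies the whole input, strcpy-style, without checking BUF_LEN.
 * Returns 1 when the caller ends up "authenticated". */
int login_vulnerable(const char *input)
{
    unsigned char frame[FRAME_LEN] = {0};   /* buffer zeroed, flag = 0 */
    size_t n = strlen(input) + 1;            /* bytes copied, including the NUL */
    if (n > FRAME_LEN)
        n = FRAME_LEN;                       /* cap only so the demo stays inside its own array */
    memcpy(frame, input, n);                 /* n > BUF_LEN spills into the flag */

    if (strncmp((const char *)frame, CORRECT_PASSWORD, BUF_LEN) == 0)
        write_flag(frame, 1);

    return read_flag(frame) != 0;            /* any non-zero garbage counts as logged in */
}

/* Hardened: rejects over-long input before copying and compares in constant
 * time, so neither the flag nor the timing of the check can be influenced. */
int login_hardened(const char *input)
{
    unsigned char frame[FRAME_LEN] = {0};
    size_t len = strlen(input);
    if (len >= BUF_LEN)                      /* room for the NUL is required; never truncate silently */
        return 0;
    memcpy(frame, input, len + 1);

    unsigned diff = 0;                       /* OR of every byte difference over the fixed length */
    for (size_t i = 0; i < BUF_LEN; i++) {
        unsigned char expected = i < sizeof CORRECT_PASSWORD
                                     ? (unsigned char)CORRECT_PASSWORD[i] : 0;
        diff |= frame[i] ^ expected;
    }
    if (diff == 0)
        write_flag(frame, 1);
    return read_flag(frame) != 0;
}

int main(void)
{
    /* constructed inputs: correct password, wrong password, 20 x 'A' overflow */
    const char *inputs[] = { "s3cret", "wrong", "AAAAA" "AAAAA" "AAAAA" "AAAAA" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-22s vulnerable=%d hardened=%d\n", inputs[i],
               login_vulnerable(inputs[i]), login_hardened(inputs[i]));
    return 0;
}
```

The overflowing input never matches the password, yet login_vulnerable reports success because the bytes that spilled past the buffer landed in the flag; one byte past the end is enough. The hardened version refuses any input that would not fit, rather than truncating it, which is the check the design specification's "secure username and password" requirement depends on.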

There is of course the technique of code injection, used by many attackers, where a crafted input string becomes a malicious argument to a method and is passed on to an interpreter such as a shell or database engine, so that data is executed as a command. The defence is the strict input validation described above, combined with never building commands by concatenating untrusted input into a string.
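As an added example, not part of the original article, the block below applies the input-validation and injection points above to a target-temperature ("setpoint") field received by the thermostat's control interface. The "heatctl" command, the function names and the 5 to 30 degree limits are assumptions for the demonstration; the limits stand in for the owner-configured temperature restrictions that the design specification later asks for.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: validating a setpoint string from the network. The command
 * name and limits are assumptions, not taken from any real product. */
#define MAX_SETPOINT_LEN 5      /* e.g. "21.5"; anything longer is rejected */
#define MIN_SETPOINT_C   5.0    /* assumed owner-configured limits */
#define MAX_SETPOINT_C   30.0

/* Vulnerable: the raw string is interpolated into a shell command line.
 * Passed to system(), input "21; reboot" would run two commands. */
int build_command_vulnerable(const char *setpoint, char *out, size_t out_len)
{
    return snprintf(out, out_len, "heatctl set %s", setpoint);
}

/* Allow-list syntax check: 1 to MAX_SETPOINT_LEN characters, digits only,
 * with at most one '.' that is neither first nor last. Everything else,
 * including ';', '|', '$', quotes and whitespace, is rejected. */
bool setpoint_syntax_ok(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > MAX_SETPOINT_LEN)
        return false;
    int dots = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (isdigit(c))
            continue;
        if (c == '.' && dots == 0 && i != 0 && i != len - 1) {
            dots = 1;
            continue;
        }
        return false;
    }
    return true;
}

/* Parse and apply the owner's policy. On success writes *value_c and returns true. */
bool parse_setpoint(const char *s, double *value_c)
{
    if (!setpoint_syntax_ok(s))
        return false;
    char *end;
    double v = strtod(s, &end);
    if (*end != '\0')                 /* cannot happen after the syntax check; defence in depth */
        return false;
    if (v < MIN_SETPOINT_C || v > MAX_SETPOINT_C)
        return false;                 /* policy limit on the temperature range */
    *value_c = v;
    return true;
}

/* Hardened: only the parsed number reaches the command, formatted by the
 * program itself, so the argument is always a plain decimal. Better still,
 * call the heating control routine directly instead of going via a shell. */
int build_command_hardened(const char *setpoint, char *out, size_t out_len)
{
    double v;
    if (!parse_setpoint(setpoint, &v))
        return -1;
    return snprintf(out, out_len, "heatctl set %.1f", v);
}

int main(void)
{
    /* constructed inputs: valid, shell injection, out of policy range, malformed */
    const char *inputs[] = { "21.5", "21; reboot", "99", "2.5.1" };
    char cmd[64];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        build_command_vulnerable(inputs[i], cmd, sizeof cmd);
        printf("input %-12s vulnerable -> \"%s\"", inputs[i], cmd);
        if (build_command_hardened(inputs[i], cmd, sizeof cmd) < 0)
            printf("  hardened -> rejected\n");
        else
            printf("  hardened -> \"%s\"\n", cmd);
    }
    return 0;
}
```

The syntax check is an allow-list with a length limit, as the text recommends: it does not try to enumerate dangerous characters, it accepts only the shape a temperature can have. The range check is a separate step because a string can be perfectly well-formed and still be a value the owner never wants the heating to reach.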


Secure Design Specification
The biggest danger that showed up during the risk analysis phase was that once someone had got past the login page, which could be reasonably straightforward, they had access to the whole system. Fixing this is therefore the top priority in the new security requirements.

1. A secure username and password must be used as identification to log in.
2. There is to be no 'forgotten password' feature that relies on email alone to verify the user; it must use a stronger check, such as a code sent to a phone number registered in advance.
3. The login page must not be crawlable by search engines, i.e. it must not show up in Google even if the attacker knows what to search for, and should only be reachable by a user who knows the direct URL. Note that keeping a page out of search indexes only reduces how easily it is found; it does not protect the page from a direct scan, so this requirement complements the first two rather than replacing them.
4. There should be restrictions on the thermostat for both temperature and time. These may be set up as custom settings by the home owner while installing the system.
5. There should be an admin user with overriding privileges who is notified when another user makes a significant change to the system's settings.
