Computer security has become a major concern during the COVID-19 pandemic. A surge in cyber-attacks have put health organizations and hospital complexes on the defensive, and even the World Health Organisation has suffered a serious (though unsuccessful) attempt at information theft by hackers. Ordinary citizens are having to deal with an increase in attempts at fraud, phishing and password theft, especially through fraudulent websites that allegedly offer information and remedies related to the coronavirus, but also through a security hole in the popular video conferencing software Zoom, which millions and millions of people have downloaded in recent weeks in order to work and to keep in touch with their loved ones during confinement.
All these risks are combined with a very unique situation in which people are making particularly intensive use of their computers and mobile devices from their homes. They connect to the Internet through domestic Wi-Fi networks that are easily attacked, and even more so since home automation devices and household appliances are now cyber-connected, which has opened up new pathways through which cyber-attacks can occur. Here we explore the latest solutions designed to provide more security in this modern technological era.
The weakest link in the smart home
The problem with home automation devices —such as smart thermostats and Wi-Fi connected plugs or light bulbs— is that in order to be remotely controlled, when we are away from home, they need to be connected to the Internet and accessible (directly or indirectly) from outside our home network. They are usually devices without a great deal of sophistication in their hardware and software, are simple to use and easy to configure. The usual process is through a smartphone app, which detects them and provides them with the password of the home Wi-Fi network so they can connect to it.
To make this process simple, a home automation device announces itself on the network, as if it were raising its hand to identify itself, and this can attract the attention of hackers. “It’s helpful for the devices to communicate what they do, but that opens up vulnerabilities. The choice of protocols affects not only the device, but also the security of the network on which it is running,” warns researcher Chaz Lever of the Georgia Institute of Technology (USA). His team has evaluated the vulnerability of the most popular home automation gadgets and has drawn up a ranking, rating their security in four aspects: that of the device itself, that of its communications within the home network, that of the mobile app and that of the cloud service employed in order to have remote control from outside the home.
Routers with home automation security
The authors of this comparison explain that they have observed a striking variability in security, depending on how much the manufacturer of the smart device has invested in hardware and software to protect and encrypt their communications. For the tech giants that promote the most popular home automation systems —such as Amazon’s Alexa or Apple’s HomeKit— this situation is a serious problem that threatens the reliability of their platforms.
The most immediate way to deal with these vulnerabilities is to strengthen the security of the router, the control centre of the domestic Wi-Fi network. Amazon made a move in February 2019 when it acquired the company Eero, a pioneer in the field of mesh routers. This technology is designed to achieve a powerful Wi-Fi signal that reaches every corner of the home (linking several modules installed in different rooms), which solves one of the most common problems of traditional routers. In addition to this feature and the simplicity of configuration (with a mobile app) —a common point in the mesh systems of this and other manufacturers— Eero had stood out for adding to its routers as a standard feature a transport layer security system (TLS) to encrypt communications, and also for offering a subscription service that protects all computers, mobiles and intelligent gadgets on the home network from viruses, malicious websites and attacks.
The next move came from Apple at its software developer conference in June 2019, where it announced that it would adapt its home automation control system (HomeKit) to integrate routers from manufacturers such as Linksys or even Eero. In the end, this compatibility arrived in early 2020. Its main use is that it adds a firewall to each of the home automation devices present in the dwelling, meaning that if one of them were to be controlled by a cyber-attack, it would not be able to access the rest of the home network or get at any personal information.
A common umbrella providing more security
The third step towards bringing an end to the insecurity and the incompatibilities between the multiple home automation systems came about in December 2019, when Google, Amazon and Apple joined forces to promote the establishment of a standard home automation system: Project Connected Home over IP (CHIP), which also includes other large manufacturers of smart accessories such as Philips, IKEA, Legrand, Samsung and Schneider. Apple then opened portions of the source code of its HomeKit system, “to accelerate the development of the new universal standard,” while Google provided key technologies to establish “direct, private and secure end-to-end communications among devices, mobiles, and cloud services. This approach reduces points of attack and weakness.”
The specification of this standard should be completed by the end of 2020. As a result, starting in 2021, the first devices of a new generation of home automation accessories will roll off the assembly lines, more compatible and more secure. Together with new routers designed to add protection, these devices hold the promise of Internet connected homes that are better able to resist cyber-attacks. Meanwhile, security experts recommend a number of measures to secure home Wi-Fi networks: changing the default router management password, using a different password to secure each home automation device, updating the firmware of those accessories frequently, and enabling two-factor authentication when possible. Basically, our defence for the moment is focused on improving our habits with security keys; to this end, apps to manage passwords are very helpful.
One more design change in our (digital) lives in these times of pandemic.