There have been a number of articles in the press about the lingering death of the smart home hub. As Amazon Alexa and Google Home have become dominant forces in the smart home, their integration with smart plugs, switches, and other devices that utilize Wi-Fi for communications has led to a large number of these devices being sold. Z-Wave and Zigbee devices, which require a hub for communications, appear to be falling out of favor with consumers.
Wi-Fi version 6 will eliminate many of the advantages that Z-Wave and Zigbee have as wireless communications mechanisms for the smart home. However, there is one significant disadvantage that will not be eliminated: the ability of hackers to exploit vulnerabilities in Wi-Fi devices.
There is a constant battle between manufacturers trying to maintain the security of their devices and hackers trying to locate vulnerabilities they can exploit. There are too many cases of vulnerabilities being found in IoT devices.
For example, in a recent case a security researcher found that a Ring doorbell could be hacked to show faked images. Could a hacker implant a fake image and use this to gain access to a home? Not enough information has been released to really know.
Fortunately, most of these vulnerabilities get fixed before hackers have the opportunity to take advantage of them, but that isn’t always the case. With smart outlets being sold for less than $10 and smart cameras for under $20, a buyer is left wondering how much effort and expense has gone into making these devices secure, and whether firmware updates will be made available down the road to address vulnerabilities that are found.
The Advantage of Smart Hubs in Cyberattacks
Z-Wave and Zigbee devices have a distinct advantage: they aren’t exposed to the homeowner’s network. Instead, they are hidden behind the smart hub. Because of this, they are much more difficult (I would never say impossible) to hack. This is why I think it is a mistake that Amazon and Google have taken the direction of focusing on integrating with Wi-Fi smart devices. It simply reduces the security of the smart home.
Even if every light switch, outlet, and thermostat in a smart home communicated with Zigbee or Z-Wave to a smart hub there would be plenty of other smart devices that are connected to a home’s Wi-Fi network. These include smart cameras, streaming media players, TVs, smart appliances, and the list goes on. Each of these is a potential target for a hacker.
With this as background, the question becomes, “What is the responsibility of the integrator that has recommended and installed these devices if one gets hacked and the homeowner is in some way damaged?” Imagine a “nanny cam” in a child’s room being hacked and the video turning up on a child porn site. The parents would, with reason, be enraged. The manufacturer, very possibly in China, would be a target for that rage. However, trying to sue a Chinese manufacturer after clicking on a waiver written by a team of lawyers that is countless pages long would be problematic. With that manufacturer out of reach, their blame could fall on the integrator that installed their security camera system.
If you think that only cheap devices have vulnerabilities, you would be wrong. I recently started testing IoT devices using Bitdefender’s home scanner. This free tool will scan a network and look for vulnerabilities in all the devices it finds. As an example, the following vulnerabilities were found in a surround sound receiver (running the manufacturer’s latest firmware) from a well-respected manufacturer:
- Privilege escalation vulnerability detected on http
- Memory corruption vulnerability detected on http
- Arbitrary code execution vulnerability detected on http
- And more
Why Integrators May Be Liable for IoT Hacks
I consulted with an attorney about the potential liability of a technology integrator that sells and installs a device with vulnerabilities in a customer’s home. He agreed that if, at the time of the sale, the tools for an integrator to know about the vulnerabilities were readily available and using a tool would have shown the existence of the vulnerability, then the integrator, as an expert in technology, should have done the proper due diligence, investigated the product they were offering for sale, and made the customer aware of the vulnerability and risk. If the integrator didn’t do this, then they could be found negligent and held liable for damages.
Most owners of a smart home will accept the risk of adding more and more Wi-Fi smart devices into their homes because they just don’t believe they are a lucrative enough target for a hacker to spend time on. But the time will come when automated hacking tools will make everyone a target.
Keeping light switches, thermostats, outlets, and similar devices on a Z-Wave or Zigbee network instead of on Wi-Fi will still leave plenty of devices for a hacker to attack. But as a numbers game, the lower the number of devices directly attached to the home’s network, the fewer targets there are, and the fewer the better. It is a shame that companies like Amazon and Google aren’t looking out more for the homeowner with their technology decisions.
For more from Jay Basen, visit his blog, Topics in Home Automation.