Even encrypted home automation systems say a lot about you!
July 25, 2014 - Regulating heating systems to save energy, adjusting lighting levels based on the time of day, watering houseplants automatically, raising or lowering blinds at the required times... the benefits of today’s smart home automation systems are numerous and becoming increasingly popular. However, studies by Christoph Sorge and his research team at Saarland University show these wireless systems also pose a security risk.
By Anthony Capkun
“Many of the systems do not provide adequate security against unwanted third-party access and, therefore, threaten the privacy of the inhabitants,” said Sorge, an expert for IT security, data protection and encryption technology (photo © UdS).
For the purposes of their study, researchers took on the role of a malicious attacker. “Using a simple mini-PC—no bigger in size than a packet of cigarettes—we eavesdropped on the wireless home automation systems (HASs) of two volunteers, and were thus able to determine just how much information a conventional wireless HAS reveals about its user,” explained Sorge.
No other information about the users was available to the research group. The result? “Non-encrypted systems provide large quantities of data to anyone determined enough to access the data, and the attacker requires no prior knowledge about the system, nor about the user being spied on,” said Sorge.
“The data acquired by the attacker can be analyzed to extract system commands and status messages, items which reveal a lot about the inhabitants’ behaviour and habits. We were able to determine absence times and to identify home ventilation and heating patterns,” explained Sorge. The analysis enabled the research group to build up profiles of the inhabitants.
Even systems that use encryption technology can supply information to third parties: “The results indicate that, even when encrypted communication is used, the number of messages exchanged is enough to provide information on absence times,” said Sorge. Potential attacks can be directed against the functionality of the system or the privacy of the inhabitants. “An attacker with malicious intent could use this sort of information to plan a burglary,” Sorge concluded.
“A great deal still needs to be done to make wireless home automation systems secure. Improved data encryption and concealment technologies would be an important step towards protecting the privacy of HAS users,” Sorge concluded.