Home Automation Security: Is it too late?

By

In a casual conversation with my realtor friend, I learned that many upscale tract builders now include home automation to increase margin. We’ve come a long way since the X10 days.

Home automation is still a splintered industry. No end-to-end solutions exist. There are, of course, the commercial integrators targeting custom estates with project cost measured in the percentage of home values.

The value of these integrators is that these specialized vendors found various sub-systems that work well together. These solutions are often around for decades. The security works by virtue of being discrete systems interconnected via serial copper links, some with odd protocols like bit banging. These are easy to hack, but one needs physical access. We have not heard of many breaches for that reason.

Apple, Amazon Change the Game

But with Apple HomeKit and Amazon Echo, the world changed dramatically. From a vendor’s perspective, solutions such as HomeKit significantly decrease the complexity of a product. A HomeKit vendor only focuses on contributing a small part of a solution, which can be as small as a single light bulb. HomeKit brings it all together.

Some devices have built-in Ethernet or Wi-Fi interfaces, but many speak some proprietary wired or wireless protocols and use a small device called a “bridge” or a “hub” to translate to a central controller. I actually like the bridge approach. It brings many legacy players into the consumer arena with very solid solutions.

Echo and HomeKit are not the only controllers in town. There are many many other products from old dogs, such as HomeSeer, to new vendors, like Wink, popping up each day. Some are already exiting. Any of these devices can be grouped into on-prem and cloud solutions.

Home automation: On-prem or in the cloud

On-prem controllers theoretically can be deployed with air-gap. They do not need internet access other than for optional remote access and software updates, and perhaps initial licensing. Cloud controllers need internet access to work. If you lose access to the internet, devices stop working.

Complexity doesn’t end there. Since vendors came up with bridges and hubs, it does not cost them much more to add out-of-the box siloed cloud access, giving consumers an instant plug-and-play experience without the need of a controller. Consumers appreciate the ease of deployment, but need an app for each island.

Geeks like me appreciate the APIs into these bridges, which provide the same benefits as systems that used to cost into the tens of thousands of dollars.

3 Best Practices for Home Automation Security

How do we secure all of this? Because of the diversity of systems around, I cannot give a flat response. Here are some basic tips:

  1. Unique emails and passwords. First, give anything with cloud access a very secure password registered to an email account that is not used for anything else and not generally known.
  2. Secure and segment Wi-Fi access. Secure the home network very thoroughly with a strong Wi-Fi password. Add an isolated guest network for devices outside the family. This goes, of course, with solid perimeter controls, such as gateway antivirus (GAV) and intrusion prevention systems (IPS).
  3. Implement network isolation. This can be challenging. Many systems need client devices — smart phones, bridges and controllers — to all be in the same broadcast domain.For instance, HomeKit uses an Apple TV as a remote access hub to HomeKit devices within the broadcast domain.  Firewalls can be still deployed here, but in L2 bridged mode. Luckily, bridges typically use HTTPS, SSH, telnet and HTTP to communicate, in that order. Occasionally, you see some odd sockets. But, mostly, we can control them via SPI rules and apply IPS on common services. L2 segmentation is the key word here, such as Native Bridge support in SonicOS 6.5.

It will be very exciting to observe the consumer home automation industry mature — both from capabilities and security. You will hear more from us in the coming quarters as SonicWall takes a special interest in IoT.

SonicWall Staff