Smart home devices make everyday life easier and are now really hip. Especially since the mix of different devices and the perfect interaction with only a few or even only one central control application is really fun and makes for astonished faces at the next family get-together. It all looks so simple, and it is. Even tech-savvy, older users are embracing the convenience of using voice commands to control the lights in their smart home. And so it’s also easy to answer the question about the most sought-after smart home gadgets. Correct! Smart lamps. In the future, home automation will continue to increase. New builders are also more open to technology that makes everyday life easier and want to be up to date at all times. It therefore makes sense to have the lawn mowed by a robot in the future. He receives the command conveniently via smartwatch, among other things. But as nice and simple as smart technology is, users have to pay attention to a number of security aspects now and in the future. With just a few tips, you can make your smart home safe from hacker attacks.
"I don’t care if hackers, Google or the U.S. know when we turn the lights on and off at home via our Echo. After all, we have nothing to hide."This statement should be well known. I’m sure one or two of you have already made use of it as well. Security experts would respond to this as follows: "That’s right and also perfectly legitimate. However, hackers are not primarily concerned with this type of data. Rather, they exploit vulnerabilities in the smart speakers and devices to create a botnet. Attackers then use this network of hundreds of thousands of interconnected devices to paralyze websites or entire portals, for example, or to attack servers at universities and the like."
The issue with the secure, varying and changeable password
To prevent this, or at least to make it more difficult for hackers, it is worthwhile to use a more sophisticated password when setting up the devices. The password should also always vary and not be the same. Passwords should also be changed at least once a year. It is understandable that this takes a certain amount of time. But it is worth it!
If you buy cheap, you buy insecure
Another aspect that leads to more security for smart home devices is the look behind the scenes. Who is behind the device production? And what security protocols are used? There are providers of smart home systems who, for example, rely on recognized procedures such as AES-128 and CCM. These are security methods that are also used for online banking. Whoever equips his product with these security precautions and then gets the green light from the Association of Electrical Engineers (VDE), will also advertise with it and is far ahead in the point of security.
A secure router is half the battle
The interface to the smart refrigerator, the set-top box, the intelligent heating control, etc. is the home router. The devices communicate with each other via the WLAN network. This is also where data exchange and communication take place. If the router is outdated or contaminated with viruses or Trojans, hackers have an easy time of it. The German Federal Office for Information Security (BSI) has therefore joined forces with manufacturers to ensure greater security in the future. Technical guidelines were developed, which routers should fulfill. Among other things, this includes the possibility to provide the router with updates in order to close critical security gaps quickly and effectively. It is also strongly recommended to implement a firewall. Anyone with an older router in use should find out if it still meets the new guidelines. For this purpose, a request can also be made to the provider if a router is used together with an Internet usage contract. And a secure password is also required for the router. The following point plan also applies to this:
- 1. The default password for the router should be changed when setting up the device
- 2. It is important to ensure that the new WLAN password is at least 20 characters long
- 3. The choice of parameters should consist of a mix of large, small letters and special characters as well as numbers
- 4. An extra password should be chosen for each smart home device
If you are going on vacation and will not be at home for some time, we advise you to disconnect your router from the network.
Interpret suspicious signs correctly
If the smart home device simply switches itself off, even though no command was issued by the authorized user, then an unwanted intermediary could have interposed itself here. Acutely shortened battery life can also indicate that background processes are running that were not intended by the manufacturer in this way.
Entertainment apps on smart speakers with deceptive backdoor
To keep the smart Amazon Echo or Google Speaker happy, applications (also called skills) are increasingly multiplying. Researchers at the Berlin Security Research Labs (SRLabs) have succeeded in creating a horoscope application for Amazon’s smart home speaker, which on the one hand has a large circle of interested parties and on the other hand has also been classified and approved as "harmless" by Amazon. After the release, the researchers snuck in a bug function. This was achieved by changing the code after the release by Amazon. If users installed the skill and wanted to access it, they only received the answer: "This function is currently not available in your country". After that it became quiet. The user was told that the device was inactive. A little later, Alexa then announced that an important security update was available for the device. This command was also initiated by the researchers beforehand. If users then told Alexa to start the update and subsequently entered their password, this was transmitted to the researchers at the same time. In order to activate the interception function, even up to 2.500 terms possible. The following video clip shows how the whole thing worked.
YouTube always unlock
The researchers confronted Amazon with the security vulnerability and the internet giant immediately responded by adjusting its skill certification system. With the following tips, you can protect yourself as a user from the eavesdropping spy:
- 1. Check new apps or skills before installing and using them and disclose as little personal data as possible
- 2. Never tell the password by voice prompt to the voice assistant or mail form
- 3. "Use messages to improve recordings" and "Help develop new features" should be turned off manually in the Alexa app
- 4. If Alexa is not supposed to listen, press the microphone-off button on the housing (red light ring illuminates)
- 5. Delete Alexa search history in the Alexa app if certain information was unintentionally stored in the search history
To repurpose the Google Home speaker as a bug, SRLabs researchers didn’t even have to define a trigger word. For this, it was only enough to name a number to start the eavesdropping function. For this purpose, the researchers introduced a random number generator as a Google Action application. If the users received their random number, "Goodbye" sounded over the Google Speaker and the impression was given that it was turned off. In reality, however, the speaker then started to record everything said in the sequence. The following tips will protect you from unauthorized eavesdropping by third parties:
- 1. It is recommended to regularly delete the search history on Google Home
- 2. On myactivity.google.com everyone can see what Google knows about you / there you can also delete your own search history and visited pages ("delete activities after")
Google Home Hack in video
Always unlock YouTube
Put Amazon Echo and co away from the window
What sounds like a joke, unfortunately, is not so funny at all. Recently, researchers at the University of Michigan have managed to activate Amazon’s Alexa, Google’s Assistant and also Siri via laser beam on smart speakers and smartphones without the user being aware of it. To exploit the vulnerabilities of smartphones and smart speakers, attackers would only need to be near the devices. It is sufficient to use a 60-milliwatt laser for this purpose. In the infrared range it would be invisible even to the human eye. With this laser power, the researchers were able to address target devices from a distance of 50 meters. Such lasers are used for example in stage shows. According to the researchers, the reason for this is that the microphones of smart speakers and smartphones react to high-frequency light pulses. Over these pulsating beams, voice commands and also sound sequences could be transmitted to the target devices. The researchers do not yet know exactly why the devices react to the light effect. It is assumed that semiconductor devices are reached by the lasers, which react to them in a similar way to photodiodes. According to the researchers, there is still no sufficient protection against such attacks.
Device manufacturers therefore advise placing smart speakers out of the line of sight and away from window areas. The researchers recommended the manufacturers of the devices to protect the devices with light shields or to adapt the devices in such a way that voice input is only possible via two built-in microphones. Security products such as smart door locks should not only be connected to a smart assistant, but also rely on voice pin input in addition. However, this is a cause for concern if there are other devices listening in the smart home.