Security Magazine

Study Shows How Burglars Could Hack Smart Sprinkler to Disable Alarm

December 13, 2018

A new study by computer scientists at William & Mary shows how burglars could potentially break into houses through smart home devices.

William & Mary computer scientists Adwait Nadkarni and Denys Poshyvanyk tested the security of a number of smart home products and found many significant vulnerabilities. Some vulnerabilities were serious enough, Poshyvanyk said, that they may require smart home platforms, such as Google’s NEST, to rethink the way devices interact in the home.

The researchers are working with platform vendors like Google NEST and Philips Hue, as well as app developers and manufacturers like TP Link, to harden the platforms and increase safety for consumers.

“You don’t think of your light switch and go ‘Oh, this is a security-sensitive device,’” said Adwait Nadkarni, assistant professor of computer science at William & Mary, and primary investigator and co-author of a recent study on smart home security systems. “Millions of dollars have been put into devices like security cameras and door locks to make them impenetrable, but people haven’t paid the same attention to low-integrity devices such as light switches. Logically speaking, there shouldn’t be a way for a message to go from a light switch to a security camera, even indirectly. However, that’s not always the case, which is the crux of the issue we have here.”

Their paper, “A Study of Data Store-based Home Automation,” has been accepted to the ACM Conference on Data and Application Security and Privacy (CODASPY) and will be presented in Dallas in March. Other co-authors on the paper include William & Mary C.S. Ph.D. students Kaushal Kafle and Sunil Manandhar, as well as C.S. post-doctoral fellow Kevin Moran.

“One of the key things that attracted us to this topic is that you’re not only worried about the more traditional privacy and integrity-related attacks,” Nadkarni said. “You’re worried about the users’ physical safety.”

Nadkarni, Poshyvanyk and their graduate students evaluated the security of two popular smart home platforms, Google’s NEST and Philips Hue. Both systems, as well as many other smart home platforms, operate using a centralized data store. The data store serves as a kind of switchboard, which apps and devices use to communicate with each other over the internet.

The problem, Nadkarni and Poshyvanyk explained, is that a data store-based system provides hackers the ability to access all devices in the home, from light switches to security alarms. An adversary can compromise one low-integrity product, like a sprinkler or a third-party lighting app, and modify a data store variable that another high-integrity product, such as a security alarm, depends on. This can have a whole host of unwanted consequences.

“What we often find in these types of evaluations is there isn’t one easy solution,” Nadkarni said. “The challenge comes in having to look at the environment as a whole, when there isn’t exactly one main problem or flaw. What you see here with smart homes is a systemic failure, many different bits and pieces coming together to create these flaws.” 

For example, an adversary may compromise a light switch app and modify a variable that makes the security camera turn off when a burglary is in progress. Such an attack is called a lateral privilege escalation, in which an attacker uses a low-integrity device to compromise any high-integrity devices that connect to the same smart home.

“There is so much you can do as a hacker in the context of this system,” Poshyvanyk said. “It’s a design issue, which means the system basically needs to be redesigned for it to be fully protected. For software developers, this centralized data store solution is very easy to implement, so that could be one of the reasons why it was part of the original design. It’s a very straightforward, simple implementation, but we can see that it’s ineffective from a security point of view.”

The researchers identified ways an acquaintance can burglarize a smart home-enabled house without being detected. The burglar only needs access to the same public internet network (like connecting to the same Starbucks Wi-Fi) as the homeowner to temporarily disable the smart home’s security system.

Poshyvanyk and Nadkarni successfully executed such an attack using a NEST smart home system set up in their IoT lab. They changed the system’s settings to indicate the owner was home when they were not, thereby disabling the security camera. The researchers quickly alerted smart home companies to the vulnerability. TP Link’s Kasa switch, which was a stepping stone in performing the attack, has since been updated, preventing the specific instance of the attack described in the study.
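The data-store weakness described above, where a low-integrity app can modify a variable (such as the home/away state) that a high-integrity device depends on, can be audited mechanically from a permission map. The following Python code is an added example, not code from the study or from any vendor; the app names, variable names and two-level integrity model are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

LOW, HIGH = 0, 1  # assumed two-level integrity model


@dataclass
class App:
    name: str
    integrity: int
    writes: set = field(default_factory=set)  # data store variables it may modify
    reads: set = field(default_factory=set)   # variables its behaviour depends on


def escalation_paths(apps):
    """List (low_app, variable, high_app) triples in which a low-integrity
    writer can influence a high-integrity reader through a shared variable."""
    paths = []
    for writer in (a for a in apps if a.integrity == LOW):
        for reader in (a for a in apps if a.integrity == HIGH):
            for var in sorted(writer.writes & reader.reads):
                paths.append((writer.name, var, reader.name))
    return paths


def harden(apps):
    """Return a copy of the permission map in which low-integrity apps lose
    write access to every variable a high-integrity app reads."""
    protected = set()
    for a in apps:
        if a.integrity == HIGH:
            protected |= a.reads
    return [
        App(a.name, a.integrity,
            a.writes - protected if a.integrity == LOW else set(a.writes),
            set(a.reads))
        for a in apps
    ]


# Constructed sample permission map (hypothetical names, not a vendor schema).
SAMPLE_APPS = [
    App("light_switch_app", LOW, {"light.on", "home.away"}, {"home.away"}),
    App("sprinkler_app", LOW, {"sprinkler.schedule"}),
    App("security_camera", HIGH, {"camera.streaming"}, {"home.away"}),
]

if __name__ == "__main__":
    for path in escalation_paths(SAMPLE_APPS):
        print("low-integrity %s can write %s, which %s depends on" % path)
    print("paths after hardening:", escalation_paths(harden(SAMPLE_APPS)))
```

The audit flags the light switch app because it may write the same variable the camera reads; after hardening, the low-integrity app keeps only the writes that no high-integrity device depends on.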

Poshyvanyk says these kinds of vulnerabilities come with the territory. He places blame on the industry as a whole, not any individual company. Tech companies today are all in a race to be first to release a new product -- and that often comes at a price.

“I’m afraid market pressure is the driving force here,” he said. “The problem is manufacturers race to release these systems without having a good understanding of how they will be used in the wild. Users do things the companies did not expect them to do, because that’s how users are. It’s kind of a chicken and egg problem. You don’t know until it’s too late.”

KEYWORDS: cybersecurity hackers Internet of Things smart home

Copyright ©2025. All Rights Reserved BNP Media.