A new study by computer scientists at William & Mary shows how burglars could potentially break into houses through smart home devices.

William & Mary computer scientists Adwait Nadkarni and Denys Poshyvanyk tested the security of a number of smart home products and found many significant vulnerabilities. Some vulnerabilities were serious enough, Poshyvanyk said, that they may require smart home platforms, such as Google’s NEST, to rethink the way devices interact in the home.

The researchers are working with platform vendors like Google NEST and Philips Hue, as well as app developers and manufacturers like TP Link, to harden the platforms and increase safety for consumers.

“You don’t think of your light switch and go ‘Oh, this is a security-sensitive device,’” said Adwait Nadkarni, assistant professor of computer science at William & Mary, and primary investigator and co-author of a recent study on smart home security systems. “Millions of dollars have been put into devices like security cameras and door locks to make them impenetrable, but people haven’t paid the same attention to low-integrity devices such as light switches. Logically speaking, there shouldn’t be a way for a message to go from a light switch to a security camera, even indirectly. However, that’s not always the case, which is the crux of the issue we have here.”

Their paper, “A Study of Data Store-based Home Automation,” has been accepted to the ACM Conference on Data and Application Security and Privacy (CODASPY) and will be presented in Dallas in March. Other co-authors on the paper include William & Mary C.S. Ph.D. students Kaushal Kafle and Sunil Manandhar, as well as C.S. post-doctoral fellow Kevin Moran.

“One of the key things that attracted us to this topic is that you’re not only worried about the more traditional privacy and integrity-related attacks,” Nadkarni said. “You’re worried about the users’ physical safety.”

Nadkarni, Poshyvanyk and their graduate students evaluated the security of two popular smart home platforms, Google’s NEST and Philips Hue. Both systems, as well as many other smart home platforms, operate using a centralized data store. The data store serves as a kind of switchboard, which apps and devices use to communicate with each other over the internet.

The problem, Nadkarni and Poshyvanyk explained, is that a data store-based system provides hackers the ability to access all devices in the home, from light switches to security alarms. An adversary can compromise one low-integrity product, like a sprinkler or a third-party lighting app, and modify a data store variable that another high-integrity product, such as a security alarm, depends on. This can have a whole host of unwanted consequences.

“What we often find in these types of evaluations is there isn’t one easy solution,” Nadkarni said. “The challenge comes in having to look at the environment as a whole, when there isn’t exactly one main problem or flaw. What you see here with smart homes is a systemic failure, many different bits and pieces coming together to create these flaws.” 

For example, an adversary may compromise a light switch app and modify a variable that makes the security camera turn off when a burglary is in progress. Such an attack is called a lateral privilege escalation, in which an attacker uses a low-integrity device to compromise high-integrity devices that connect to the same smart home.
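The shared-variable dependency described above can be modeled and audited in a few lines. The following is an added example, not code from the study or from any vendor: the two-level integrity model, the `DataStore` class, and all device and variable names are hypothetical. It shows a flat data store accepting a low-integrity write to a variable a high-integrity device depends on, the same write rejected once integrity levels are enforced, and an audit that lists such low-to-high paths.

```python
from dataclasses import dataclass, field

LOW, HIGH = 0, 1  # integrity levels (assumed two-level model)

@dataclass
class DataStore:
    """Toy centralized data store: variables shared by all apps and devices."""
    levels: dict                      # principal -> integrity level
    readers: dict                     # variable -> principals that act on it
    values: dict = field(default_factory=dict)
    enforce: bool = False             # False models the flat design described above

    def var_level(self, var):
        # A variable is as sensitive as the most trusted device that depends on it.
        return max((self.levels[p] for p in self.readers.get(var, ())), default=LOW)

    def write(self, principal, var, value):
        if self.enforce and self.levels[principal] < self.var_level(var):
            return False              # reject low-integrity write to high-integrity input
        self.values[var] = value
        return True

def risky_paths(store, writers):
    """Audit: (writer, variable, reader) triples where low integrity feeds high."""
    return sorted(
        (w, var, r)
        for var, ws in writers.items() for w in ws
        for r in store.readers.get(var, ())
        if store.levels[w] == LOW and store.levels[r] == HIGH
    )

# Constructed sample home (all names are hypothetical)
LEVELS = {"light_switch_app": LOW, "sprinkler": LOW,
          "security_camera": HIGH, "owner_app": HIGH}
READERS = {"home_state": ["security_camera"], "lawn_schedule": ["sprinkler"]}
WRITERS = {"home_state": ["owner_app", "light_switch_app"],
           "lawn_schedule": ["sprinkler"]}

def demo():
    flat = DataStore(LEVELS, READERS)
    hardened = DataStore(LEVELS, READERS, enforce=True)
    return {
        "flat_accepts": flat.write("light_switch_app", "home_state", "home"),
        "hardened_accepts": hardened.write("light_switch_app", "home_state", "home"),
        "owner_accepts": hardened.write("owner_app", "home_state", "away"),
        "low_to_low": hardened.write("sprinkler", "lawn_schedule", "06:00"),
        "findings": risky_paths(flat, WRITERS),
    }

if __name__ == "__main__":
    print(demo())
```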

“There is so much you can do as a hacker in the context of this system,” Poshyvanyk said. “It’s a design issue, which means the system basically needs to be redesigned for it to be fully protected. For software developers, this centralized data store solution is very easy to implement, so that could be one of the reasons why it was part of the original design. It’s a very straightforward, simple implementation, but we can see that it’s ineffective from a security point of view.”

The researchers identified ways an acquaintance can burglarize a smart home-enabled house without being detected. The burglar only needs access to the same public internet network (like connecting to the same Starbucks wifi) as the homeowner to temporarily disable the smart home’s security system.

Poshyvanyk and Nadkarni successfully executed such an attack using a NEST smart home system set up in their IoT lab. They changed the system’s settings to indicate the owner was home when they were not, thereby disabling the security camera. The researchers quickly alerted smart home companies to the vulnerability. TP Link’s Kasa switch, which was a stepping stone in performing the attack, has since been updated, preventing the specific instance of the attack described in the study.

Poshyvanyk says these kinds of vulnerabilities come with the territory. He places blame on the industry as a whole, not any individual company. Tech companies today are all in a race to be first to release a new product -- and that often comes at a price.

“I’m afraid market pressure is the driving force here,” he said. “The problem is manufacturers race to release these systems without having a good understanding of how they will be used in the wild. Users do things the companies did not expect them to do, because that’s how users are. It’s kind of a chicken and egg problem. You don’t know until it’s too late.”