Security in the Smart Home
Security in the Smart Home is an important topic.
Security concerns include the danger that the private home and personal life become visible on the internet, not only to hackers but also to energy suppliers or other organisations gathering intelligence. People are also concerned that attackers may turn their lights on or off or even unlock their door, enabling burglars to get into the house.
General information about security and typical attacks
In general, security in information technology means protection against the following kinds of attack:
- A third party gets access to private data
- A third party can act on behalf of the attacked person
- The information technology functions are made unavailable to the user, usually referred to as Denial of Service.
There are two common methods to protect data that is exchanged in public networks such as the internet:
- Encryption of data
- Authentication & Authorization
Encryption and replay attacks
Controlling actions in a Smart Home only uses small data packets, compared to the large packets with private content exchanged in general information technology. The content of these packets is even standardized, and therefore there is not much to hide.
Encrypting this already known data does not provide any further security against attacks. An attacker need not invest time and effort in decrypting a packet whose content he most likely already knows.
The real threat is that an attacker captures the packet and resends it at the wrong moment. If the attacker can relate the captured packet to a visible action in the house (e.g. opening a door), this becomes either a dangerous or an annoying attack method. In such an attack it is irrelevant whether or not the data were encrypted.
An attack that captures a digital signal and re-transmits it after some time is called a replay attack and cannot be prevented by encryption.
The only way to protect Smart Homes from replay attacks is to use one-time keys that change with every transaction. In this case the captured packet is worthless because the key authorizing the command becomes invalid, either after its use by the authorized sender or after some time.
The one-time password or key is referred to as a nonce. It is the same technique that is used to protect online banking transactions.
There the nonce is called a TAN (transaction authorization number).
Using a TAN or a nonce effectively protects data communication from replay attacks.
However, there are other ways to attack a connection:
- The way nonces are created is known. In this case the attacker can recreate the nonce for his attack. This threat can be compared to a public TAN generator for banking transactions.
- The nonce is intercepted and does not reach the party it was sent to. In this case an attacker can use the nonce within its validity period to authorize a malicious packet by claiming to be the authorized sender. This attack is also known as a Man-in-the-Middle attack. To counter it, the legitimate sender must additionally be authenticated. The PIN/TAN approach is an implementation of this for online banking.
Nonces give the best protection if they do not depend on each other at all, i.e. they are randomly generated every time they are used. This provides very good protection of the communication but creates the need to transport the nonce, generated by the receiver, to the transmitter. It is possible to transport the nonce the same way the real data is transported if, and only if, the communication is sufficiently encrypted. Since the nonce is transported only once, there is no chance for a replay attack. The encryption does not even have to be very strong: it is sufficient to delay the attacker's possible use of the nonce until the moment the legitimate transmitter has used it. After this moment the nonce is invalid and useless.
Another well-known attack method is the so-called Denial-of-Service attack. Here the goal of the attacker is not to get access to private data or to act on behalf of the attacked person, but to suppress any successful communication. Denial-of-Service is a destructive attack method.
In wireless communication it is impossible to have 100% protection against Denial-of-Service attacks. This is true for all wireless control of a Smart Home, but also for cell phone and WLAN traffic.
The higher protection against Denial-of-Service is an often-cited argument for wired communication in a Smart Home. The argument is valid but incomplete, since mobile phones and WLAN internet are widely used wireless communication methods that are equally vulnerable to Denial-of-Service.
The reason is quite simple: it is equally easy to build a Denial-of-Service attack against WLAN or cell phones, but the fun and the benefit for the attacker are limited. It neither allows a public spectacle (like switching off devices in a whole street) nor provides any tangible advantage like getting into a home.
Further aspects of wireless security
Another inherent protection against Denial-of-Service and Man-in-the-Middle attacks is the limitation of wireless range.
Z-Wave, as an example, does not even use the maximum allowed transmitting power of 25 mW but sends out signals with only a few mW. The wireless range outside the house is therefore limited to about 100 m. The lower wireless range of Z-Wave is compensated by the capability to use devices as routers. A high transmitting power increases a wireless technology's vulnerability to attacks. If the signal does not reach far beyond the home, an attacker needs to be close to the home to perform the attack.
Last but not least, an important part of the security discussion in wireless networks is the cost/benefit ratio. The often-cited Chinese hacker who gets access to the energy consumption data of a washing machine in a German household is simply not a very meaningful scenario. A hacker 1000 km away does not have any tangible benefit from hacking into a home's infrastructure.
He will invest his criminal energy in more profitable projects like hacking the same person's bank account. Being in front of a home gives more options for attack, but even here a stone is cheaper and easier to get than complicated jamming electronics, not to mention the fact that the knowledge of how to throw a stone is easier to obtain than the knowledge of how to build a jamming transmitter.
The security concept of Z-Wave
The security system of Z-Wave is based on three layers:
All data in a Z-Wave communication is encrypted. However, the line encryption is published and easy to break: a simple logic analyzer for a few thousand dollars plus proximity to the target is sufficient to break this level of protection.
In Z-Wave, commands are only accepted from known nodes within the own network (inclusion of sensitive devices is encrypted, so we already have three levels of protection). An attacker that wants to send an unauthorized command to a given Z-Wave node must imitate the behavior of a device existing in the network. This is technically possible but requires some solid knowledge about Z-Wave that goes well beyond that of a normal attacker.
Z-Wave has another, very comprehensive nonce-based security layer that uses AES (Advanced Encryption Standard, recommended and used for secure transactions by the US federal government) as its encryption standard. Nonces are generated randomly and expire shortly after being sent from the receiver to the sender to authorize a command. If implemented correctly, this security architecture cannot be successfully attacked with contemporary knowledge. Due to the necessary exchange of a nonce prior to any communication, the Z-Wave security architecture creates some communication overhead. Therefore the use of this architecture is only mandatory for security-related devices like door locks, alarm system arm/disarm controllers or roof window openers.
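The following is an added example, not code from the original page and not Z-Wave's own implementation: it models the nonce exchange described in the replay-attack section and in the nonce-based Z-Wave layer above. The controlled device (a door lock) hands out a random, short-lived nonce; the sender returns the command together with an authentication tag computed over nonce and command with a shared key; the device accepts the command only if the nonce is still outstanding (unused and not expired) and the tag verifies. HMAC-SHA256 from the Python standard library stands in for the AES-based authentication the page mentions, and the frame layout, the key, the 8-byte nonce length and the 3-second validity period are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared key for the example; in a real system it is established
# when the device is included in the network.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
NONCE_LEN = 8        # bytes of nonce (assumed)
TAG_LEN = 32         # HMAC-SHA256 output length
NONCE_TTL = 3.0      # seconds a nonce stays valid (assumed)


class Receiver:
    """The controlled device, e.g. a door lock. It issues nonces and accepts
    a command only if it carries a valid tag over an outstanding nonce."""

    def __init__(self, key, ttl=NONCE_TTL, clock=time.monotonic):
        self.key = key
        self.ttl = ttl
        self.clock = clock          # injectable so the example can fake time
        self.outstanding = {}       # nonce -> time it was issued

    def get_nonce(self):
        # Random nonces are independent of each other, so knowing earlier
        # ones gives an attacker no way to predict the next one.
        nonce = secrets.token_bytes(NONCE_LEN)
        self.outstanding[nonce] = self.clock()
        return nonce

    def receive(self, frame):
        """Frame layout (assumed): nonce || command || tag.
        Returns (accepted, command-or-reason)."""
        if len(frame) < NONCE_LEN + TAG_LEN:
            return False, "malformed frame"
        nonce, command, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
        issued = self.outstanding.get(nonce)
        if issued is None:
            # Never issued (forged) or already consumed (replayed frame).
            return False, "unknown or already used nonce"
        if self.clock() - issued > self.ttl:
            del self.outstanding[nonce]
            return False, "expired nonce"
        expected = hmac.new(self.key, nonce + command, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # Sender does not hold the key: not authenticated. The nonce stays
            # outstanding so the legitimate sender can still use it in time.
            return False, "bad authentication tag"
        del self.outstanding[nonce]     # one-time use: consume on success
        return True, command.decode()


def build_frame(key, nonce, command):
    """Sender side: authorize `command` with the nonce the receiver issued."""
    tag = hmac.new(key, nonce + command, hashlib.sha256).digest()
    return nonce + command + tag


def demo():
    """Runs the four situations discussed in the text against one lock and
    returns the receiver's verdict for each."""
    clock = [0.0]
    lock = Receiver(SHARED_KEY, clock=lambda: clock[0])
    results = {}

    # 1. Legitimate exchange: lock issues a nonce, sender authorizes "unlock".
    n1 = lock.get_nonce()
    frame = build_frame(SHARED_KEY, n1, b"unlock")
    results["legit"] = lock.receive(frame)

    # 2. Replay: the same captured frame is sent again a second later.
    clock[0] += 1.0
    results["replay"] = lock.receive(frame)

    # 3. Late command: the nonce was issued but the frame arrives after the TTL.
    n2 = lock.get_nonce()
    clock[0] += NONCE_TTL + 1.0
    results["expired"] = lock.receive(build_frame(SHARED_KEY, n2, b"unlock"))

    # 4. Intercepted nonce without the key: the tag does not verify, and the
    #    legitimate sender can still use that nonce afterwards.
    n3 = lock.get_nonce()
    results["no_key"] = lock.receive(build_frame(b"wrong-key", n3, b"unlock"))
    results["legit_after"] = lock.receive(build_frame(SHARED_KEY, n3, b"unlock"))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

The example uses an injected clock so the expiry case runs instantly; with the default `time.monotonic` the same logic applies to real elapsed time. Step 2 shows why the captured packet is worthless even though its content is known, and step 4 shows why the nonce alone is not enough: the sender must also prove it holds the shared key.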
Cost of security
In Z-Wave the encryption of data messages is done by the hardware: the Z-Wave transceiver has an AES encryption core embedded. Encryption itself therefore introduces no further delay and only minimal extra power consumption. The real cost is the latency introduced by the nonce exchange described above.