
Hue and smart-home security generally

  • 15-12-2016 9:09pm
    #1
    Moderators, Society & Culture Moderators Posts: 24,427 Mod ✭✭✭✭


    I was prompted by this post to get back to the question of how secure anybody's smart home is.

    At my place, I've a bunch of Hue lightbulbs, a HeatMiser system which is about 50% working, a disconnected (experimental) Canary security camera and a few smart plugs on the way to control the electrical input to the immersion heater and the boiler overall. At best, security appears to be an afterthought with all of these systems, where it's present at all.

    Problems are:

    1. Hue - the recent worm attack is a problem for the underlying Zigbee protocol. At the app level, in order to activate your lights from outside your home, you must either (a) expose them to the internet and risk criminals knowing everything about your lights (ransom against damage/random usage, drop-in crime when lights are off, figuring out which houses have the largest installations); or (b) log in to the Hue website and control them via that - I presume there's a secure link from the controller to the Hue site - lots of problems here anyway - what happens if the site goes down or gets hacked (see previous problem list). No idea if Hues have default embedded access credentials, bricking bugs, remotely-triggered firmware update problems etc. They probably do.

    2. HeatMiser - in 2014, a security researcher found that HeatMiser's security was crap. No idea if it's been fixed. There are similar risks to having your home heating system available over the internet as to having your home lighting available - criminals with access to presence information, house-size, geo-location, etc.

    3. Canary - bought this off the Apple website and the thing is unbelievably intrusive - it demanded my home address and telephone number (you can proceed without both, but it nags you), I think it tried to geo-ip me, it won't work with a local media server and instead uploaded all video to a server in the USA. There are so many security issues with this, I don't even know where to begin other than to ask if you'd enjoy criminals of different kinds seeing what goes on inside your house while knowing exactly where the house is. Here's an article from yesterday's Farmer's Journal on CCTV-related security problems in the farming sector. I left the Canary running for a day or two just to see whether the service was useful (it is), then unplugged it permanently. BTW, the Canary only retains the previous 12 hours or so of footage - if you want more than that, then you've to buy a $50/year subscription.

    To control the above devices, my home network is firewalled (to block random attacks from outside probably better than the Virgin Media Horizon box might do) and more directly usefully, it's providing a VPN so that when I'm not at home, my phone can connect securely to the firewall box and be persuaded to think that it's actually on the home network and I can then control heating and the other stuff via the usual mobile apps.

    At a basic level, I would recommend that nobody port-forwards from their broadband box to smart devices as they then become open to attack from outside. If they're accessible without port-forwarding, then I recommend blocking the ports on the broadband box for the same reason. If the device supplier provides a website through which you can control your devices, I recommend deleting/closing the account. Geofencing, which is supported on a few systems (I believe Nest + Canary), is a criminal's wet dream :(

    Be aware also that some devices harvest and aggregate usage data - potentially for nefarious purposes, especially if the information is leaked or hacked.

    Thoughts?