Thursday, 25 February 2016

Hack my home

Image result for home securityOur homes are difficult places to secure.  Regardless of the fanciness and expense of our defences, if someone is determined to get in, they will.  This doesn't, of course, mean that we shouldn't secure our houses.  It means that we should understand the risks and what we have to lose, then act accordingly.
My house has three especially weak links, one of which is me (I won't say what the others are).  I open the door to anyone who knocks on it without using the security chain.  I occasionally let strangers into my house without asking for ID or telling someone else what I'm doing.  This doesn't mean I'm stupid, it means that I've weighed the risks against the potential consequences and prioritised my defences alongside other concerns, quality of life and so on.  When I lived in more dangerous places, I made different choices.

Physical and operational security of one's home is fairly easy to understand.  It needs a little thought and we'd all be wise to take advice, but the most important considerations are usually the most obvious.  What's more, if someone breaks into your house, you're likely to know about it.  Something will probably be broken.  Something else will probably be missing.  We can fix what broke and replace what was stolen.

Before I move on, a couple of anecdotes about home security:

When I was a student many years ago, I lived in a rough street in a rough area of a town which was - in those days - fairly rough.  The house had a big bay window on the ground floor and since the summer was very hot, I opened that window while there were several people in the room.  There were opaque curtains and nobody could see in.  Suddenly, one of the neighbour kids leaped in through the window, saw us stating at him, looked panicked and leaped back out again.  He was presumably hoping to find the room empty and grab the first thing he could get his hands on.  We didn't open the window after that.

Another time, I answered the door to another neighbour kid.  He asked if I had a bicycle pump he could borrow.  As it happened, I did have a pump but as I was about to say so, I realised that he was casing the joint.  He was trying to find out if we had bikes so he could come back later to steal them.

These kids were around 8 years old and came close to defeating our 'security' through very simple but undoubtedly often effective means.  Think how much more vulnerable we'd have been if they had been seasoned adult thieves instead of opportunistic children.

The physical threats to our homes are largely straightforward.  Where they are not, easily-implemented policies can be employed to defend against most of them. It's harder to evaluate the risks and come up with a security system that balances security against the other important factors.  It's harder still to re-evaluate the environment and keep our security systems up to date.  This is one of the reasons elderly people are often targeted for doorstep (and other) scams.  The world has changed a great deal in their lifetime and they haven't necessarily noticed those changes, since they were gradual.  Strangers exploiting old-fashioned courtesy used to be rare and the risk of helping people was lower than it is today.

Securing our homes against network attacks is a lot harder for a variety of reasons.   One of the most important is complexity.  Most people don't understand where the vulnerabilities in our networks lie.  Perhaps the (good) message about password security has been stressed so often that we've lulled ourselves into a false sense of security; we think we're safe as long as we have good passwords when in fact there's a lot more to worry about than that.

One of the most important is the same as with physical security: change. Many of us have moved from perhaps a single computer connected to a dial-up modem by a wire to a house full of wireless devices with a broadband connection.  These devices have changed, too.  First they started to look like phones or tablets.  Now they can look like anything.  Light bulbs, alarm clocks, ovens, even kettles can be computers connected - via our home networks - to the internet.  We call this the Internet of Things (IoT).

One of the main problems of the IoT is that the computers connected to it don't like computers.  They look like consumer products.  We're not used to thinking of consumer products as a security risk.  We plug them in and they work.  But if our alarm clocks are connected to the internet so they can wake us up early if the traffic is bad, then they - and therefore the rest of our networks - might be vulnerable to attack.  We don't see what's going on behind the scenes, we see a consumer product like any other.

The second main problem is that in many cases, the security of IoT devices has been an afterthought at best and there are numerous vulnerabilities that could be exploited by an attacker.  You might not worry too much if a stranger starts turning your lights on and off from the other side of the world, but you might if the attacker could use your smart bulbs as an entry point to your network.  You should definitely worry if hackers could enter your network via your insecure smart kettle and turn on the webcam on your laptop or access your network storage drive.  Especially since, unlike a telltale broken window, it might not be at all obvious that anyone malicious was ever there.

It's wrong, however, to blame the IoT for all security problems.  By far and away the biggest threats to our home networks come from our routers.  Routers are the devices, usually installed by our ISPs, which connect on one side to the internet and on the other (usually wirelessly, these days) to our various devices.  They are the core of our networks and therefore a highly prized target for hackers.  

Worryingly, they are also very often distressingly easy to compromise.  Lots of routers (including two in wifi range of where I'm sitting right now) use the default manufacturer password.  Many use out-of-date firmware with known security holes.  Many have WPS turned on by default.  This is a technology that uses PINs instead of passwords to allow easy connection of devices. PINs are much more susceptible than passwords to brute force attacks and in many, many cases, the algorithm that generates PINs on a particular router is known, making it easier still for hackers to gain access.

Attacks like these are analogous to a burglar entering a home or a creepy person installing hidden cameras while we're out.  But there are attacks that are more similar to the doorstep con, where a con artist gains access to someone's house or personal data under false pretences.  We know about phishing scams, where we're led to believe that our bank wants us to enter our security details at a conveniently supplied link.  But we often underestimate how sophisticated these attacks can be.  This is especially true these days when vast amounts of data about us are available to anyone who wishes to buy it.  Phishing scams can be very specifically tailored toward individuals with hardly any effort at all.

We know that we shouldn't open attachments unless we're sure they're safe, but we all make false assumptions from time to time about what 'safe' means.  For example, my friends know that I have a background in security and a tinfoil-hat-level interest in privacy, so they might reasonably assume that any attachments I send them are legitimate and safe.  However, none of my friends ever check that the email is really from me before opening attachments.  Even if they did, I might be even more lazy and incompetent than they already think I am and my computer might be infected with malware that sends out plausible-looking malware to my contacts.

To put it more succinctly, there's a lot to be worried about regarding our home networks, even if we know what we're doing.

Here's a BBC article on exactly this sort of thing.  It documents some (white hat) hackers demonstrating how they could easily gain access to a network- connected camera on the journalist's network. The journalist seems fairly tech-savvy but still had numerous holes in his network.  The last line of the article is important:
Now I'm not sure if I am more secure, or just more paranoid.
And that's the take-home point.  You'll never know whether your network is secure.  You won't have the time and resources to keep it as cast-iron secure as possible and if you do devote superhuman effort to doing so, at best won't be able to use your devices for the things you want to use them for.

That's why we need to learn how best to evaluate risks and consequences and to practice good operational security, just as we try to when protecting our physical spaces.  It isn't easy, but it's all too often neglected in articles about home network security.  We should change this.

No comments:

Post a Comment