For Daniel Fulmer, cybersecurity best practices in the custom smart home integration business hit home in a big way.
Several years ago, his custom home integration company, FulTech Solutions, was the victim of a ransomware attack after the company installed a new server with older software on it. Over the weekend, as the server was installing itself, it was hacked because the older software lacked security updates.
“There was that hole that was exposed, and somebody found it,” Fulmer recalls.
That Monday, Fulmer’s work computer displayed a message from the attackers asking for $30,000 to have his data and access returned. Luckily, the server was isolated and segmented, so the company was relatively unscathed. The server was uninstalled and reinstalled with the updated software, and that was that.
However, it was a wakeup call for Fulmer, who has installed countless smart home systems consisting of complicated networks and connected devices, sometimes in the homes of very important and powerful individuals who themselves could be the targets of a cyberattack or extortion campaign.
“As a smart home installer, we’re installing a lot of this stuff that’s connected. As integrators, we’re actually opening people up to hacking by doing that. Integrators aren’t privy to the nuances of network security, so it seemed prudent to kind of start a list that would help them be able to go through and check stuff off.”
That’s why Fulmer, with the backing of the Consumer Technology Association, helped to develop a whitepaper and checklist on smart home cybersecurity. The free resources are designed to help walk smart home installers and users through important cybersecurity considerations and best practices when installing and configuring smart home systems.
The Smart Home Cybersecurity Checklist
To get a more in-depth understanding of why these specific areas are important, we went down the CTA’s checklist with Fulmer.
Passwords
Any cybersecurity expert will cite passwords and credentials as the biggest security problem in modern IT. According to password management company LastPass, more than 80% of confirmed security breaches are related to stolen, weak or unused passwords.
That’s why passwords are first on the CTA checklist of smart home cybersecurity best practices, and in Fulmer’s opinion, “the biggest problem out there.”
Consumers often reuse passwords across accounts, a big no-no in the business world, which has been migrating to more secure solutions like password managers, single sign-on, biometrics, security keys and other password-less solutions.
In many cases, users aren’t even aware that many devices like modems, routers, cameras and others come with default usernames and passwords.
Password security is so important that it appears in every single topic on the checklist. Integrators are also urged to get permission in writing for managing client passwords for all relevant systems.
Networking
Recalling when his company was attacked by a ransomware operator, Fulmer says networking security principles are what saved his company from further damage.
“VLAN is what saved my office from getting hacked,” Fulmer says, remarking that the office had a virtual network for experimenting, one for the office network, and another for testing out equipment. “If the server wasn’t on a segmented VLAN, they would have gone through the server and gotten all of our backups and everything else.”
Integrators should segment a homeowner’s networks to help insulate them if an attacker is able to compromise a device on one part of the network.
While there’s no generally agreed-upon rule for grouping devices on networks, Fulmer recommends one network for smart home devices; another network for media devices like smart TVs, Roku, and Apple TVs; another for control systems; and another for general internet access. Essentially, group like devices that are used in a similar manner.
It’s especially important to segment devices that are using vast amounts of data, like smart TVs and smart speakers. While manufacturers claim to not actively listen in on conversations and protect consumer privacy, those companies can always be compromised.
Modems and Routers
Speaking of networking, modems and routers are critical considerations when designing and installing a home network. Most new modems from internet service providers double as wireless routers, but these aren’t typically designed to be very secure, Fulmer says.
However, they can be configured to act only as a modem, which allows for a more secure third-party router to be installed and provide more control over networking capabilities.
While there are third-party modems that can be installed to replace those ISP-provided modems, Fulmer recommends against it, saying third-party modems may cause troubleshooting issues in the event of a networking problem or outage.
Integrators and users can also log into the management interfaces of both modems and routers to not only change default usernames and passwords, but also to configure stronger security protections.
In addition, networks should include a guest network, which allows guests to access the internet without having to divulge the password.
“It’s like giving out the code to the front door keypad,” Fulmer says.
Integrators can also set up homeowners with network management tools, such as the ability to block certain websites and resources to minimize exposure to malicious resources and hacking.
Zigbee, Z-Wave, Matter, Beacons, Bluetooth
For these different wireless standards, users should always take the first step of changing the default username and passwords on all control devices and software.
Most of these mesh networking protocols have some caveats to them, but they are widely regulated, so security is very much built into these newer protocols, Fulmer says.
However, each has different things integrators can do to enhance security. For example, integrators can record the unique Z-Wave home ID for all installations, as well as create unique home IDs for each home, which should be kept confidential.
Zigbee security, however, is typically handled internally by the manufacturer.
For Bluetooth devices, integrators should document all Bluetooth-enabled products to ensure all are known and can be reliably maintained for security.
A/V Components
TVs obviously don’t have interfaces that require a secure login, which makes smart TVs one of the most insecure products in the home. However, think about all of the other AV components on the network that don’t require a username or password to access.
AV receivers are on the network so users can control them remotely, but most of them don’t even have a default username or password. If they do, it must be changed.
“If they don’t, that’s something that could be on one of your VLANs,” Fulmer says. “You definitely want to put those on a VLAN with other items that don’t have logins, but not connected to anything that can be hacked.”
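As an added illustration (not part of the CTA checklist or Fulmer's own tooling), the sketch below maps a device inventory onto the segments described in the Networking section and applies the rule above that devices without logins share their own VLAN. The VLAN IDs, device-type labels, allowed flows and the sample inventory are all constructed assumptions.

```python
# Added example. VLAN IDs, type labels and the inventory are constructed; the
# grouping follows the article, plus a VLAN for devices that have no login.
VLANS = {"smart_home": 10, "media": 20, "control": 30,
         "general": 40, "guest": 50, "no_login": 60}
TYPE_TO_SEGMENT = {
    "thermostat": "smart_home", "smart_lock": "smart_home",
    "smart_tv": "media", "streaming_box": "media",
    "controller": "control", "laptop": "general",
}

# Default deny between segments; only these one-way flows are opened (assumption).
ALLOWED_FLOWS = {("control", "smart_home"), ("control", "media")}


def assign_segment(device):
    """Return the segment for one device, or None if its type is unknown."""
    if not device["has_login"]:
        return "no_login"  # kept only with other login-less devices
    return TYPE_TO_SEGMENT.get(device["type"])


def build_plan(inventory):
    """Return (plan, findings): segment -> device names, plus items to fix."""
    plan = {name: [] for name in VLANS}
    findings = []
    for dev in inventory:
        segment = assign_segment(dev)
        if segment is None:
            findings.append(f"{dev['name']}: unknown type, not placed")
            continue
        plan[segment].append(dev["name"])
        if dev["has_login"] and dev["default_creds"]:
            findings.append(f"{dev['name']}: default credentials still set")
    return plan, findings


def flow_allowed(src, dst):
    """Same-segment traffic passes; cross-segment traffic needs an explicit rule."""
    return src == dst or (src, dst) in ALLOWED_FLOWS


INVENTORY = [  # constructed sample
    {"name": "av-receiver", "type": "av_receiver", "has_login": False, "default_creds": False},
    {"name": "front-door-lock", "type": "smart_lock", "has_login": True, "default_creds": True},
    {"name": "rack-controller", "type": "controller", "has_login": True, "default_creds": False},
    {"name": "mystery-box", "type": "unknown", "has_login": True, "default_creds": False},
]
PLAN, FINDINGS = build_plan(INVENTORY)
print(PLAN, FINDINGS, sep="\n")
```

The findings list doubles as a punch list for the install: every entry is either a device that still needs a home on the network or a default password that still needs changing.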
The smart home cybersecurity best practices checklist also calls for integrators to disable or cover built-in cameras and microphones when applicable.
Many of these tools allow the user to log in and see what the voice assistant is capturing. In many cases, users can control how much the voice assistants pick up, what it saves and how it uses that data. Some third-party apps act as a secure conduit between the user and voice assistants, allowing the user to mute the speaker unless directed to listen by the third-party app.
The same can apply to manufacturers of smart TVs, who are collecting increasing amounts of data from users thanks to an increase in advertisements on these operating systems.
“For a home, that’s crazy,” Fulmer says. “All those things are doing is collecting data.”
While these companies pledge to only be using that data to sell more targeted advertisements, those companies are targets themselves due to the vast amount of data they handle.
Home Security Devices
Fortunately, the home security market has come a long way in recent years, providing built-in security protocols that Fulmer admits have made installation a bit more complicated.
“You used to just plug in a camera to a DVR and it worked. Now, with NVR and cameras, the cameras have a password that you have to enter into the NVR for each camera you’re installing,” Fulmer says.
The CTA’s list includes maintaining system policies on activation, testing and turnover, having the client change the master code and keeping it in a safe place, changing default usernames and passwords, and more.
Mobile Devices
Sometimes overlooked are mobile devices, which are often the main controller used in smart homes. Most major smart home control providers offer a mobile app, which can be accessed on a personal smartphone, a tablet, or even a dedicated smart home control panel in the home.
“Some of them could be very hackable,” Fulmer says. “You’re supplanting more ways for people to get into your system in your home.”
In fact, Android and iOS vulnerabilities are discovered quite often, leading to hackers being able to spy on users and in some cases, even take over devices completely.
Routine Updates
Although it is not a separate item on the CTA’s checklist, updating firmware and software whenever an update is available is sprinkled throughout the list.
Responsible manufacturers will have a strong security research team that routinely looks for security bugs in their products. When one is discovered either by an internal or external researcher, or a malicious hacker has discovered one leading to compromised systems, the vendor will issue a software update to patch that vulnerability.
Once the patch is published, that vulnerability becomes public, creating a race between the integrator or user applying that update and the hacker exploiting the vulnerability. If automatic updates aren’t possible, then routinely checking for product updates is recommended.
This is particularly true for networking equipment, which can give attackers a strong foothold in the customer’s network if they successfully exploit a security bug.