As we learned, the protection of a smart home or building automation system can be enhanced with simple tricks. Hardening a system, however, does not mean that it is no longer vulnerable to attackers. Especially now that more and more devices are connected to the internet, it is not enough to prevent physical access to devices or cables; the system itself, including the traffic on it, has to be protected. But how does this work?
Before we jump into how a system can be protected, it is important to understand how the current technologies work. While most smart home systems work with central units that forward the telegrams, in building automation the most widely used technology is still the bus.
Central units have the advantage that an installation can be put into operation simply by configuring it. Depending on the user interface, the configuration can be a piece of cake.
Building automation systems usually do not use a central unit, which in the worst case means that each device has to be programmed individually. The advantage, however, is that once the system is fully configured, the bus installation is very reliable.
The merits of a central unit versus a bus can be debated, but regardless of the advantages or disadvantages, both systems have one thing in common: both can be attacked. So what protection mechanisms are there, besides the traditional ones?
Encryption of telegrams:
Especially with the ongoing IoT discussion and the growing demand to have every device connected to the internet, more and more telegrams are transmitted over the internet, and for radio-based media, over the air. Anyone who can reach the medium (with the right antenna for radio, or a foothold on the network for IP) can capture a telegram, modify it and make the house do what they want rather than what the owner wants. Many technologies are aware of this and already offer communication over a VPN or an HTTPS-based solution. This makes the transport more secure, but the telegram itself is still neither encrypted nor authenticated: the tunnel protects it only between the two tunnel endpoints, and wherever it leaves the tunnel it is plaintext again. In light of the recent breaches at well-known online companies such as LinkedIn or eBay, it is not unrealistic that an attacker reaches a position from which your telegrams can be read. All in all, a secured transport alone does not protect the telegram from being tampered with either.
But transmission over the internet is not the only entry point for attackers, especially if they can get physical access to the installation. This is particularly the case in commercial buildings such as hotels or shopping malls, where anyone in a large crowd can connect a device to the installation.
Therefore, the way to make the installation safe is to protect the telegram itself: encrypt it and authenticate it, so that it can neither be read nor modified without detection.
Data Secure and IP Secure:
Since 2016, an extension of the KNX technology has been available free of charge that focuses directly on security and on protecting telegrams from unauthorised intruders. The protection of telegrams is done on two levels: one for the communication inside the installation (Data Secure) and one for the communication via the internet (IP Secure). Both levels use AES with a 128-bit key, an algorithm standardised worldwide (ISO/IEC 18033-3), in an authenticated-encryption mode (CCM), so that every telegram is both encrypted and integrity-protected.
Data Secure protects the useful information in a telegram, such as 'switch', 'dim', 'open' and 'close'. The telegram is extended: the payload is encrypted, a sequence number is added and a Message Authentication Code (MAC) is appended. Because the rest of the telegram, in particular the source and destination addresses, stays unencrypted, the telegram can still be forwarded by the couplers to its destination, and it is understood there only by recipients that hold the key. The unencrypted parts are not unprotected, though: the MAC is computed over both the encrypted payload and the cleartext parts of the telegram. If anything in the telegram is modified, the MAC no longer matches the rest of the telegram, the telegram is invalid and the recipient discards it. The sequence number in turn lets the recipient reject a recorded telegram that is simply replayed later.
With these mechanisms the payload is confidential and any modification of the telegram is detected. The protection rests on the key: an intruder without the key can neither read the payload nor forge a telegram with a valid MAC.
IP Secure is designed to encrypt the whole telegram once it is transmitted via the internet (basically, when it leaves the house). When the telegram is sent out to the world wide web via a secure interface or router, that interface encrypts the entire telegram, addresses included. After the telegram has reached the secure interface at the other end, it is decrypted and passed on to its destination. This encryption of the whole telegram is likewise based on AES-128.
By encrypting the telegram on its way outside the house with IP Secure and at the same time inside the house with Data Secure, the installation is protected end to end against unauthorised access, as long as the keys stay secret. Even if a hacker gets access to the installation, whether over the internet or physically, they can neither understand the telegram nor modify it without detection.
This encryption is available here free of charge and can be used by all manufacturers, which is why we can expect a higher level of security in the world of smart homes and buildings. Furthermore, since the telegram encryption is an extension of the KNX technology, these security measures can be introduced into existing installations without replacing the whole installation: the bus wiring and topology stay as they are, and only the devices that are to communicate securely need to support the extension.
For more information on the topic of telegram encryption, have a look here.
Learn in the next article how you can put these security mechanisms into practice.