4 Reinforcing the security of wireless communications: the case of smart locks


Start-Up Creation



arguably improving the overall user experience for a secure and comfortable smart home. Virtually all smart lock products offer a very straightforward installation process: the smart lock simply replaces the current deadbolt lock, making it a very attractive product even for customers who do not wish to employ a professional technician.

Most products look like normal locks (ie, they offer the option to use a normal key) but provide electronic methods that replace the need for a physical key. Others give your door a more futuristic look by requiring a touch to initiate the authentication procedure or, in some cases such as the AUGUST Smart Lock,[2] by using the wireless connection to detect whether the owner is standing in front of the door and unlocking it automatically. They let you send electronic keys to your friends that work only during times that you specify. Some will even connect to your larger home automation system, telling your smart thermostat when you're away so it can enter its energy-saving mode.

Regardless of the different features provided, existing products rely upon the built-in protective features of BLE (also known as Bluetooth 4.0 or Bluetooth Smart). BLE's built-in security features are claimed to use the same security protocols as those in online banking. What that essentially means is that anytime your smartphone is communicating with your smart lock, 128-bit AES encryption is used. Although 128-bit AES encryption is considered the lowest level of encryption used by government agencies in the United States, it is still good enough for real-life scenarios. Keep in mind that the highest level of encryption used by government agencies in the United States requires 192- or 256-bit AES encryption.

An important aspect of BLE security is how each user or digital key is authenticated. Unlike Bluetooth version 2.1, the latest version does not actually require two devices to initially pair with each other. So the more common Bluetooth-based attacks like Bluejacking, Bluesnarfing, or Bluebugging are a nonissue. In addition, BLE introduces adaptive frequency hopping, which splits encrypted data and transmits it across the 2.4 GHz spectrum.

In order to further improve the security of wireless communication, UNIKEY[3] totally replaces BLE's security protocol and introduces a public-key infrastructure system to authenticate users. In their product, every communication between the smartphone and smart lock is a unique transaction. So even if someone were able to overhear the wireless communication containing the key, they wouldn't be able to use it again. As a second step to further improve security, UNIKEY provides a wireless system on both sides of the door, thus letting the smart lock understand whether the user is on the inside or the outside. Essentially UNIKEY eliminates any false unlocks.
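The "unique transaction" property described above can be illustrated with a one-time challenge and response. This is an added example, not UNIKEY's protocol or code: it uses an HMAC over a shared key as a stand-in for the public-key signatures the text mentions, and the names `Lock`, `phone_response` and `demo` are hypothetical.

```python
import hashlib
import hmac
import secrets


class Lock:
    """Lock side: issues one-time challenges and verifies the phone's answer."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = set()          # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def unlock(self, nonce: bytes, tag: bytes) -> bool:
        # Unknown or already-used challenge: reject before any crypto check.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)   # single use, even if the tag is wrong
        expected = hmac.new(self._key, b"unlock|" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def phone_response(key: bytes, nonce: bytes) -> bytes:
    """Phone side: authenticate this specific challenge."""
    return hmac.new(key, b"unlock|" + nonce, hashlib.sha256).digest()


def demo() -> dict:
    key = secrets.token_bytes(32)      # constructed key, provisioned out of band
    lock = Lock(key)

    nonce = lock.new_challenge()
    tag = phone_response(key, nonce)   # the bytes an eavesdropper could record
    first = lock.unlock(nonce, tag)
    replay = lock.unlock(nonce, tag)   # the same bytes sent a second time

    # A recorded answer does not fit the next challenge either.
    stale = lock.unlock(lock.new_challenge(), tag)
    return {"first": first, "replay": replay, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

Because the lock discards each challenge after one attempt, the recorded response is useless both against the old challenge and against any new one.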

A different approach is followed by AUGUST Smart Lock.[4] Unlike UNIKEY's product, it handles communication between the lock and a permissioned smartphone over Bluetooth. However, the smart lock never communicates with a cloud server, or even the Internet. Authentication is handled through the smartphone and the accompanying AUGUST smartphone application. AUGUST owners can also grant permission or deny access through the website.

These examples demonstrate how companies are trying to address the concerns of consumers regarding cyber security. Although some scenarios exist where wireless communication security could be breached, such scenarios are very hard to reproduce.

[2] http://www.august.com/.
[3] http://www.unikey.com/.
[4] http://www.august.com/.

Apps for smart buildings: a case study on building security



19.5 The need for secure data exchange and storage



Clearly, controlling a house while away has to be done in a way that does not put the residents or the house in danger. We need to keep in mind that checking the status of the house security system from a smartphone and remotely controlling the devices involves the exchange of data between the house and the smartphone application through the Internet. Is the data encrypted throughout all the system's layers? Is the information related to the credentials for controlling the devices stored properly on the smartphone application? How easy is it to crack the application code and decode the communication protocols? Such questions are critical when connecting more home elements to the Internet, as the home environment is exposed to new attack vectors that increase the risk of cyber threats.

We also need to keep in mind that a cyber-security breach may lead intruders to understand the behavior of the residents and their patterns (eg, when they are home, and when away on vacation), putting their safety and privacy at risk. It also becomes possible for someone to turn on certain devices in order to reduce the physical security of the house and thus decrease the difficulty of entering the house. For example, consider a possibly "exotic" scenario, where an intruder can turn on the air conditioning during winter, trying to freeze and break pipes while the homeowners are away on vacation, without the intruder ever setting foot in the house. Indeed the possibilities are really only limited by the imagination and determination of the attacker.

In March 2015, Synack conducted a thorough benchmarking of 15 smart home devices ranging from cameras to home automation controllers (Synack, 2015). The researchers examined the scenario where the smartphone of one of the home residents is stolen or an attacker has a window of opportunity where he or she can control the smartphone for a short period of time (eg, for 5 min). Interestingly, they identified many products whose smartphone applications stored the corresponding passwords in plaintext or left behind nonexpiring session credentials that would give an attacker indefinite access to a user's device.
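A vendor can test its own application for the two storage problems reported above with a check like the following. This is an added example, not part of the Synack study or of any product's code: the Android-style shared-preferences layout, the key names, the `_expires_at` naming convention and the sample values are all constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the Android shared-preferences XML layout (no real app).
SAMPLE_PREFS = """<map>
    <string name="username">alice@example.com</string>
    <string name="password">constructed-password</string>
    <string name="session_token">constructed-session-value</string>
    <string name="refresh_token">constructed-refresh-value</string>
    <long name="refresh_token_expires_at" value="1900000000" />
    <string name="old_token">constructed-old-value</string>
    <long name="old_token_expires_at" value="1500000000" />
    <boolean name="notifications" value="true" />
</map>"""

SECRET_KEY = re.compile(r"(password|passwd|secret|pin)$", re.I)
TOKEN_KEY = re.compile(r"(token|session|cookie)$", re.I)
EXPIRY_SUFFIX = "_expires_at"   # assumed naming convention for this example


def audit_prefs(xml_text, now):
    """Return (key, finding) pairs for credentials stored unsafely.

    now is the current time in Unix seconds, passed in so results are repeatable.
    """
    root = ET.fromstring(xml_text)
    strings = {e.get("name"): (e.text or "") for e in root.iter("string")}
    expiries = {e.get("name"): int(e.get("value")) for e in root.iter("long")}

    findings = []
    for key, value in strings.items():
        if not value:
            continue
        if SECRET_KEY.search(key):
            findings.append((key, "secret stored in plaintext"))
        elif TOKEN_KEY.search(key):
            expiry = expiries.get(key + EXPIRY_SUFFIX)
            if expiry is None:
                findings.append((key, "session credential never expires"))
            elif expiry <= now:
                findings.append((key, "expired credential left on disk"))
    return findings


if __name__ == "__main__":
    for key, finding in audit_prefs(SAMPLE_PREFS, now=1_700_000_000):
        print(f"{key}: {finding}")
```

A clean result from such a check only covers what the application writes to its preference files; the server must still enforce the expiry it advertises.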

The benchmarking report conducted by Synack also investigated the case where the user uses the smartphone application to remotely control the house from a public WiFi network or a WiFi network that is controlled by the attacker. The malicious adversary is able to overhear the data transmitted over the wireless medium and potentially gain critical information. In fact, multiple products were identified to exchange critical information such as passwords in plaintext. Especially when a connection is made over public WiFi networks, information exchanged by these products can be easily collected even by nonexpert attackers.






In the first case investigated, it is clear that product designers should make sure that all communication uses bidirectional encryption. In the second case, the operation of the smart home and the overall security of the product become the responsibility of the user. Such an approach is clearly wrong. Products need to incorporate security as part of the design process.



19.6 The need for innovative approaches to handle data generated: the case of smart cameras



Camera sensors are certainly the most traditional equipment used to establish high levels of security for a building. Closed-circuit TV (CCTV) has become the de facto standard for video surveillance of a specific place. Being a wired-only technology, CCTV requires a certain level of wiring, especially when we wish to secure a large building.

Most security cameras are made for indoor use, so they are not weatherproof. However, some high-end products can also be used in outside environments. Some other products offer the ability to use the camera in the dark. These cameras feature night vision, so you get a clear picture of your surroundings in even the poorest light conditions. Another important feature is the ability to rotate the viewing angle of the camera in order to provide a better view of broader scenes.

During the past years, a large number of new products have been made available that replace the wired network for transmitting camera signals with wireless technologies based on the 802.11 family of protocols. The so-called smart cameras can be remotely accessed via the Internet, allowing the building owner to view a live stream from the camera wherever in the world he or she may be. This is a great step forward, since wireless networking essentially eliminates the need for wires, thus heavily reducing the total costs of CCTV camera installation.

The use of cameras within a home environment facilitates a broad range of services, from illegal intrusion detection to resident care (Demiris and Hensel, 2008). Camera sensors provide a rich source of information about the home environment with the advantage of a noncontact sensor that is convenient for both living and installation. Hence, video surveillance becomes a practical solution for smart homes. However, a downside of camera sensors is that they require human analysis of the stream in order to identify a potential alert. We also need to consider that the number of cameras that can be inspected at any given time by an individual is limited. Clearly, a large number of camera feeds challenges the cognitive capabilities of the human operator.

A variety of software-based surveillance systems have been proposed that combine a systematic architecture and algorithm pipeline for intelligent video analysis for smart homes (Zhang et al., 2015). Developing such systems entails various types of challenges. Consider that in indoor environments it is common to face sudden illumination changes. Robust behavior representation models need to be developed in order to extract meaningful context information.






Recently, new hardware products have been reaching the market that combine different sensing technologies (eg, motion sensors) with image processing techniques embedded in the hardware that are capable of identifying events of certain significance. These products are able to provide notifications at specific times when human intervention is required, in order to infer possible critical events. They also offer the ability to record while the motion sensor is detecting movement in the viewport of the camera. This means the home can capture any activity the moment it is happening, rather than the owner having to trawl through hours of footage.

Some newer products such as the NETATMO smart camera[5] introduce more advanced image processing techniques for doing face extraction. The owner is able to tag faces, attach names, and characterize them as family or friends. The camera is capable of recognizing individual family members and sending immediate notifications depending on the characterization of the people. This is a step forward from sending alerts (with video feed) when motion is detected, and reduces the number of false positive alerts generated by the camera.

The main challenge for such new products is the homeowner's ability to access the video feeds remotely. The storage of the video (especially if it is at high quality) requires significant storage capacity. Furthermore, if the storage is kept locally (ie, within the building premises) then the Internet connectivity might cause long delays for accessing the video feeds remotely (eg, ADSL is not the ideal solution for this usage scenario). If there is a need for a 24/7 monitoring service, the critical point is whether the number of alerts that require the owner's (remote) intervention can be restricted. Essentially these two features lead to a new contract-based service model that resides on the cloud.

As products for smart homes generate large volumes of sensor data, mechanisms are needed that will assist the user in handling those volumes. Interestingly, for many start-ups, the ability to capture data, analyze it, and sell the findings offers a potential monetization model.

Young companies such as CANARY[6] and WITHINGS[7] charge a monthly fee for using cloud-based resources to store video feeds for up to 30 days and to store alarms and notifications tied to specific time instances (also known as bookmarks). This approach leads to extremely competitive monthly fees.



19.7 Smart home products: a fragmented landscape



As smart home technology has advanced, traditional home security products are increasingly being ported over from analog to digital controls that offer expanded functionality and improved wireless connectivity, including integration with mobile technologies (Tankard, 2015). Numerous hardware products are already available in the market, which can be used to set up a smart building environment with emphasis on

[5] https://www.netatmo.com/en-US/product/camera.
[6] http://canary.is.
[7] http://www.withings.com.


