Tải bản đầy đủ - 0trang
4 Reinforcing the security of wireless communications: the case of smart locks
arguably improving the overall user experience for a secure and comfortable smart
home. Virtually all smart lock products offer a very straightforward installation process: the smart lock simply replaces the current deadbolt lock, making it a very attractive product even for customers who do not wish to employ a professional technician.
Most products look like normal locks (ie, they offer the option to use a normal
key) but provide electronic methods for replacing the need of a physical key. Others
give a more futuristic look to your door by requiring either a touch to initiate the
authentication procedure or in some cases like the AUGUST Smart Lock,2 the wireless connection is used to detect if the owner is standing in front of the door and
unlocks your door for you. They let you send electronic keys to your friends that
work only during times that you specify. Some will even connect to your larger
home automation system, telling your smart thermostat when you’re away so it
can enter into its energy-saving mode.
Regardless of the different features provided, existing products rely upon the
built-in protective features of BLE (also known as 4.0, or SMART). BLE built-in security features claim to use the same security protocols as those in online banking.
What that essentially means is that anytime your smartphone is communicating with
your smart lock, a 128-bit AES encryption cryptomechanism is used. Although
128-bit AES encryption is considered the lowest level of encryption used by government agencies in the United States, it is still good enough for real-life scenarios. Keep
in mind that the highest level of encryption used by government agencies in the United
States requires 192- or 256-bit AES encryption.
An important aspect of BLE security is how each user or digital key is being authenticated. Unlike Bluetooth version 2.1, the latest version does not actually require two
devices to initially pair with each other. So the more common Bluetooth-based attacks
like Bluejacking, Bluesnarﬁng, or Bluebugging are a nonissue. In addition, BLE is
introducing adaptive frequency-hopping, which splits encrypted data and transmits
it across the 2.4 GHz spectrum.
In order to further improve the security of wireless communication, UNIKEY3
totally replaces the BLE’s security protocol and introduces a public-key infrastructure
system to authenticate users. In their product, every communication between the
smartphone and smart lock is a unique transaction. So even if someone were able to
overhear the wireless communication containing the key, they wouldn’t be able to
use it again. As a second step to further improve security, UNIKEY provides a wireless
system on both sides of the door, thus letting the smart lock understand if the user is on
the inside or the outside. Essentially UNIKEY eliminates any false unlocks.
A different approach is followed by AUGUST Smart Lock.4 Unlike UNIKEY’s
product, it handles communication between the lock and a permissioned smartphone
over Bluetooth. However, the smart lock never communicates with a cloud server,
or even the Internet. Authentication is handled through the smartphone and the
Apps for smart buildings: a case study on building security
accompanying AUGUST smartphone application. AUGUST owners can also grant
permission or deny access through the website.
These examples demonstrate how companies are trying to address the concerns of
consumers regarding cyber security. Although some scenarios exist, where wireless
communication security could be breached, such scenarios are very hard to reproduce.
The need for secure data exchange and storage
Clearly the ability to control a house while being away has to be done in a way that it
does not put the residents or the house in danger. We need to keep in mind that the
ability to check the status of the house security system from a smartphone and remote
control the devices involves the exchange of data between the house and the smartphone application through the Internet. Is the data encrypted throughout all the system’s layers? Is the information related to the credentials for controlling the devices
stored properly on the smartphone application? How easy is to crack the application
code and decode the communication protocols? Such questions are critical while connecting more home elements with the Internet, as the home environment is exposed to
new attack vectors that increase the risk of cyber threats.
We also need to keep in mind that a cyber-security breach may lead intruders into
understanding the behavior of the residents and their patterns (eg, when they are
home, and when away on vacation) putting their safety and privacy at risk. It also
becomes possible for someone to turn on certain devices in order to reduce the physical security of the house and thus decrease the difﬁculty of entering the house. For
example consider a possibly “exotic” scenario, where an intruder can turn on the air
conditioning during winter, trying to freeze and break pipes while the homeowners
are away on vacation, without the intruder ever stepping foot in the house. Indeed the
possibilities are really only limited by the imagination and determination of the
In March 2015, Synack conducted a thorough benchmarking of 15 smart home
devices ranging from cameras to home automation controllers (Synack, 2015). The researchers examined the scenario where the smartphone of one of the home residents is
stolen or an attacker has a window of opportunity where he or she can control the
smartphone for a short period of time (eg, for 5 min). Interestingly, they identiﬁed
many products whose smartphone applications store the corresponding passwords in
plaintext or left behind nonexpiring session credentials that would give an attacker indeﬁnite access to a user’s device.
The benchmarking report conducted by Synack also investigated the case where the
user uses the smartphone application to remotely control the house from a public WiFi
network or a WiFi network that is controlled by the attacker. The malicious adversary
is able to overhear the data transmitted over the wireless medium and potentially gain
critical information. In fact, multiple products were identiﬁed to exchange critical information such as passwords in plaintext. Especially when a connection is made over
public WiFi networks, information exchanged by these products can be easily
collected even by nonexpert attackers.
In the ﬁrst case investigated, it is clear that product designers should make sure that
all communication must use bidirection encryption. In the second case, the operation
of the smart home and the overall security of the product becomes a responsibility of
the user. Such an approach is clearly wrong. Products need to incorporate security as
part of the design process.
The need for innovative approaches to handle data
generated: the case of smart cameras
Camera sensors are certainly the most traditional equipment used to establish high
levels of security for a building. The closed-circuit TV (CCTV) has become the
de-facto standard for video surveillance on a speciﬁc place. Being a wired-only technology, CCTV requires a certain level of wiring especially when we wish to secure a
Most security cameras are made for indoor use, so they are not weatherproof. However, some high-end products can be also used in outside environments. Some other
products offer the ability to use the camera in the dark. These cameras feature night
vision, so you get a clear picture of your surroundings in even the poorest light conditions. Another important feature is the ability to rotate the viewing angle of the camera in order to provide a better view of broader scenes.
During the past years, a large number of new products have been made available,
replacing the wired network for transmitting camera signals, with wireless technologies based on the 802.11 family of protocols. The so-called smart cameras can be
remotely accessible via the Internet allowing the building owner to view a live streaming from the camera wherever in the world he or she may be. This is a great step forward, since wireless networking essentially eliminates the need for wires, thus heavily
reducing the total costs of CCTV camera installation.
The use of cameras within a home environment facilitates a broad range of services from illegal intrusion to resident care (Demiris and Hensel, 2008). Camera sensors provide a rich source of information about the home environment with the
advantage of a noncontact sensor that is convenient for both living and installation.
Hence, video surveillance becomes a practical solution for smart home. However, a
downside of camera sensors is that they require human analysis of the streaming in
order to identify a potential alert. We also need to consider that the number of cameras that can be inspected at any given time by an individual is limited. Clearly, a
large number of camera feeds challenge the cognitive capabilities of the human
A variety of software-based surveillance systems have been proposed that combine
a systematical architecture and algorithm pipeline for intelligent video analysis for
smart homes (Zhang et al., 2015). Developing such systems entails various types of
challenges. Consider that in indoor environments it is common to face sudden illumination changes. Robust behavior representation models need to be developed in order
to extract meaningful context information.
Apps for smart buildings: a case study on building security
Recently, new hardware products are reaching the market, combining different
sensing technologies (eg, motion sensors) with image processing techniques
embedded on the hardware that are capable of identifying events of certain signiﬁcance. These products are able to provide notiﬁcations at speciﬁc times when human
intervention is required, in order to infer possible critical events. They also offer the
ability to record while the motion sensor is detecting movement in the viewport of
the camera. This means the home can capture any activity the moment it is happening,
rather than trawl through hours of footage.
Some newer products such as the NETATMO smart camera5 introduce more
advanced image processing techniques for doing face extraction. The owner is able
to tag faces, attach names, and characterize them as family or friends. The camera is
capable of recognizing individual family members and send immediate notiﬁcations
depending on the characterization of the people. This is a step forward from sending
alerts (with video feed) when a motion is detected, and reduces the number of false
positive alerts generated by the camera.
The main challenge for such new products is the homeowner’s ability to access the
video feeds remotely. The storage of the video (especially if it is at high quality) requires signiﬁcant storage capacity. Furthermore, if the storage is kept locally (ie,
within the building premises) then the Internet connectivity might cause long delays
for accessing the video feeds remotely (eg, ADSL is not the ideal solution for this usage scenario). If there is a need for a 24/7 monitoring service, the critical point is
whether the number of alerts that require the owners (remote) intervention can be
restricted. Essentially these two features lead to a new contract-based service model
that resides on the cloud.
As products for smart homes generate large volumes of sensor data, this creates the
need to provide mechanisms that will assist the user in handling large volumes. Interestingly, for many start-ups, the ability to capture data, and analyze and sell the ﬁndings offers a potential monetization model.
Young companies such as CANARY6 and WITHINGS7 offer a monthly fee for using cloud-based resources to store video feeds up to 30 days and storing alarms and
notiﬁcations to speciﬁc time instances (also known as bookmarks). This approach
leads to extremely competitive monthly fees.
Smart home products: a fragmented landscape
As smart home technology has advanced, traditional home security products are
increasingly being ported over analog to digital controls that offer expanded functionality and improved wireless connectivity, including integration with mobile technologies (Tankard, 2015). Numerous hardware products are already available in the
market, which can be used to set up a smart building environment with emphasis on