Smart home hubs give hackers a chance to know when homes are empty, change alarm settings and break in, putting families in danger of cyber and physical attacks.

A security research firm has found that three top-selling smart home automation hub products available on Amazon put households at risk, allowing hackers to take control of smart home functionalities.

The company uncovered zero-day flaws, meaning that the security vulnerabilities were also unknown to the devices' vendors themselves.

Tripwire’s Vulnerability and Exposure Research Team (VERT) found that hackers could get into a smart hub's system and identify when people are out of their home, change alarm settings, open locks without authorisation, access local area networks and use the smart hubs for DDoS purposes.

Jason du Preez, CEO of Privitar, told CBR: "We are now in a world where potential privacy harms can have devastating effects. People need to be aware that any information shared, implicitly or explicitly, could fall into the wrong hands.

"We should think carefully about which services we use, who we share with and how we express our preferences. We need to think carefully about transacting with organisations that cannot prove they have the right governance, controls and systems in place.

"If users are to have any confidence that their private information will remain private, companies need to think very seriously about how they protect and anonymise user’s data."

Tripwire added that two out of the three vendors have patched these reported flaws but warned that one vendor’s smart home system remains at risk.

Lamar Bailey, director of research and development at Tripwire, said: "These devices can also be used as a gateway to inflict physical damage to a home, and, in many cases, they actually make homes less secure.

"For example, many of these devices interface with heating, ventilating and air conditioning controls. An attacker could turn off the heat on a freezing cold night while a family sleeps or worse, when the family is away for the weekend, causing pipes to freeze and burst."

To address security issues and other areas of the IoT sector, the Transaction Processing Performance Council (TPC) has created a Working Group (TPC-IoT) to build industry-standard benchmarks for both hardware and software platforms associated with IoT.

The council said that as the number of interconnected platforms continues to multiply, vendors and customers increasingly require an impartial means of comparing performance, cost-of-ownership and energy consumption across a widening array of hardware and software systems.

Rob Miller, senior security researcher at MWR, told CBR: "Due to the wide-ranging design and use of IoT solutions, there has yet to be a standard for security released that everyone in the industry can agree on. Standards should ideally form a foundation of good security practices that give developers a baseline to build against and consumers a degree of confidence.

"Any standards released for IoT will have to walk a tight line of staying broad enough so that they can be included by all IoT vendors, but strict enough that they still offer a level of effective measurements.

"Standards that try to cover all IoT from home automation alarms through to mass smart city monitoring solutions run the risk of producing rules so abstract that a developer could misinterpret them, or worse produce devices that tick every box without ever adding real security."

Raghunath Nambiar, distinguished engineer at Cisco and chairman of the TPC-IoT Working Group, said: "The formation of this Working Group is the first major step in bringing industry and the research community together – to develop a set of standardised workloads and metrics – which enable fair comparisons across technologies and products."

CBR contacted Tripwire to ask which three smart home hubs had been tested, but the company was unavailable for comment at the time of publication.