Smart Home and Router Vulnerability

[Part of a series helping IT Resellers understand the business opportunity of selling Smart Home devices]

Sure the image is unimaginative. Stereotypical, cliched, call it what you will, what matters is the threat is real. Today people don't need to break-in to nick your stuff. They can do it from outside. They can hack your Wi-Fi. What's more using Smart Devices could very well make it easier.

The problem is your router. And in this post I explore why, and what to do about it...

Remote access

90% UK households had internet access in 2017. Put another way that means there's a little over 24.5M routers out there.

Now, routers come as part of the ISPs (internet service providers) package, it's all part of the price. Good value but the reality is this costs. Those routers are the cheapest to do the job. And there are millions of them in use.

But does this matter as long as they work? Not if you don't care because they're cheap they'll be low spec. And not if you don't care hackers will be out to break them because being cheap means they're easy to crack.

Not top priority

Smart Plugs, Smart Radiator Valves, Smart… whatever, they're all built so you can ‘tap the app' and they work. Convenient but it means they work straight from the cloud.

Now like routers, costs matter so Smart Devices don't come with anything they don't need. Critically, they've no security protection - they don't even have the hardware to run it. If the world were benign this wouldn't matter. But it isn't and with nothing but a cheap router between you and the web, you might as well have your front door wide open. You might as well lay down the red carpet and invite the malware in.

Hackers have already attacked Smart devices. They've used CCTV cameras and printers to attack popular websites. The University of Mitchigan with Microsoft hacked a popular Smart Home platform. They found they could set off connected smoke alarms at will. And could plant a "back door" PIN into a Smart Lock.

Security problems with Smart Home devices aren't made up – they're very real.

What's the problem with cheap routers?

There are three issues with cheap routers. Things that could mean you've real security problems on your hands. First, does yours use the WPA2 Wi-Fi protocol? If it doesn't and uses WEP, it's vulnerable - it's known to be hackable. Second, does yours have a firewall? OK, few don't but that's because without one your home network is completely exposed to potential malware. But whatever, these two are big problems – stuff you shouldn't ignore.

Of course, if you've got WPA2 Wi-Fi you can easily improve its security. Simply change its identity (SSID) to anything obscure and the password to something strong. And if you've got a firewall, make sure it's switched on! Both these are better than nothing but they don't deal with the real showstopper - the third issue with cheap routers. The ability to run more than one network (VLAN).

Do I have to trade up?

By now you should be picking up Smart Devices are vulnerable. So it's plain unwise to run them on the same network as anything used for online banking or shopping. What's needed is the means to separate them: a router that can run more than one network (VLAN). Problem is the one your ISP supplied, or any other cheap one, is unlikely to be able to do this.

If you're running Smart Home devices find out if your router will operate VLANs. If it does follow the advice below. If it doesn't you should very seriously consider trading up. Today most ISPs will allow it, double check the terms of your agreement and make sure yours does. I checked BT, Talk-Talk and Virgin - they all do.

Separating the vulnerable from the impregnable

I've made the case for VLANs and getting the right router. While nothing is un-hackable, using different networks will transform your security. Make it so only a determined expert can break in. And much easier for an amateur to go try their luck elsewhere.

Use each VLAN to separate out and contain the different levels of risk. I'd suggest this creates the need for three networks: "unsecured", "secured" and "don't know". Here's why and how to use them:

1. "Unsecured". This is for all your smart devices: plugs, lights, TV and the like. Everything where security protection isn't built in. These devices are most vulnerable. So isolate them on a separate network.
2. "Secured". This is for all your home computers, phones and tablets. All the things you use for online shopping, banking and web searches. Everything on this network has security protection. That means everything has up-to-date antivirus and firewall. These devices are safe. So treasure them on a special network.
3. "Don't know". The security status of everything on this network is unknown. The computers, tablets and phones that connect may or may not be secure. These devices are the one's guests or anyone needing temporary access use. You can't trust them so don't. Quarantine them on a dedicated network.

Other stuff

There are a few more things to mention on security. Issues caused by ‘conveniences' routers use to simplify their operation. I don't plan to go into the technicalities save mention it's best to switch them off as they create vulnerabilities.

The first is WPS (Wi-Fi Protected Setup). It's a shortcut for connecting some devices to your Wi-Fi. It has very limited PIN combinations and is easily hackable. Switch it off.

Next is HNAP (Home Network Administration Protocol). It grants full control to remote users. Fine, but only have it on when it's needed.

UPnP (Universal Plug and Play) is the next. It's an unprotected networking protocol on internet facing ports. Leave this on? I don't think so.

Finally, cloud-based router management. Why control your network's security from the outside? Where anyone can ‘see' what you're doing? It doesn't make sense, don't use it - switch it off!

Mobile phones are a critical vulnerability

Have you got antivirus on your mobile? Huge numbers of people haven't. Why should they? Who knows anyone that's had a virus on their phone?

What's this got to do with routers? Well, hackers used to only attack Windows PCs. Today they do it for mobiles too. This isn't about keeping your phone secure because it's the right thing to do. What I'm getting at is what happens when you use it to operate a smart device. A device that has no security, will attract malware and could, in turn, infect your phone.

Don't pick up a phone virus switching your lights on and off. Get protection.

The other business opportunity?

By now you should see the other business opportunities selling Smart Home presents.

The first of these is router upgrades and installation. ISP supplied routers are unlikely to support VLANs. Yet that's the very thing needed to a run Smart Home securely. What's more, the average customer won't understand how to configure one. Two nice opportunities for you and right up your street. But there's more...

The second opportunity concerns robust antivirus for computers, tablets and especially mobiles. Long neglected because phone viruses have never been much of a problem, hackers are now attracted because Smart devices have no security. Selling phone antivirus has never been easy. Now you've real reason to tell customers why they need it. That's good for business.

Make Smart Home your business

This is the last blog in a series on Smart Home. A series devoted to helping you understand the potential Smart Home offers and the business opportunity waiting for you. I've discussed a whole range of things from analysts' comments on the market to set-up and different applications. I've looked at remote control, automation and voice activation. And in this post I've covered the host of opportunity off the back of the security challenges Smart Home creates. Smart Home really is a fabulous business opportunity. What's more, 2018 is the year to seize it.

Everything you need to know about Smart Home

Before I go I've just two more things to say.

First, for the whole series on Smart Home click "Smart Home, Office and Workplace". You'll see it all listed there. Dive in and read everything I've had to say. Find out what you need to not just make it part of your business, but benefit using it in your business too.

Second, if you've any questions of comments I'd be more than happy to help. Make them here on the blog, drop me a line on [email protected] or give me a call on 07854 195 718 – it won't cost you a thing. I'm looking forward to it.