Computer scientists at The College of William and Mary spent the summer testing smart home products for possible security issues. Their study, titled “A Study of Data Store-based Home Automation”, found that security flaws in many new smart home platforms and their third-party devices could produce serious consequences for users.
Lateral Privilege Escalation Attack
Apps and devices within one of these smart home systems communicate with each other via a shared data store. That means if hackers can get past one device, they can potentially access other devices within the system. Hackers can compromise low-integrity devices, such as third-party lighting apps, and use that access to modify something in the data store that high-integrity devices, such as security cameras, rely upon to operate.
This type of attack is referred to as “lateral privilege escalation”, and it poses a major threat to many smart home system owners. If a burglar is capable of hacking and compromising a simple light switch app, it’s entirely possible for them to modify a variable on the shared data store that temporarily shuts off security alarms.
Vulnerabilities discovered in Smart Home System
The study’s leading researchers, Adwait Nadkarni and Denys Poshyvanyk, were able to pull off a lateral privilege escalation attack on a NEST smart home system in their testing lab. They were able to manipulate the system to indicate that the owner was home when they were not, temporarily disabling the surveillance camera and opening the home up to invasion. The researchers informed smart home companies of the potential for security breach. The company TP Link, whose Kasa light switch product was used in the mock attack, updated their technology to prevent that specific instance from occurring. While the study has already sparked progress, smart home system producers still have a lot of work to do to ensure that future products are secure.