The goal of this research is to improve the security of smart home hubs by developing a standard against which hubs can be evaluated. This was done by first reviewing existing standards, guides, and collections of best practices. I determined that adapting or extending an existing standard was the best way to proceed. Potential candidates were selected, and after thorough comparison, I chose to extend the OWASP Application Security Verification Standard (ASVS). Extensions were composed of additional security requirements to address smart home hub functionality not covered by the existing requirements of the ASVS. These additional requirements were developed based upon existing best practices and are referred to as the Smart Home Extensions.
Where a best practice or guidance did not yet exist for a particular hub functionality, guidance from related fields was adapted. The entire set of Smart Home Extensions were reviewed by industry experts, updated based on feedback, and then sent on for further peer review. Four smart home hubs–VeraLite, Wink, Connect, and SmartThings–were evaluated using the ASVS with the Smart Home Extensions. The evaluation uncovered security vulnerabilities in all four hubs, some previously disclosed by other researchers, and others new. Analysis of the evaluation data suggests that authentication is a common problem area, among others. Based on the performance of the hubs and the data collected, I suggest that the ASVS and Smart Home Extensions can be an effective tool to provide insight into the security posture of smart home hubs.
Commercial and academic interest in the smart home arena has picked up in recent years as more and more consumer devices include some sort of network connectivity. Conferences such as Smart Home World, TV Connect, ICOST, Connections, and numerous others organized in just the last ten years continue to be successful. One of the largest showcase venues for commercial devices, the Consumer Electronics Show, expanded in 2015 to include exhibit space specifically for smart home devices (Brown 2014). Some small colleges have even begun to offer certifications in smart home technology, while Duke University engineering students can become “Smart Home Research Fellows” (Martinsburg College 2015; Nicolet College 2015; Pratt School of Engineering 2015).
The original purpose of this research was to develop from scratch a framework to evaluate the security of smart home hubs. This framework was to be based, in part, on existing best practices in related domains. However, after reviewing existing frameworks and testing guides for those related domains, it became clear that extending an existing framework would be more feasible and useful. More feasible due to the complexity of the domains involved, including web application security, wireless security, cryptography, and others.
SMART HOME EXTENSIONS FOR THE OWASP ASVS
The following are proposed extensions to the OWASP Application Security Verification Standard (ASVS). They were developed as extensions to ASVS 2014, also referred to as ASVS 2.0. As discussed in the Methodology section, the requirements that make up these extensions are based on best practices from related frameworks, standards, and guidance documents. I incorporated feedback from nine industry experts in the final draft. The following sections explain how the extensions changed from the initial draft to the final draft.
A SECURITY EVALUATION OF FOUR SMART HOME HUBS
The VeraLite Smart Home Controller is produced by Vera Control, Ltd. and was released in March of 2012. Vera Control releases updates regularly and at the time of testing, the VeraLite was running the most current version of the firmware, version 1.7.541. The VeraLite supports WiFi and Z-Wave protocols. The hub itself is pictured above:
The SmartThings Hub is made by SmartThings Inc. and has been available since August 2013. Updates to the hub firmware and related smart-phone application are done on a regular basis, with updates to the hub pushed out automatically. During testing, the hub firmware was version 000.011.00705 and the Android application version was 1.7.0. The SmartThings Hub supports Wi-Fi, Z-Wave, ZigBee, and WeMo devices. The hub itself is pictured above:
The Connect Hub failed two requirements under Access Control: 4.4 and 4.16. The first is a requirement to protect against direct object references. The hub fails this requirement because it is possible, via direct object reference, to access user-interface items that are meant to be hidden. This can be seen in the screenshot below. While this failing does not appear to have any security implications in this instance, it suggests that the application designers did not consider this attack vector. If that is the case, this may be a problem with greater security implications elsewhere in the application.
RECOMMENDATIONS FOR SMART HOME HUB SECURITY
The following are my recommendations for a more secure smart home hub. Separate recommendations have been developed for end-users and hub manufacturers in the smart home arena. All of the recommendations are based on my research into existing best practices and the results of performing a security evaluation of four smart home hubs, described previously.
Evaluating the Smart Home Extensions can be done by ensuring they are not flawed, and by asking how well they provided insight into the security posture of the hubs. I tested them for flaws in two ways. First, as described in section 3.1.2, industry experts reviewed the requirements and they were then updated to reflect feedback. Second, by attempting to verify the requirements, I was able to confirm that it was possible to pass or fail a requirement. As mentioned previously, all hubs failed some requirements, and they did not all fail the same ones. Likewise, they did not all pass the same requirements. This can be seen by referring back to Table 9 in section 5.6. These results suggest that the requirements are not flawed, in that they are not impossible to pass or impossible to fail.
Source: Brigham Young University
Author: Steven A. Christiaens