Securing Home Automation
The network components used to control homes and offices over the Internet are often simply configurable devices, running outdated software riddled with security holes and relying on obsolete communication protocols. The German Fraunhofer Institute is developing tools to secure network access to the buildings we live and work in.
Home automation or Building Automation Systems (BAS) are on an inevitable rise. BAS offers the promise of significant energy savings, reduction of the operational c...
The network components used to control homes and offices over the Internet are often simply configurable devices, running outdated software riddled with security holes and relying on obsolete communication protocols. The German Fraunhofer Institute is developing tools to secure network access to the buildings we live and work in.
Home automation or Building Automation Systems (BAS) are on an inevitable rise. BAS offers the promise of significant energy savings, reduction of the operational costs of buildings and general convenience. For the elderly concepts like Ambient Assisted Living can reduce dependence on human caretakers.
Failing security
But as these systems are being rolled out, there is a worrisome lack of attention for security Sebastian Szlósarczyk, Steffen Wendzel and their three co-authors warn in their paper on suppressing attacks and improving resilience of BAS. They present a work-in-progress security solution based on traffic analyses. Because the solution is system-independent it can enhance security without having to replace existing technology. The research is being conducted under the umbrella of the Cyber Defense Research Group of the Fraunhofer Institute FKIE in Bonn.
The authors point out several reasons why security in BAS is often weak: the first BAS were developed as stand-alone systems and therefore weren't designed with network security in mind. As the need for networked access grew connectivity features were added. Also, software seldom gets security updates because patches are simply not available, incompatible with legacy equipment and because of a general lack of security awareness among people running these systems.
System abuses
Because these IT systems do not only transfer data but also control sensors and actuators the gates to host of novel abuses swing open wide. Attackers can listen in on sensor data to deduce information about the building and its inhabitants. For instance, behavioral patterns of home owners can be sold on the Internet to burglars and other folk with dark inclinations. Since BAS are designed to control the heating and lighting systems, grant physical access by locking and unlocking doors and windows, operate elevators, smoke detectors etc., a compromised BAS can be directed to open the doors for ill-intending people, shut down critical systems or deregulate climate control.
During last year's Chaos Communication Congress two hackers showed how they gained unauthorized access to the consumer-grade home automation system HomeMatic and were able to unlock doors, disable the motion detector and mess with the heating system.
Security solution
To prevent a future in which the entire build environment is at the mercy of cybercriminals and pranksters, Szlósarczyk, Wendzel and their colleagues are working on a tool to protect BAS against remote attacks. They propose to introduce traffic normalization for BAS. Network normalization involves traffic analyses to search for suspicious packets. If a packet is detected that isn't compliant with predefined standards, traffic normalizers -also known as protocol scrubbers- actively drop or modify the suspicious packet. Traffic normalizers are being used in TCP/IP networks to defend against various attacks, the authors point out, but “traffic normalization is not avaliable for any BAS protocol.”
Because the software operates as a firewall between the Internet and the building's internal network, traffic normalization can be applied to any automated building regardless of what kind of system it's running.
The research is currently in progress. “In the next stage, we want to make the technology production-ready with an industrial firm. In no later than two years, there should be a product on the market,” Wendzel said in a Fraunhofer press release.
Image: Fraunhofer Institute
Home automation or Building Automation Systems (BAS) are on an inevitable rise. BAS offers the promise of significant energy savings, reduction of the operational costs of buildings and general convenience. For the elderly concepts like Ambient Assisted Living can reduce dependence on human caretakers.
Failing security
But as these systems are being rolled out, there is a worrisome lack of attention for security Sebastian Szlósarczyk, Steffen Wendzel and their three co-authors warn in their paper on suppressing attacks and improving resilience of BAS. They present a work-in-progress security solution based on traffic analyses. Because the solution is system-independent it can enhance security without having to replace existing technology. The research is being conducted under the umbrella of the Cyber Defense Research Group of the Fraunhofer Institute FKIE in Bonn.
The authors point out several reasons why security in BAS is often weak: the first BAS were developed as stand-alone systems and therefore weren't designed with network security in mind. As the need for networked access grew connectivity features were added. Also, software seldom gets security updates because patches are simply not available, incompatible with legacy equipment and because of a general lack of security awareness among people running these systems.
System abuses
Because these IT systems do not only transfer data but also control sensors and actuators the gates to host of novel abuses swing open wide. Attackers can listen in on sensor data to deduce information about the building and its inhabitants. For instance, behavioral patterns of home owners can be sold on the Internet to burglars and other folk with dark inclinations. Since BAS are designed to control the heating and lighting systems, grant physical access by locking and unlocking doors and windows, operate elevators, smoke detectors etc., a compromised BAS can be directed to open the doors for ill-intending people, shut down critical systems or deregulate climate control.
During last year's Chaos Communication Congress two hackers showed how they gained unauthorized access to the consumer-grade home automation system HomeMatic and were able to unlock doors, disable the motion detector and mess with the heating system.
Security solution
To prevent a future in which the entire build environment is at the mercy of cybercriminals and pranksters, Szlósarczyk, Wendzel and their colleagues are working on a tool to protect BAS against remote attacks. They propose to introduce traffic normalization for BAS. Network normalization involves traffic analyses to search for suspicious packets. If a packet is detected that isn't compliant with predefined standards, traffic normalizers -also known as protocol scrubbers- actively drop or modify the suspicious packet. Traffic normalizers are being used in TCP/IP networks to defend against various attacks, the authors point out, but “traffic normalization is not avaliable for any BAS protocol.”
Because the software operates as a firewall between the Internet and the building's internal network, traffic normalization can be applied to any automated building regardless of what kind of system it's running.
The research is currently in progress. “In the next stage, we want to make the technology production-ready with an industrial firm. In no later than two years, there should be a product on the market,” Wendzel said in a Fraunhofer press release.
Image: Fraunhofer Institute