Don’t get bitten by your Apple home app
Posted by Andrew Mason on 05 Jun 2014
Controlling gadgets from your phone is cool, but don’t forget about security, writes Andrew Mason, co-founder and Technical Director of Wetherby IT security and compliance company RandomStorm.
On Monday, Apple announced its smart home plans at its Worldwide Developers Conference. This will allow people to use their Apple devices to remotely control domestic devices such as lights, garage doors and thermostats.
I love gadgets and already use lots of apps to control my home systems. My lighting is controlled by my iPhone through the Wemo and Hue apps and I use the Honeywell EvoHome system for controlling my heating and water. Even swimming pools can have their heat and humidity sensors connected and controlled by an iPhone.
My burglar alarm, internal cameras and 8-camera HD CCTV system are already controllable from my Mac, iPad or iPhone.
My two teenage children both have Find My Friends enabled and we have used it a few times to track their phones when they have forgotten where they left them.
Based on the success of the iPhone, iPod and iPad, we expect to see a lot of people adopting the new Apple "Home" app to control appliances in their kitchens, bedrooms and living rooms.
But we must not forget about security. The more things that can be controlled by these devices, the more important it is to secure them.
All of my current home apps are secured using strong, regularly changed passwords and I also connect through a virtual private network (VPN) to my home, to control systems such as the CCTV and alarm. This is very important because, if these apps were set up with poor security, they would be easy to hack and allow criminals to gain control over these devices in my home. Two months ago it was reported that a hacker had gained access to an American couple’s baby monitor and camera and used it to watch and shout at their sleeping baby.
It is just as important to secure your home passwords as it is to secure your work passwords, and the same rules apply.
There have been countless examples of company databases being breached recently. These have revealed that people are still using ridiculously simple passwords.
In the course of my company’s work as a Qualified Security Assessor, we often find that users resort to a common password such as "June2014" so that they don’t forget it. As a security professional, I would never personally use a password under 10 characters, and I always use alphanumeric characters and symbols where the system allows this.
Never use a password based around something individual to yourself. One of the RandomStorm security engineers wrote a well-publicised tool called CeWL that creates custom wordlists based around company or personal websites.
We also wrote a tool, RSMangler, that takes these wordlists and expands them with all possible permutations: http://www.randomstorm.com/rsmangler-security-tool.php
For people with lots of passwords to remember, we advise using a password manager such as RoboForm (http://www.roboform.com/) or 1Password (http://atlchris.com/532/what-is-1password/). These generate strong passwords for you and automatically complete online forms so that you don’t have to keep typing in your details over and over again. The system can be used to automatically create strong alphanumeric passwords over 10 characters. Users never actually know what the passwords are and rely on the password manager to store the password for logins. However, you must ensure that the password manager itself is secured with an ultra-strong master password.
Using CeWL and RSMangler, we have been able to enumerate users and passwords from weak systems and then we see that these weak passwords have been reused within the organisations for logins such as domain access, or to provide access to really sensitive information contained in enterprise applications. We have used this method many times to gain access to confidential information, so that we can demonstrate vulnerabilities to our clients and explain how they can tighten up their security.
You should NEVER reuse passwords and we see this as a massive issue during security penetration tests that we undertake for businesses, so there’s no reason to think that people won’t be equally lax with their "Home" app passwords.
You should ALWAYS change the default passwords on network devices such as home routers and CCTV cameras. It’s not difficult to get a copy of the default password list for common manufacturers’ devices, and it still amazes me how many times people leave default credentials in place. That’s like leaving your back door wide open and going on holiday.
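The password rules above (at least 10 characters, mixed character classes, nothing like "June2014", nothing taken from your own or your company’s website, and no reuse) can be turned into a simple pre-flight check before a credential is set on a home device. The following is an added example written for this post, not a RandomStorm tool; the function name, the context-word list and the sample passwords are all constructed for illustration.

```python
import re

MIN_LENGTH = 10  # the article's minimum

# "June2014"-style passwords: a month name (full or abbreviated) followed by a year.
MONTH_YEAR_RE = re.compile(
    r"(?:january|february|march|april|may|june|july|august|september|"
    r"october|november|december|jan|feb|mar|apr|jun|jul|aug|sept|sep|"
    r"oct|nov|dec)[^a-z0-9]{0,2}\d{2,4}"
)


def policy_findings(password, context_words=(), known_passwords=()):
    """Return the reasons a password fails the article's rules (empty list = passes).

    context_words: words scraped from a personal or company website, i.e. exactly
                   the material a wordlist generator would harvest, supplied here so
                   the check can reject passwords built from them.
    known_passwords: passwords already in use elsewhere, to catch reuse.
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")

    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))

    lowered = password.lower()
    if MONTH_YEAR_RE.search(lowered):
        findings.append("month-plus-year pattern (like 'June2014')")

    # Reject anything that embeds a word taken from the owner's own web presence.
    for word in context_words:
        if len(word) >= 4 and word.lower() in lowered:
            findings.append(f"contains personal/company word {word!r}")
            break

    if password in known_passwords:
        findings.append("reused from another login")
    return findings
```

A password manager’s generated output (the third case in the test) is the only one of the constructed samples that passes cleanly; the other two show why a memorable date or your own company name is a poor choice.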
The Apple announcement has caused a lot of excitement among gadget lovers such as myself, but every internet-controlled device is like adding another door into your home. Don’t forget to lock it.
Sources:
The Guardian, 2 June 2014, "Apple unveils its Smarthome program at WWDC 2014"
The Daily Mail, 28 April 2014, "Ohio couple’s baby monitor hacked", http://www.dailymail.co.uk/news/article-2614462/Wake-baby-The-chilling-words-couple-heard-middle-night-man-hacked-daughters-baby-monitor-WATCHING-sleep.html
Andrew Mason is a Qualified Security Assessor for PCI DSS, a Cisco CCIE, a CISSP and a CESG CHECK Team Leader, and has authored several books on Cisco network and internet security. RandomStorm is a PCI Approved Scanning Vendor and Qualified Security Assessor as well as a government CHECK scheme-approved company.