Kerry Clendinning from The Smarter Home Club has written a great post to help us understand the importance of Internet security and how critical it is in relation to home automation!
If you’re like many people getting into home automation, you are getting immersed further into technologies that you previously barely knew or cared about. You were once okay with the default settings on your router but now you are using dynamic DNS and opening up ports. Where you once only knew about apps for your phone you’re now downloading and running “scripts” as part of your home automation system. You’re editing “config” files and setting up accounts to make everything play well together. (If you’ve gone the route of using only Amazon’s Alexa or Google Home and haven’t really gotten much deeper into home automation, this article might be a bit premature and you can safely go about your business.)
It’s probably a good time to think a bit about internet security.
Following someone else’s instructions on how to open up your firewall by forwarding ports or running some downloaded script that asks you to put your Amazon password in a config file might open up some security risks you don’t realize.
I don’t intend to discourage your enthusiasm or sound too preachy here. My intent is just to give you the means to make some informed decisions. If you’ve never looked closely at the “permissions” you give an app you downloaded on your phone, then what I have to say may be of no interest. But if you’ve ever asked why a battery monitor app needs to use your camera and look at your contacts list, then you are probably “woke” enough to care…
Let’s start with firewalls, port forwarding and UPnP. Just about everyone that’s ever set up internet in their home these days has some sort of firewall, even if you don’t know it. If you are the most naive sort of consumer and internet user, your internet provider had your back here, when they sent you, or came to install, an “internet modem” and “router”. Usually these devices are all in one, and probably also provide your wifi service in your house. By default there is a firewall enabled in the router and it’s likely set to very secure defaults.
A router’s job is to control the communication paths between all of the devices you connect in your home, like computers, tablets, streaming devices and wifi enabled smart home devices. Locally within your home it lets everything “see” and talk to everything else. It also controls the communication paths between those devices and the internet. It’s a sort of gatekeeper or doorman. The default settings say that any computer in your house can make a connection to any place on the internet, but won’t allow connections that originate outside of your home to connect to the inside. While this doesn’t ensure that you won’t choose to do something harmful, like downloading malware from a suspicious website, there’s little threat that someone outside of your house can initiate an attack on your computers with no action on your part, given your systems aren’t already compromised in some way.
So the router lets programs on your computers and phones, like your web browser, reach out to the world and do their job, while keeping anything outside from coming in. That’s probably all you’d ever want, right? Now you get into home automation and you have reasons to want to connect into your own home when you are away. You’d like to look at security cameras or turn on/off lights remotely. All of these things can still be done without any change to your firewall settings, if you use “cloud” services. In these cases, when you install something like a camera or home automation hub in your home, you’ll be asked to set up an account and register your devices through an app or a web browser. Then when you are outside your home, a mobile app on your phone will allow you to connect in a way that seems like you are passing through your firewall from outside, but it’s really an indirect connection.
When using cloud-based services, the device in your home (the camera or hub) makes a connection going out through your router–the direction that it always allows by default–to a server that the device manufacturer runs, likely at a service provider like Amazon’s “AWS”. Then, when you use an app on your phone to access the device, your phone uses the manufacturer’s server as a rendezvous point which can relay messages or forward data between your device and the phone app.
So far, so good, right? Your firewall is still secure, you haven’t had to open any ports, and you have all of your home automation desires fulfilled… And you have a dozen different accounts and a dozen different apps running on your phone and, aside from the specific things that your home automation hub supports, if you’ve gone that route, nothing talks to anything else. Depending on some specific details of how your devices work, you might be totally dependent on the “cloud” to the point that if your internet goes down you can’t turn on a light. Oh, and some of these devices and apps are connecting through a server in China or Russia because you found you could save a nickel if you bought a brand that you can’t pronounce but they had the features you wanted. With cloud-based solutions, your information and privacy are only as secure as those providers.
If we’d never heard about a major retailer or bank getting “compromised” and letting our personal information or account details get sold to crooks, there might not be a security concern involving cloud services. But in reality, these things do happen. If you only have cameras viewing the outside of your house, it may not matter to you that those recorded images could conceivably end up “leaked.” It’s something to think about.
Home automation enthusiasts who aren’t happy with the level of integration that cloud solutions offer or have concerns about maintaining control when their internet connectivity fails, or even question the security of cloud services, might turn to a system that is based within their home for “local control”. It’s these setups with programs like “Home Assistant” that might lead down the road to port forwarding, aka opening a port through your router.
You want local control, but you still want to be able to use an app on your phone from a coffee shop to set your thermostat and turn on a light? Great, open a port on your firewall and run this program.
This is a big step and deserves some thought.
When you download and run typical programs and apps on your computers and phones, you must have some level of trust that those apps aren’t intentionally malicious. There are some checks in place on the common download sites to keep you somewhat safe from intentionally malicious software. Google, Apple and Amazon are doing their best. Now let’s say you run a game on your phone that isn’t malicious but it is poorly programmed. It uses more battery power than it should and frequently crashes. No big deal. Having that game on your phone has very little chance of opening up a hole that would allow someone to steal your bank account login stored on another app on your phone. Apple and Google have gone to great lengths to make sure that this kind of thing can’t accidentally–or intentionally–happen, by segregating the apps. You do have to hope that the banking app is well programmed, but that’s a decision that should be separate from how much you trust the game programmer.
It’s a completely different story once you open up a port on your firewall to access a home automation program from outside your home. Now you have to trust that the software programmers are neither malicious, nor sloppy. Computer security is a very specialized field and many programmers who are fine at designing a pretty user interface or making devices talk to one another don’t get all there is to know about security. This is why we hear about those compromised websites we mentioned earlier. An open port on your router is an invitation to hackers to try everything they can to send messages to the program that’s using that port to fool it into doing something it shouldn’t. With some kinds of software security problems, an outside attacker doesn’t even need to complete a login process to exploit a program and gain access.
If you choose to open a port on your firewall you are dependent on the security of the program that uses that port. If the program can be compromised, it’s likely a hacker could do more than just control the program itself. They might be able to install other software on the computer, much like when you download malware, only they do it through a back door.
There’s a thought we all have, that if something weren’t safe and everyone else is doing it, we’d know it because they’d be the first victims… Again remind yourself of retailers who have announced that hundreds of thousands of credit card numbers were stolen during the holiday shopping season and they only found out in February. Hacking is a real threat, firewalls are an important part of our personal defense and port forwarding shouldn’t be taken lightly.
One positive point I have to interject here is that some of the home automation programs you might choose are “open source,” meaning the program is available for anyone to look at as well as use. It’s fairly common among the IT community to cite that open source leads to more secure software. The idea is that you aren’t trusting a single programmer or just a few individuals on a team, but an entire worldwide community of pretty smart people that have contributed to the functionality and security of that program–and surely if there were a flaw, somebody would have noticed it.
So UPnP deserves some mention at this point. It’s a “feature” of most modern routers that says why bother the consumer with these complicated questions about firewalls and ports? Let’s have the router invite programs on the inside to open up their own outside ports through the router, with little knowledge by the consumer. I rarely take such a hard line approach about something of this sort, but all I’m going to say about UPnP is that if you don’t fully understand how it works and how to monitor what programs are using it and what ports they are opening, JUST TURN IT OFF. I’m not aware of any routers that ship with it enabled, but I haven’t upgraded my router in just about forever and I do not run stock manufacturer’s firmware (it’s open source for me, of course).
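One way to do the monitoring described above, as an added example that is not part of the original post: parse the router's UPnP port-mapping list and flag every forward you did not approve. The sample text is constructed and assumed to follow the layout that miniupnpc's `upnpc -l` prints; the addresses, ports, descriptions and allowlist are hypothetical.

```python
import re

# Constructed sample, laid out like the mapping list printed by `upnpc -l`
# (miniupnpc); the addresses, ports and descriptions are made up.
SAMPLE = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8123->192.168.1.50:8123  'Home Assistant' '' 0
 1 UDP 51413->192.168.1.23:51413 'NAT-PMP 51413 udp' '' 3600
 2 TCP    23->192.168.1.77:23    'cam-telnet' '' 0
"""

ROW = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->(?P<host>[\d.]+):(?P<int>\d+)"
    r"\s+'(?P<desc>[^']*)'\s+'[^']*'\s+(?P<lease>\d+)\s*$"
)

def parse_mappings(text):
    """Return one dict per port-mapping row; header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "proto": m["proto"], "ext_port": int(m["ext"]),
                "host": m["host"], "int_port": int(m["int"]),
                "desc": m["desc"], "lease": int(m["lease"]),
            })
    return rows

def unexpected(mappings, allowed):
    """Mappings whose (protocol, external port, internal host) is not approved."""
    return [m for m in mappings
            if (m["proto"], m["ext_port"], m["host"]) not in allowed]

# Hypothetical allowlist: the single forward the owner set up on purpose.
ALLOWED = {("TCP", 8123, "192.168.1.50")}

if __name__ == "__main__":
    for m in unexpected(parse_mappings(SAMPLE), ALLOWED):
        # A lease of 0 means the mapping does not expire on its own.
        lease = "no expiry" if m["lease"] == 0 else f"{m['lease']}s"
        print(f"UNAPPROVED {m['proto']} {m['ext_port']} -> "
              f"{m['host']}:{m['int_port']} ({m['desc']}, lease {lease})")
```

On a real network, the text passed to `parse_mappings` would be the captured output of the listing command rather than `SAMPLE`.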
So two more topics and I’ll try to keep these brief: Scripts and passwords. The inspiration for this article came when someone on a home automation Facebook page said there was a script that would accomplish a particular feature I was considering implementing. It involved automating something related to an Amazon Echo that Alexa can’t normally do. Someone had figured out how to do just what I was contemplating and wrote a “script”. Scripts are basically just small programs. There’s nothing wrong with a script per se. Without going into a lot of detail, almost all scripts are readable, like open source, so that’s a positive thing from a security standpoint. Here’s the thing, though: Scripts are passed around like a community water bottle. I’ll modify a script and email it to a friend, he posts it on a blog, someone else makes another modification… There are perfectly fine, well-cared for and “safe” scripts that are distributed right alongside or included with mainstream open source projects, too. They usually have a little more scrutiny and I’m less likely to stop and ask myself what am I doing here.
Well, the particular script I’d been pointed to accomplished this feature I wanted in a rather direct, shall I say brute-force, way. It logs into an Amazon account through the regular web portal. Fine? Whatever? The script needed to be configured with MY Amazon username and MY Amazon password. To make it worse, the script’s author made no attempt to secure the password in any way. The instructions to use the script just said add your username and password to this file and went about its merry way.
Seeing passwords in what we call “plain text,” or there for anyone to see with no encryption, no tokens, no two-factor authentication is enough to make an IT professional cry.
I looked into it a little further, and it is possible, I think, to get this script to use a password secured by a “key chain” program that’s part of the OS on the server where I’d run it. This way the password wouldn’t be right there in the config file. Nevertheless, the script would still have access to the plain text password as it went through the Amazon web portal to talk to Alexa. I’d be trusting not only that the script wasn’t malicious, but also that it is secure in the handling of my Amazon authentication info. I still haven’t ventured to even try this script. If I ever do, I’m setting up a completely separate Amazon account and moving all of my home automation stuff separate from the account that holds my credit card info. Probably not going to happen.
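A quick check you can run before trusting a downloaded script's config file, as an added example that is not code from the script discussed above: it reports literal secrets stored in the file and file permissions that let other local users read them. The key=value layout, the key-name list, the file name and the `ALEXA_TOKEN` variable are all assumptions made for the illustration.

```python
import os
import re
import stat
import tempfile

# Key names that usually hold a secret; this list is an assumption, extend it
# for the scripts you actually run.
SECRET_KEY = re.compile(r"(pass(word|wd)?|secret|token|api_?key)", re.I)
LINE = re.compile(r"""^\s*(?:export\s+)?([\w.-]+)\s*[:=]\s*["']?([^"'#\s]+)""")

def audit_config(path):
    """Return a list of findings for one key=value style config file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"mode {mode:o}: readable by other local users")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            m = LINE.match(line)
            if not m or not SECRET_KEY.search(m.group(1)):
                continue
            # A $VAR or ${VAR} reference means the secret is stored elsewhere.
            if m.group(2).startswith("$"):
                continue
            findings.append(f"line {n}: {m.group(1)} holds a literal value")
    return findings

def demo():
    """Audit a constructed config of the kind the script's instructions ask for."""
    sample = ('EMAIL="me@example.com"\n'
              'PASSWORD="hunter2-constructed"\n'   # constructed value
              'TOKEN=${ALEXA_TOKEN}\n')            # hypothetical variable name
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "script.conf")      # hypothetical file name
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        return audit_config(path)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A clean report only means the secret is not sitting in the file; the script still handles the plain-text password at run time, which is the trust problem described above.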
Those are a few of my thoughts on home automation and security. Hopefully you can find your way along the path to home automation bliss while dodging the security landmines that might be waiting out there. Good luck!
SmarterHome.club is the website for our Facebook community, The Smarter Home Club – which is an umbrella for all kinds of smart home technologies – home automation, security, custom electronics, weather stations, alternative energy, you name it. DIY focused.