The symbiosis of digital and physical security
The challenge of modern security reminds one of the 1955 Stargazers hit, “Close the door – they’re coming through the window”: as soon as you’ve stopped one weak point, the challenges appear somewhere else, and the challenge is getting bigger all the time. From home automation systems to major data centers, the situation seems to be the same – you must assure digital security to guarantee physical security and the other way around. A clear symbiosis.
“People are really careless,” says Paul Williams, Control4. “If I open my computer at home, I can see 12 or 13 access points, and one third of them are completely wide open.”
Apparently, password-breaking programs are now so sophisticated that a really secure password needs 55 characters, including numbers, lower and higher case letters, and characters from foreign alphabets. Oh, and it had better not make any sense.
But the old song has another relevance to modern security challenges: to secure one’s digital world, one also needs to ensure that doors and windows are also shut tight.
In other words, physical and digital security are two sides of the same coin. And now that physical security is often achieved, at least partly, by digital means, the two sides of the coin are getting more and more similar.
Secure home automation
From the physical security of major data centers to the digital automation of domestic security systems, we’re getting to the situation where, in the words of another song, “You can’t have one without the other.”
It’s Spiderlabs’ job to test security systems, physically and digitally. Spiderlab caused a stir by reporting to the 2013 Def Con and Black Hat hackers’ conferences about how they hacked in to home automation systems operating within home networks.
Daniel Crowley works for the Spiderlabs division of the Internet security and compliance consultant Trustwave. It’s Spiderlabs’ job to test security systems, physically and digitally. He and his colleagues caused a stir by reporting to the 2013 Def Con and Black Hat hackers‘ conferences about how they hacked in to home automation systems operating within home networks.
“The systems we examined are very vulnerable,” he says. “In one case, anyone on the Internet could get complete control: there was no username and no password.”
That’s bad enough if someone can remotely turn up the volume of your stereo, or perhaps flush a networked toilet (yes, they tested one of those) while you’re sitting on it, but it becomes critical if your door-locks and cameras are on the network too. There’s already been a case of someone shouting insults into the room of a 2-year-old child via a camera-enabled baby monitor, and then insulting the parents when they came to see what was happening.
Crowley wants home automation systems separated from the rest of the network. They need their own username and password, so that even if the network is hacked, the system will not be reachable: “Everything on the home automation system must be secure, even in an insecure network.”
“People are careless”
Paul Williams, Vice-President for Lighting and Comfort Products with leading home automation provider, Control4, says that that is exactly what his system is: “It sits on top of the home network with its own security.”
But he did write a blog in May 2013 in which he warned about security risks in the networks. He wanted to make sure his dealers were careful when they set up networks, even if the home automation wasn’t affected. After all, as he says, they often have to install both together, and Control4 wants them to do both jobs properly.
“If you’re building a product for everyone, you have to recognise that people aren’t skillful.” says Paul Williams, Control4 and refers to that it can be difficult for some users to set a sufficient security level for home control systems.
So: don’t allow port forwarding unless you know what you’re doing, he wrote, and don’t broadcast the SSID of your router. And, above all, don’t use obvious passwords!
“People are really careless,” says Williams. “If I open my computer at home, I can see 12 or 13 access points, and one third of them are completely wide open.”
His blog was written as a reaction to media reports about Shodan, a kind of search engine for devices. While Google looks for websites on the Internet, Shodan looks for things on the Internet, like cameras or locks, thermostats or even dumper trucks – one hacker got inside the on-board monitoring system of some dumper trucks via an easily-guessed password.
Below you can watch the CNN report that Williams is referring to where the search engine Shodan is explained. Shodan can expose poorly secured networks and network connected devices to unscrupulous individuals.
Williams commented that Control4 systems offer “the same security standards used in the banking industry,” with 256 bit SSL encryption between devices: “You can’t use sniffers to find out what’s happening.”
Crowley says that security is always a trade-off – he admitted he wasn’t wearing a bullet-proof vest when he spoke to the Future Lab.
“Security has to be in a relation to what you’re protecting,” he says, but he argues that home automation companies must make it easier for consumers to set their systems up to the highest standards.
“If you’re building a product for everyone, you have to recognise that people aren’t skillful.”
Securing servers and data centers
A company like 1&1 Hosting Germany, part of United Internet, one of Europe’s biggest Internet providers, has plenty of skilful people, and Michael d’Aguiar, Senior PR Manager says they rely on decentralised systems.
“Entry to the data center is by a security door allowing only one person in at a time” says Michael d’Aguiar, Senior PR Manager with 1&1 Hosting Germany. “There’s a card reader, a code has to be entered, the face has to be recognised and even the weight has to match.”
“There is no remote control,” he says. “You can only access the building control system, including such things as heating, within the building itself.” The 190 cameras which protect their main data center in Karlsruhe, for example, are in a closed system, and can’t be accessed from outside.
Entry to the data center is by a security door allowing only one person in at a time. There’s a card reader, a code has to be entered, the face has to be recognised and even the weight has to match. Only a few people are authorised to enter: “Not even the CEO can get in without applying for permission,” says d’Aguiar. The principle seems to be: the less access is possible, the safer the system.
A hacker can still capture the network traffic and send it again – you’d need a time stamp or one-time password to avoid that.
Crowley argues that you need to think very carefully whether you want your locks on a network: even if there is good encryption with username and password, a hacker can still capture the network traffic and send it again – you’d need a time stamp or one-time password to avoid that: “It’s a potential headache and the vast majority don’t need it.”
But, as he said, it’s a trade-off: there’s a demand for the integration of security into the digital world, and responsible home automation providers are ensuring that the risks involved are kept as low as possible.
By Michael Lawton
Paul Williams is the Vice President of Lighting & Comfort Products at Control4, a leading innovator in residential and light commercial automation systems. Prior to joining Control4, Paul held the position of Vice President of Utah Operations for SonicWall, after the company where he held the position of Senior Vice President of Operations (Phobos) was acquired by SonicWall in 2000. Before SonicWall / Phobos he held the position of Director of Operations for Harman Music Group (a Harman International company) and held other management positions during his 14 years with Harman Music Group. Paul is a seasoned professional with over 25 years of experience in operational management in high-tech industries and brings his talents, persona and lively presentation style to corporate, partner, and industry-wide projects.
Related images
