behind the intelligent home furnishing, are security concerns only concerns?

Posted by fierce at 2020-03-01

With the rapid development of the Internet of things, people are about to usher in the era of Internet of things. It is the new demand that people pursue to make the family more comfortable, safe and efficient through various technologies and devices, and it is also the hot spot that the industry competes for layout. As the most common social subdivision unit, family is often the most special and reassuring place for people. The smart home field with family as the application scenario has huge market potential, and also needs to reconstruct a more intelligent and secure home environment.

The future has come, and home intelligence is just around the corner

With the rapid development of information technology, especially the Internet of things, people's life, work, learning and communication habits and ways are constantly changing, and also put forward new needs for traditional houses, smart home comes along with it, and the era of the Internet of things has begun, a smart home is close. Smart TV, smart sweeping robot, smart refrigerator, smart speaker, even smart water heater, rice cooker There have been countless fantasies that you can take a hot bath at home and control all the scenes with voice, which seems to be realized in the near future.

According to the survey of relevant institutions, the scale of China's smart home market reached 334 billion 230 million yuan in 2017, with a year-on-year growth of 24.8%. It is expected that the smart home market will maintain a compound annual growth rate of 21.4% in the next three years, and the market scale will reach 581 billion 930 million yuan by 2020. With the maturity of technical products, the further implementation of market promotion and popularization, and the gradual formation of consumer use habits, the market trend is even more ready to develop.

The development of smart home is increasingly mature and popular

With the rise of Internet of things as a national development strategy, smart home as a key application frequently appears in the central and local policies. After being written into the government's work report in 2016, smart home was upgraded from the original 9 major areas to one of the 6 key areas of application demonstration projects in early 2017.

As the embodiment of IOT under the influence of the Internet, smart home connects all kinds of home appliances, lighting, security and other devices through IOT technology, providing a variety of functions and means.

Figure 1 function diagram of smart home

In the future, the size of smart home products in the family is no longer just an island of smart products, but can be interconnected, evolvable, can connect external resources for active service of the network device, its development can be divided into three stages: single product connection, material linkage and platform integration.

Single product connection stage: each single product is connected through the transmission network, such as WiFi, Bluetooth, ZigBee, etc., and each single product can be controlled separately

Physical and material linkage stage: some products can be interconnected and integrated to realize linkage control among products;

Platform integration stage: each smart home product can realize single product interconnection and platform application and management according to unified standards.  

The design of smart home system consists of three elements: function and interconnection. The elements mainly come from people's living scene, which is the intelligence of living scene.

People's life scene needs: security, entertainment, home appliances, property, social networking, businesses, etc.

Product intelligence development needs: single product intelligence, linkage intelligence between single products, product systematic intelligence, etc.

Intelligent control development needs: mobile control, multiple control combination, intelligent induction control and AI control, etc.

According to the three elements of people's life scene, product intelligence and intelligent control, the systematization of product and architecture has been gradually formed.

Figure 2 design demand analysis model of smart home system

The intelligent home product system is increasingly rich, and the architecture system is also increasingly mature. However, the larger the number of intelligent terminals, the closer the contact with people's lives, once there is a hidden danger of information security, the greater the harm will be. These gradually permeate every corner of the family, and the equipment and network around people's food, clothing, housing, transportation and safety bring people comfort and convenience, while the hidden danger of information security becomes a concern that can not be ignored.

Behind the intelligent home furnishing, are security concerns only concerns?

In recent years, intelligence has become the outlet of the second rise of home appliance industry. All enterprises are trying to explore intelligent technology and related model changes. However, with the expansion of the base of intelligent home appliances, information security has become an important part of the intelligent development. The devices and networks distributed in every corner of the family provide new capabilities, but also increase new hidden dangers.

Fig. 3 connection frame of smart home equipment

On May 12, 2017, the wannacry bitcoin blackmail virus broke out. In just two days, the virus attacked more than 150 countries around the world, making a large number of computer files unable to operate normally after being encrypted and locked. More than 200000 people were affected, and the government, hospitals, postal systems, universities, railway stations, gas stations, self-service terminals and other fields were infringed. A month later, on June 18, CCTV revealed that The home smart camera that can be easily intruded can be cracked by purchasing a scanning app for 188 yuan. The IP address of the camera in the user's home can be remotely controlled to steal or intercept the face change of the camera. The cracked IP address is also sold in public, and the user's privacy is gone. If bitcoin virus is a threat to our work environment, then the leaked camera extends its black hand to our home life, and its harm is extremely frightening.

Coincidentally, a report released by ARS technica, a well-known US blog media, said that a new concept mode of hacker attack can easily attack and invade a large number of smart TVs of various models by eavesdropping air signals. Once the hackers control the smart TVs of end users, they can infringe the interests of users in various ways. Through remote control of smart TV, it can invade and attack other more devices in smart home network. It can also use TV camera and microphone to snoop user's privacy, turning smart TV into privacy snooping device and eavesdropper.

With the wide application of the concept of intelligence, home appliances, automobiles, access control and security, medical equipment, etc. are becoming the products of IOT and intelligence. Home cameras, smart gateways, floor sweepers with cameras, smart TVs, game consoles and other devices are easy to become "ear and eye spies". Once they are remotely intruded, they are easy to disclose the privacy picture of the user's home, and may also cause the bank card password, social software account and other information disclosure. In addition, intelligent rice cookers and microwave ovens with certain functions may become "attack spies", which may cause destructive accidents such as fire after being controlled remotely.

Smart home security exploration never stops

The discussion of smart home security should be traced back to its architecture and related links. In the reference architecture of the Internet of things (GB / T 33474-2016), from the application and data flow of the Internet of things, the entity and information content involved in the process of information exchange are defined, and the corresponding relationship between the technology of the Internet of things and the conceptual model domain is made. As a typical application field in the Internet of things, this system is also applicable to smart home.  

Figure 4 communication reference architecture of Internet of things

Figure 5 correspondence between Internet of things technology and conceptual model domain

Based on the components and systems of smart home, the networking links of smart home mainly include: sensing network, home intranet and Internet.

Figure 6 network design of smart home

The terminal device environment is indispensable for smart home, but the sensitive information of the device that the attacker can control and access at will, such as reading all the sensitive data of the running app, including the algorithm key. For the app with unprotected key, ordinary "hackers" can use the reverse tools circulated in the market to debug and analyze the code execution process, locate the key code and extract the key information. Once the algorithm key is extracted, the data of the entire app application does not have any security.

Because of the existence of black ash production, the code of streaking will bring all kinds of bad experience and danger to our life. Code security is the underlying support of other security schemes. In the face of Embedded Internet of things devices with various chip architectures and complex operating environment, traditional code security schemes will fail, and people will face more and more obvious information security risks, such as:

The terminal equipment is outside the firewall, which is very vulnerable to physical attack, malicious tampering, piracy and other risks;

Data transmission protocol is cracked, sensitive information is stolen or data packets are forged, which causes property loss to users and enterprises;

API interface is analyzed, operation data is abnormal, platform vulnerability is mined, DDoS attack, data leakage;

The core technology is stolen, sensitive data is leaked, key is extracted, device fingerprint is cheated, device location is cheated.

In order to promote the healthy and sustainable development of smart home industry, the state has been researching and launching relevant policies and guidance. In November 2016, the guide for the construction of integrated smart home standardization system jointly formulated by the Ministry of industry and information technology and the National Standards Committee clearly stated that by 2020, a standard system meeting the development needs of China's smart home industry will be initially established. Recently, AQSIQ and sac approved the release of "Internet of things smart home data and equipment coding", "Internet of things smart home" Equipment description method and general technical requirements for intelligent home automation control equipment are three national standards of intelligent home series, focusing on the five aspects of text graphic identification, data and equipment coding, equipment description, user interface and design content to define and standardize the intelligent home of the Internet of things in detail. Relevant enterprises are also actively exploring and practicing.

Smart home security, several dimensions in action

As a provider of white box code security solutions, kiwi security is also committed to the research of security technologies and solutions in this field, and forms a series of product systems around app security services and terminal application protection.

Figure 7 several dimensional security system

App security services

Including app security testing, APP penetration testing, APP source audit, etc.

For example, APP security detection products can perform code detection, protection detection, piracy detection, vulnerability scanning, authority detection and other five functions for Android App APK package, covering more than 80 risk points in total, completing static analysis and dynamic analysis detection [real machine detection] in an average of 10 minutes, generating visual online reports and offline reports in word format. Help users to carry out safety inspection before releasing app to avoid potential safety problems causing economic losses.

Terminal application protection

Including java2c source protection, source virtualization protection, APP application reinforcement, Lua source protection, so library source protection, IOS source protection, IOT security compiler, security key white box, etc.

For example, APP application reinforcement products, users only need to provide APK package to quickly integrate multiple security functions such as anti static tool analysis, DEX function encryption, so file shell, memory protection, anti debugging, anti secondary packaging, etc., to achieve multiple security protection such as DEX encryption, anti debugging, anti-theft version, etc., to avoid core code being decompiled, The request protocol is forged, the APK package is implanted with malicious code and many other security issues.

A case study

As one of the most important security devices in the family, the smart camera brings us a lot of security and convenience, but at the same time it is a double-edged sword, which also has some hidden dangers for personal privacy.

In view of the possible information security hazards of smart cameras, the product quality supervision department of AQSIQ organized the quality and safety risk monitoring of smart cameras. A total of 40 batches of samples were collected from the market, mainly in accordance with information security technology (GB / T 22239-2008) Basic requirements for information system security level protection and other standard requirements, the update of the operating system, malicious code protection, identity authentication, weak password verification, access control, information disclosure, data transmission using safe and effective encryption, local storage data protection and other items are tested. The results show that 32 batches of samples have potential quality and safety hazards.

In the face of the incident that the smart camera is frequently cracked and the privacy video is leaked, several dimensional security experts found that the risk points mainly include:

Identity authentication

At present, smart camera system widely uses password (weak password, default password) for identity authentication. As long as the password is entered correctly, the monitoring image can be accessed.

Video stealing

In the process of video transmission to video monitoring service providers, network service providers and operators through the network, illegal personnel can intercept network signals and obtain video.

Remote control

Control the camera at will by cracking the camera code and imitating the camera control signal.

Crack client app

At present, smart cameras support access control through authorized apps, but most apps are not secured and become the main entrance of hacker attacks.

Data Replay

Invade the video transmission network, control the sending sequence of camera video stream, and send fixed video image repeatedly.

Data replacement

Change the video source to replace the video.

Take the camera as the springboard

Through the upgrade function of the camera and Linux vulnerability, illegal programs are loaded, and the camera is used as a springboard to attack the Internet of things system or intranet.

Attack data center

Through the transmission network intrusion video monitoring center processing system, control the background video server and storage equipment, get more sensitive information.

Combined with the above analysis, several dimensions of security put forward a systematic strengthening proposal for the security management of smart camera system, that is, adopting front-end code security protection + network transmission security + mobile application security reinforcement, and combining code audit, penetration test, security access and behavior audit.

Figure 8 overall solution for security reinforcement of several dimension secure home smart camera

Concluding remarks

"Everything is connected and safety comes first", not to mention the family closely related to people's life. With the development of Internet and the popularization of Internet of things technology, smart home is gradually understood and accepted by people. Smart home is starting to spread and popularize with a prairie fire, bringing people a new way of life. It has a long way to go to deeply analyze and remove the hidden dangers behind intelligence and reconstruct an intelligent and safe livable space for home.