The Risk of “Credential Stuffing” to the Smart Home

"Credential stuffing" is a dangerous brute force attack to which smart home owners are particularly exposed. We need better admin. and cybersecurity practices.

596
Image of a home being protected by a password box
Illustration: © IoT For All

As technology advances and the costs of connecting electronic components to the internet decreases, the cost of having a connected “smart home” also decreases. Sensors placed throughout a house and integrated into home appliances can provide homeowners the advantages of monitoring and managing functions of the home remotely. The highest-ranking risk to a smart home has been calculated by Ali & Awad as unauthorized access to the smart home system.

Credential Stuffing

With the recent aggregation and dissemination of billions of cleartext passwords to the public, credential stuffing attacks to gain unauthorized access to smart home systems are becoming more prevalent and successful. Credential stuffing attacks to the smart home can be mitigated by security controls. Controls must be implemented to ensure authentication to the smart home services is secure. Additionally, the process and methods by which smart home users govern their usage of credentials for all accounts must be well developed with security in mind.

Understanding the Smart Home

There are three components of a smart home: indoor, outdoor and gateway. These three components need to be taken into consideration when evaluating the inherent risks. There is one component of the architecture of a smart home that can affect all three components. Access to the application layer can allow full control over all connected devices of that platform.

Two security researchers, Ali & Awad, used the operationally critical threat, asset and vulnerability evaluation (OCTAVE) framework to identify the general cybersecurity risks to smart homes as the highest risk to a smart home as unauthorized access to the smart home system.

Rehman & Manickam describe the masquerading attack as being the highest threat against unauthorized access to the smart home system. Masquerading can be security gaps in programs, bypassing the authentication mechanism or a hacker using stolen login IDs and passwords. Masquerading by using stolen login IDs and passwords found in a previously disclosed breach is called a credential stuffing attack.

The Threat of Unauthorized Access

Recently an excess of a billion usernames and associated passwords have been released and are currently circulating the internet. This aggregation of data is called the “Collection” and it poses a significant risk to smart homes. This trove of validated credentials gives hackers the ability to search almost anyone and retrieve an old but potentially currently used password. These credentials have previously been leaked in a breach and released to the internet in cleartext.

The risk of this data has been cumbersome to companies as they try to catch up and protect their users against reuse of the old passwords or variations thereof. There are many sources to substantiate that credential stuffing is an issue and password reuse is continuing to be a concerning issue facing the security industry today.

Nest, a large reputable smart home device provider owned by Google, is being applauded by the security community for proactively locking users out of their account until they change their passwords if Nest found their customer’s passwords among those that have been leaked.

How to Protect a Smart Home

While someone cannot control how well a smart home technology provider secures the authentication to the devices, there are measures a smart home user can take to add additional layers of security. A smart home user should only choose technology that offers technical security controls to protect against authorization attacks such as two-factor authentication. More providers are offering this as an option to secure accounts but are not enabling it by default.

Using two-factor authentication to your smart home services drastically reduces the risks of unauthorized access. Two-factor authentication should be enabled at all opportunities. Administrative security controls can be used to change the process that a smart home user uses credentials.

Less technical policies like never reusing the same password twice and enforcing rules to store passwords somewhere safe also reduces the risk of credential stuffing. Having a unique password for all services takes more time and is difficult to remember so Haber & Hibbert recommend a password manager as a good strategy to protect against credential stuffing.

All passwords used for smart homes should exceed the minimum complexity requirements of these services. One final way to protect smart home users from credential stuffing is to use the Google Chrome extension called Password Checkup. This recently released tool alerts whenever it sees the user using a username and password combination that has been identified as leaked in a breach.

The greatest risk identified to smart home users is unauthorized access to the smart home system. With breaches happening often and aggregated data from previous breaches circulating the internet, the greatest vulnerability to unauthorized access in the smart home is the credential stuffing attack due to the low required technical skill to execute, high success rate and increasing availability of breached data.

Combining technical security controls such as password managers, enabling two-factor authentication and Google’s Password Checkup tool along with administrative security controls can greatly reduce the risk of owning a smart home.

Policies governing the use of passwords to ensure credentials are not reused and meet complexity requirements are measures that can be taken by the end user to better protect themselves not only in smart homes but in all services that require authentication.

The smart home industry is growing as more disabled and elderly individuals are finding the value in the automation aspect of the devices enhancing their lives by promoting independence. The advantages of data analytics on smart homes are reducing the costs of home ownership as new smart devices can capitalize on maximizing the savings on variable costs in the home, such as heating and cooling.

Credential stuffing isn’t new, but this risk is becoming more prominent of an issue as breaches continue to occur.

Written by Tyler Wall.