Open Sesame

I’ve been more than mildly disdainful about biometric security systems (i.e. fingerprint readers such as the one on the Apple 5s) and the security of home automation systems in the past. I’d like to take a couple of minutes to continue that line of thought.

The reason? Apple has just been awarded a patent for a “System and method of determining location of wireless communication devices/persons for controlling/adjusting operation of devices based on the location” Say what? According to the abstract, it’s a method by which multiple servers can sense the position of a phone, tablet, badge, or other such device; the servers can coordinate their information to deduce the location of a particular person, and use that location information to automatically take actions such as turning on lights, unlocking doors, changing thermostats. Such a boon to humanity, who will be freed of the intolerable burden of flipping light switches, turning keys, and pushing buttons!

I’m not even going to start on the idiocy of awarding this patent; let’s just take it as given that the patent system is irretrievably broken at this point. Instead, let’s talk about the idiocy of the patent itself. At least with existing home automation/security systems, the user has to take an affirmative action to make something happen (in other words, they have to hit a button in an app to turn off the alarm and open the garage door). In a system using Apple’s patented technology, they just have to have their iPhone in their pocket when the drive up to the house. So now if I want to break into your house, I don’t need to hack your security system, I just need to steal your phone. In case you hadn’t heard, phone theft is right up at the top of the charts for petty crimes these days.

“But wait!” I hear you cry. “Doesn’t the phone need to be unlocked?” Nope. According to the patent, the “…devices are instructed to send… data… upon satisfaction of particular conditions. For example, a phone can transmit a detection signal each time that its communications are routed to a new cell tower”. Nothing in there about unlocking; to the contrary, in fact: nobody is going to unlock their phone every time they switch towers; chances are they don’t even know when they switch towers (I don’t, certainly, and I’ll bet significant quantities of pretzels that you don’t either.)

It gets even better worse. The patent specifically mentions using the technology to control music players and “any other device for which different types of operation are desired based on whether a person is nearby or not.” I know I always want to have the radio come on to the classic rock station when I walk into the living room — even if Maggie is napping on the couch.

Hey, I’ve got a great idea! Perhaps you’ve heard that Tesco is installing facial scanning technology to allow it to target video advertising to customers based on their age and gender. What if we combine the two technologies? We’ll put a camera in ever room and give the servers the ability to detect who’s there, even if they’re not carrying their phone. Now when I walk into the living room, if Maggie is napping on the couch, the radio doesn’t turn on! Hooray!

Of course, the wireless streams from those cameras can’t possibly be picked up outside the house. No way is anyone going to hack the highly-secure wifi signal and share the hilarious home video of me tripping on the footstool because the system was smart enough not to turn on the lights either.

Other handy features: the system can use calendar events as triggers. If it sees I’ve been invited to a party, it can assume I’m at the party location. Too bad the party sucked and I went home early. If I’m at the party, I can’t be trying to get into the house. Better trigger the alarm! It also learns from past behavior. If it normally takes 15 minutes for me to get home,* and I usually turn the oven on when I get there, it can start pre-heating the oven five minutes after I leave work (yes, our oven does take a while to pre-heat). Too bad I’m going out to dinner tonight (or, since it probably checks my location in transit to be sure I’m coming home, too bad I’m just nuking leftovers tonight.)

* Apparently Apple is not targeting this technology at its own employees. Do you know anyone in the Bay Area whose commute is 15 minutes from logging off the computer to arriving at the front door?

My favorite learned action: “If a person is likely to activate a security system every time he leaves the house, the security system… can be activated upon determination that the person has moved from inside the house to an adjacent area such as a front porch or a garage.” Because of course I want to set the alarm when I step outside in the morning to get the newspaper. Because of course, I’m old-fashioned and still read a newspaper.

Sorry, guys. I’ll stick with flipping light switches and all that primitive nonsense. If nothing else, I can use the exercise.

Home Insecurity

If there’s one thing we should have learned over the years, it’s that there’s no such thing as a secure system connected to the Internet.

Apparently we haven’t learned that lesson yet.

One of the up-and-coming trends these days is to link home automation systems to home security systems. Comcast’s XFINITY system allows you to connect your lights and thermostat. So do AT&T’s My Digital Life, ADT’s Pulse system, and the less well-known vendor’s systems.

And they also offer the ability to connect to the connected devices via the web and smartphone apps. Check the cameras from work, turn up the heat if your dog is cold, make sure your kids are home from school, and that they don’t have unauthorized guests.

They also let you arm and disarm the security system remotely. “Forgot to set the alarm? No problem! Want to turn off the alarm and turn on the lights as you walk up from the curb? Easy!”

The problem? For obvious reasons, most of the systems use standard parts (controllers, sensors, etc.) that use one of a small set of standard protocols for communication and control. Arguably the most popular is the Z-Wave wireless protocol; several presentations at the upcoming Black Hat USA and Def Con conferences will highlight vulnerabilites in Z-Wave. Worse yet, a presentation two years ago pointed out that only one device was using encrypted communication, and it was incorrectly implemented such that an eavesdropper could easily intercept the encryption keys and decrypt all of the traffic.

Cheerful thought, huh? It gets better: the latest systems even let you lock and unlock the doors. No need to carry a key any more. And now, no need for burglars to break down your door, either. Just hack the system and check the cameras to make sure nobody is home. If not, turn off the alarm, unlock the door, turn on the lights, and help yourself.

Alarm companies tell us the advantage of an alarm is that it encourages burglars to move on to a neighbor who doesn’t have an alarm. If it’s true though, and if the systems are really as vulnerable as the crackers say, it’s not going to take long before there are “one-click” security crackers similar to programs for cracking webcams. Why risk the noise of breaking a window when you can install an app on your stolen, jailbroken iPhone and walk right in?

(399 words)