The recent botnet attacks have called into question the security of all our various Internet of Things (IoT) devices, and rightfully so. Those attacks happened because people like you and me had routers, webcams and other gizmos in our homes that were not properly secured. Some of those security issues are fixable by general users, but many are not.
The majority of the devices that were involved in the DDoS attack on Dyn, for example, were compromised using a security hole that came from one of the devices’ chipset vendors. This was something that most users wouldn’t be able to change even if they knew to try.
We Have a Problem. Is HomeKit the Solution?
A lot of discussion has centered around solving this problem going forward. Indeed, the botnet that attacked Dyn is still very much alive, functional and, in many ways, unstoppable. One of the regular chimes I hear in our Apple-centric universe is, “HomeKit is secure, it must be the answer.”
HomeKit is secure. The transmissions between your iPhone and HomeKit-enabled devices are encrypted using some of the best security that exists. Problem is, HomeKit might not be the only way to access those devices. Indeed, it’s rare that a Wi-Fi-based smart home device is built to use only HomeKit. Most devices support HomeKit amongst a sea of other access options, often including a self-branded application or web service from the device manufacturer.
HomeKit is the most secure of any of the methods we’ve seen, which therefore means all these other methods are less secure and potentially easier to hack. In addition to that, there are the aforementioned security holes that can exist in the devices’ chipsets themselves, having nothing to do with the stated purpose of the device.
Plugging the Holes
An obvious question, then, is why don’t device manufacturers plug all these holes? The good news is that many do. In researching this article, we spoke with quite a few smart home device manufacturers, and all of them responsibly spend time closing off all access to their devices before meticulously opening only those ports and services that are required for proper operation. That still leaves an access target, but it limits it to something the device manufacturer is aware of and hopefully can control.
The important thing to note, though, is that HomeKit’s device specification and certification process does not require manufacturers to perform any security beyond that which relates to HomeKit access. You could theoretically have a HomeKit-enabled device that contains one or more non-HomeKit security holes. Thankfully we haven’t found one yet, but it is most certainly possible. Even in that case, though, the HomeKit transmissions and data would still be secure, and even a hacked device wouldn’t allow access to your iPhone or any of its data. HomeKit keeps all that contained.
What Can I Do To Protect My Devices?
The other thing you can do is to secure your home network. Router manufacturers are in a unique spot to help detect and even prevent these kinds of attacks, but until they’re up to speed with this, you need to do the work yourself.
Consider disabling UPnP or NAT-PMP on your router and using manual port forwarding instead. UPnP and NAT-PMP allow your devices to automatically request that certain ports be forwarded to them, and can often be the source of unintentional (or intentional) security holes. By manually forwarding the requested ports you’re in a position to prevent unnecessary external access to your devices in the event some malware makes its way onto one of them in the future.
Additionally, choose devices from known, trusted vendors and ask them about each device you plan to use. Check with us, too. We’re regularly testing these things and we talk about this kind of security on Mac Geek Gab all the time. Check online to see what others say. The bottom line is: do your research, and know that we’re here to help.