Why we need Apple’s HomeKit-enabled routers

How secure are the connected smart devices you keep in your home and at work? How much protection have you put in place, and have you even taken a minute to change your default router password?

Computer says no

The truth is many smart home device users (and those running connected devices in smart offices, enterprises, manufacturing and beyond) may not yet have taken stock of their security.

This is a particular problem when it comes to older smart devices, many of which are still in use even though a large number of them shipped with weak or non-replaceable factory default passcodes.

The proliferation of poorly protected smart devices–  in conjunction with weak router security – is a potential gold mine for hackers, who are eagerly attempting to crack into  IoT networks in order to create botnets for future use.

That’s in addition to the inevitable threat that criminals will use poorly protected IoT devices as access points to penetrate networks, harvest personal and payment data, and more.

How HomeKit-approved routers will work

Apple’s promised HomeKit-enabled routers may improve protection.

One of the many iCloud enhancements Apple is attempting to bring to market in 2019, the routers are designed to protect your accessories with a firewall at router level. You can see some screen shots of how this works here, while this report explains a little more concerning how this protection works.

In use, you’ll be able to assign each of your HomeKit devices security permissions as follows:

• Restrict to Home: HomeKit-enabled devices will only be able to speak with each other, which means you won’t be able to access them at all from outside your network.
• Automatic: Accessories can connect to the home router/hub, accessories around the home and approved services on the web.
• No Restrictions.

You set this preference individually for each HomeKit device. Apple is also introducing a HomeKit Secure Video service, which adds layers of protection around CCTV video.

Why does this matter?

To help understand the scale of the threat – and why Apple’s solution is important – reflect on new Kaspersky research that tells us attacks against smart home devices climbed by around 700% in the last 12 months.

Using a network of decoy devices, Kaspersky found that while 12 million attacks originating from 69,000 IP addresses took place in the first half of 2018, 105 million attacks from 276,000 IP addresses took place in the first half of 2019.

The attacks are not particularly sophisticated, the researchers say. In fact, hackers are trying not to be noticed, which suggests they are building botnets – presumably for future DDoS attacks.

“As people become more and more surrounded by smart devices, we are witnessing how IoT attacks are intensifying.

Judging by the enlarged number of attacks and criminals’ persistency, we can say that IoT is a fruitful area for attackers that use even the most primitive methods, like guessing password and login combinations,” said Dan Demeter, security researcher at Kaspersky Lab.

How to protect yourself

While we wait for Apple and router companies to introduce these better-protected routers, how can we protect ourselves? Kaspersky suggests users take the time to check existing security setups, and warns that the most common security combinations in the field are appallingly easy to guess and crack.

“The most common combinations by far are usually “support/support,” followed by “admin/admin” and “default/default,” they said.

Consumer and enterprise users of connected devices should take time to change default password settings to mitigate this.

There are other steps to take:

• Install the latest firmware/security upgrades for all connected devices.
• Use alphanumeric passcodes wherever you can.
• Reboot devices that seem to be acting strangely.
• Deploy firewalls and use a reputable VPN wherever possible.
• Consider creating second non-public networks for your older connected systems – that way, while those older systems may be at risk, your other devices will be less exposed.

The problem with many of these protections is they are not necessarily trivial or accessible to every user, which is how Apple’s HomeKit-approved router scheme should help people protect themselves more effectively.

When will hardware arrive?

The only problem at the moment: we don’t know when these systems will ship. I suspect unexpected challenges have emerged.

Recently announced delays in delivering some previously announced Catalina and iOS iCloud-related features (such as folder sharing in iCloud Drive) suggests tying together that last few pieces of Apple’s nascent HomeKit security model may have hit turbulence, unless the hold-up involves plans to introduce another product designed to work within such an ecosystem.

No matter what computing platforms you run, you should certainly take control of your existing smart home security set-up. Change passwords, update the firmware and make sure your routers are secure.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.