
Does Remote Access compromise your KNX Home Security?

Security should be a top priority in home automation, certainly when allowing for remote access! Thinka provides secure remote access for KNX with an integrated KNX IP Gateway.

Why is security important in your smart home?

Your smart home needs to be convenient, versatile, and reliable. It also needs to be secure.

Yes, this means maintaining the security of your actual home and devices, but also your data privacy. A number of high-profile security breaches in the smart-home and IoT (Internet of Things) sphere in recent years have made security one of the top ‘must-haves’ for any smart automated home.

In one terrifying example, researchers at Ben-Gurion University revealed that it was possible to easily hack a small smart home accessory (like a light bulb) and, using this, turn off the security alarm for a home. They were able to do this by making the system think the owner was home, just by accessing the light bulb and toggling the bulb settings to ‘at home.’ The researchers tested 16 randomly-selected devices and were able to hack all of them by a methodical process of reverse-engineering.

Shockingly, although all devices were password-protected by the manufacturer, the easiest used ‘1234’ as the password, whereas a high-end baby monitor took just 2 days to crack.

It is not only about preventing hackers from accessing your home; what about someone listening in on your private conversations? In 2019, Google and Amazon came under fire when it became known that their Alexa and Google Home Voice Assistants were recording private conversations and that thousands of their employees had access to listen in.

Back to home security: alarming research in the Netherlands discovered that 17,444 buildings with KNX systems were accessible to hackers. Although KNX systems are innately secure by design, this researcher was able to exploit weakly-protected IP gateways to gain access to the KNX system and remotely control every single feature within it. We’ll explore how this happens later on, but it is clear that security should be high on our list of priorities. The security considerations will vary from system to system, but whatever home automation system you choose, security needs to be a top consideration, and all aspects of the system need to be considered.

How safe is your KNX home?

So, just how safe is your KNX home? This will depend a lot on which system you use and just how well it is set up.

Each system will only be as secure as its weakest link, so while a wired KNX system has security built into its ‘DNA’, this can be undermined by an improperly-installed IP gateway which is inadequately secured. This can happen, for example, when your integrator decides to install an IP gateway and leave it in place to provide ‘backdoor’ access (to allow remote assistance and for configuring networks remotely). KNX IP gateways can be secure, but they need to be properly configured for this by an expert.

For a wireless system (which uses radio frequency (RF), Bluetooth, or WiFi signals to communicate between devices), it is possible for a weakly-secured device (like a lightbulb) to be hijacked, and the entire system can be compromised this way. It takes a little effort from the hacker, but the fact that the signals are flying around in the air (and not contained safely in wires) means it is inherently less secure. One factor in the hackability of many wireless devices is the fact that these sit in a lower price category. So there are loads of generic ‘compatible’ devices being churned out with little regard to security or long-term product support.

It isn’t all about the security of your home, or worrying about being burgled. Another big concern is data privacy: what happens to the data stored about you, or your home, and how are the automations processed? Where is the video feed for your cameras stored? Is it secure? These are serious questions to consider.

The threats from individual devices

As we have seen, if a device isn’t secure enough, it could be hacked. This could enable it to be controlled by an unauthorised person, and potentially allow someone to unlock your doors, access your camera feeds, or worse. Big-brand smart home device manufacturers are very aware of these concerns, and you should expect a high level of security from approved devices. Apple, for example, has a rigorous certification program, meaning any device that is certified for its HomeKit system is fitted with a special Apple authentication chip which provides end-to-end encryption.

There is a big difference, however, between approved, ‘Certified’ devices and ‘Compatible’ devices. Many ‘compatible’ devices are made by ‘pop-up’ tech companies and ‘kickstarter’ brands that do not have the expertise, resources or stamina to see a certification process like that of Apple HomeKit through, and provide adequate security support for their products. Also, who knows how long the company will be around for? So, this is a pretty convincing argument for sticking to official or fully-certified devices.

The threats from weak data privacy

Each independent smart accessory will usually come with its own app, which has all the vulnerabilities of any piece of software (as well as being a pain in the ass to figure out which app is for what device). The threat here really is twofold: malicious control, and violation of data privacy. This can depend also on how the app works; it may rely on cloud processing and storage to perform tasks, in which case this needs to be authenticated, secure and encrypted. Could the remote servers be hacked? Would your information be securely encrypted? This may again depend on the reliability of the company who makes the device/app. Yet another reason to go for big, established brands that can afford a good security team.

Both Google and Amazon require smart home users to have a registered account, and all information about their home system is stored on remote servers (along with all the automation settings). Although the servers of Google and Amazon themselves are adequately secured, there is still the possibility of information being intercepted as it travels between your home network and their servers. And even if you trust these companies to secure your data privacy, you should have the right to choose.

So what if someone can see what devices you have in your house?

As we have seen, even a KNX installation might be vulnerable if equipped with an unsecured IP gateway; this presents the real possibility of a ‘bad actor’ gaining access to your automation settings (or controlling the entire system). In theory, this could allow someone to see what devices are in your home, figure out details about your home itself (how many rooms it has, if children live there etc.), and to see what automation settings or scenes you have already made.

Collectively, this provides a window into your life: where you live, what’s in your house, when you are at home and when you are NOT at home.

5 Tips for securing your smart home

Security is a balance between safety, and being able to enjoy life and live it to the full. So, you are the one to choose a security level that suits you and your lifestyle.

Our 5 tips to take along for securing your smart home:

Tip 1 - Buy Certified Products

Ensure the smart products you bring into your home are certified products, and not products that are merely ‘compatible with’ a system. As with most things in life, you get what you pay for. The lowest bidders are not necessarily the best choice, certainly not when it comes to securing what is most important to you: your family, privacy and home.

Tip 2 - Choose an established home automation standard

Think through what home automation standard you want to build your smart home upon. Established standards like Z-Wave (Wireless) or KNX (Wired) have developed security protocols like Z-Wave S2 or KNX Secure, ensuring data encryption and device authentication.

Tip 3 - Brace yourself for Cloud Computing

If you have smart products in your home that depend on cloud computing/processing, like Amazon Alexa or Google Home Assistant, your private data will travel the internet. Of course you have to make sure your account and network are password protected, and make use of a VPN (Virtual Private Network) where possible. Check whether and how your smart home solutions and devices encrypt your data before it is exposed to the cloud.

Tip 4 - Wired versus Wireless Home Automation

The virtues of wireless home automation are quite clear: you can start small and grow into home automation by gradually expanding the number of smart devices, and you can use it in your existing environment with no need to renovate the house. If you are kitting out your entire home with home automation, you want to consider wired home automation systems, like KNX. KNX systems are innately secure because they are hard-wired and effectively ‘air-gapped’ from the outside world, with your total home automation running locally. In addition, KNX has developed its own security standard, KNX Secure.

Tip 5 - Apple HomeKit

Even with a wired, locally run home automation system like KNX, you do want to be able to control your KNX home remotely and make use of location-based automations (geofencing). With HomeKit coupled to a KNX system, you have the best of both worlds, as all critical information stays within the home, on the Apple Hub, even when installing remote control or geofencing via your iPhone. What little information is sent out (or stored) is encrypted and anonymised. Not even Apple will know whose information it is, and it is only information that relates to the functionality.

The HomeKit system has additional security benefits, as the HomeKit Certification requires smart home products to meet Apple’s high standards and integrate an MFi chip for authentication and end-to-end encryption of data.

Once your information leaves the home, there is no guarantee how it might be intercepted, retained, or handled. This can be avoided by using a more secure system like Apple’s HomeKit.

Secure Remote Access to KNX

Why would we want to compromise a secure KNX system by offering installers remote access to KNX?

Well, home automation is all about convenience. So how convenient is it to need to wait around all day for a system integrator to come and fix or make other changes to your KNX system? For that matter, how convenient is it for the integrator – who needs to drive around the country to make home visits?

Not very convenient at all - especially when it could be diagnosed and fixed from the comfort of their own office!!! That would save money and time for you, and help your system integrator to assist more clients during the working day. For this reason, KNX system integrators like to offer remote assistance for their clients. It benefits everyone, and keeps costs low. Therefore, a KNX-IP gateway is installed.

A KNX installer needs a KNX-IP gateway for a couple of key tasks. During the configuration, all devices are added to the project file for the home using an ETS tool. The system installation and configuration is mostly done on-site, making use of a KNX IP Gateway. But in the aftermath of installation and configuration, adaptations and fine-tuning are needed. In these cases the IP gateway becomes useful again, as your installer can perform a remote diagnostic on the system and see if a home visit is necessary. If the problem doesn’t require a home visit, or can be fixed remotely, even better! For this reason, integrators leave the KNX-IP gateway in place with backdoor access, for them to remotely diagnose problems (and potentially fix them too). So your installer will need a separate KNX IP Gateway when setting up or maintaining your KNX smart home.

But there is a smarter alternative to this.
Thinka KNX PRO has a built-in KNX IP gateway for the KNX system, and offers remote access to KNX via ETS over VPN.

Thinka KNX PRO with built-in KNX IP Gateway

The standard Thinka HomeKit for KNX already makes it possible to change your KNX home into a truly smart home, with all the 21st century smart home automation that HomeKit has to offer. With our standard KNX HomeKit Bridge, a homeowner can take control of her KNX system via HomeKit, without the need to call a system integrator for setting up scenes or automations like geofencing. Also, with Thinka KNX connected to a KNX system, HomeKit certified products like Philips Hue and Sonos can safely be connected to the KNX system.

And now, with the same product, you can also provide your installer KNX remote access in a secure way! Launching April 15 2021, Thinka KNX PRO will be combining the Thinka KNX with a KNX IP Gateway and a VPN connection for secure remote access via ETS to the KNX system of your customer. Remote ETS programming or troubleshooting, and remote access to the KNX system itself is now possible in a secure way.

All the convenience, without sacrificing security or data privacy.

Secure remote access to KNX for your integrator, and all the advantages for you as a homeowner to being able to bridge a KNX system to Apple’s HomeKit.

Read more about the different levels of Secure Remote Control to KNX Thinka has to offer.

Thinka KNX PRO is available for sale as of 15 April 2021.