Smart devices have started to find a place in our homes for quite some time now, and it’s safe to say they’ve already become a mainstream technology. In fact, 14.2 billion connected devices will be used in 2019, and by 2021, the total number will reach 25 billion, according to Gartner. All of them are part of the huge network of Internet of Things (IoT).
Everything from lightbulbs, thermostats, and doorbells, to dishwashers and even your front door locking system, can now be designed as a smart device connected to the Internet. As we gradually transition to a future where all devices can potentially be interconnected, we must be prepared to embrace their advantages but also to be able to face the risks.
Unlike “standard” computer hacking, overriding IoT devices could result in physical damage and threaten your life. Not only that, but IoT hacks can also expose your personal data.
I know that controlling the devices from your house using your smartphone can be extremely convenient. Yet, there have been many reported cases of hacked devices. Paradoxically, gadgets that are supposed to keep you safe and make your life easier could put you in danger.
A single lightbulb could give hackers full access to your Wi-Fi credentials
Here’s how a hacker, who goes under the name LimitedResults, managed to hack a lightbulb from LIFX, a company that produces Wi-Fi connected smart lights. The hacker was able to extract the owner’s Wi-Fi login and password, among other data, in under an hour.
The light bulb can be controlled through a smartphone app and according to LimitedResults, the weak (or nonexistent) security measures on the lightbulb itself at that time made it possible for the device to be accessed.
The hacker bought one of these lightbulbs on Amazon and used a handsaw to open it and get access to its main chip. Then, the lightbulb’s chip was connected to another chip that allowed access to the bulb’s hardware using a USB port.
The Wi-Fi user and password were stored in plain text in the lightbulb’s memory, and the hacker was also able to extract the encryption key. It also seems the gadget did not have any security measures in place, meaning that anybody could control the device and write data to its memory.
LIFX was informed about these vulnerabilities and they claimed they had them fixed.
Things can get much worse
The case I’ve shown above is just a mere example of what an attacker could do, but things can get much more serious than that.
One of the worst IoT attacks in history was recorded back in October of 2016, when the company Dyn that controls much of the world’s DNS infrastructure, was hit by the Mirai botnet. Many websites, including Twitter, the Guardian, Netflix, Reddit, CNN, and many others were taken down.
Mirai is different from other botnets, which are normally comprised of computers. Mirai is mostly made up of IoT Devices, such as digital cameras and DVR players.
How did this attack work? After a computer got infected with Mirai, it continuously searched the internet for vulnerable IoT devices and used default usernames and passwords to log in, infecting them with malware. In the October 2016 attack, it was estimated that 100,000 endpoints were affected.
The easy way to protect yourself against malware
Here's 1 month of Thor Foresight Home, on the house!
Use it to:
Block malicious websites and servers from infecting your PC
Auto-update your software and close security gaps
Keep your financial and other confidential details safe
A disturbing incident happened in February 2017, when smart toys manufactured by Spiral Toys were hacked, leaving children’s voice recordings and personal information exposed. More than 800.000 users were compromised, and the details obtained included email addresses and passwords. The leaked information was stored in an online database that could easily be accessed by anyone without requiring a password. An additional 2.2 million voice recordings were stored online.
At the beginning of 2019, a homeowner reported that his smart cameras and thermostat had been hacked. When he approached his baby’s room, he heard someone talking in a deep voice to the child, and his wife also noticed that the thermostat had been turned up to 90°F (32.2°C). And just as she brought his son to the living room, a smart camera automatically turned on and someone began cursing at them. All of these devices were made by the Nest brand, which is now owned by Google. The company said its systems had not been breached and accused the customers of using “compromised passwords that were exposed to breaches on other websites”.
Are you feeling like in a Black Mirror episode yet?
IoT companies could do better when it comes to security
Many gadgets from well-known manufacturers already have security measures built in, but you can never be certain they can offer you complete protection. Also, devices produced by less popular brands and start-ups may lack the know-how or have a limited budget allocated to security.
Prevention is essential. But unfortunately, many IoT devices are not produced with security protections in mind.
Manufacturers must address security issues right from the first stages of the product design, rather than starting to think about them when the product is fully completed and ready to launch it on the market.
IoT companies need to incorporate secure coding standards and penetration testing practices into the development of these products, so they are built on solid security foundations. What’s more, software security patches constantly need to be ensured and applied by vendors.
Sadly, most IoT producers operate with a profit-first, security-last mindset, trying to reduce the costs and time to market as much as possible. This is why a certain level of skepticism and paranoia will actually be beneficial to you in the long run when it comes to choosing your smart home devices.
Regulations seem to be the only incentives for companies to better secure their IoT devices. For instance, members of the U.S. Congress introduced the IoT Cybersecurity Improvement Act of 2019, “to leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.”
Biometric authentication for smart home devices could be the answer
Fingerprint and eye scanning, voice and facial recognition – these are methods of biometric authentication already used by people to obtain access to a wide range of devices and systems.
The reason is quite simple: it’s nearly impossible for two biometric pieces of data to be identical and this would increase the overall level of security. The idea is backed up by IoT experts who claim biometric authentication is vital when it comes to IoT.
How to protect your smart home
Statistics are showing that you can get hacked in less than five minutes after installing your brand new smart home device.
So here’s what you can do to stay as safe as possible.
1. Do your research before you purchase a smart home device.
I know it can be a true challenge to determine if the gadget you are planning to invest in is a good choice, especially security-wise. When you browse the internet for smart home devices the possibilities may seem endless and you won’t know where to begin.
But make sure you don’t purchase the first thing you come across. Look for reviews, try to find out if the company was involved in any security incidents and see how they handled them.
Here are a few important things you should ask yourself:
- Does the manufacturer mention anything regarding security on their website?
- Have they actually implemented any security measures?
- Do they allow you to update your devices or provide automatic patches?
2. Change the default username and password of your IoT devices
It’s estimated that 15% of IoT device owners don’t change their default passwords.
This basically means that millions of devices remain exposed since they have the same password that’s listed in the documentation manual. Hackers who want to create botnets use brute-force attacks and employ default login credentials to override these devices and add them to IoT botnet. For instance, the Mirai IoT malware only used 62 username and password combinations to create its botnet.
So, prevent becoming part of an IoT botnet chain and make sure you change your credentials. Don’t use funny and insecure passwords! Use our hacker-proof passwords guide instead to be certain your password is unbreakable.
3. Keep your smart hub secure (if you own one)
Some of you may use smart hubs, which are a central point for controlling all of your smart home equipment. And yes, if a smart hub is hacked, you guessed the answer – this means an attacker can gain access to all of the devices connected to it, and potentially steal your data and/or wreak havoc into your home.
4. Apply security updates to your smart home devices promptly.
Ideally, software patches should be applied automatically by IoT vendors. However, if you have to update the gadgets yourself, do not postpone the process. Here you can read more about why software updates are so important.
5. Use two-factor or biometric authentication when your devices allow these options.
Two-factor and biometric authentication methods are some reliable options that provide extra layers of security. Go through our guides for in-depth explanations:
6. Secure your Wi-Fi Network
Your wireless network could be the gateway to intruders in your smart home. We recommend you also read our guide to understand why this is important and learn how to increase your home network security:
A connected device represents a potential security gap in your system. Thus, wherever the opportunity arises, hackers will rarely miss the chance to interfere with your devices and data. This is why is critical for both IoT manufacturers and consumers to do their best to stay on top of cybersecurity threats.
Do you own any smart home devices? How do you keep them safe? Let us know in the comments section below.
The post Your Smart Home is Vulnerable to Cyber Attacks appeared first on Heimdal Security Blog.