Internet‑Connected Homes Are Frighteningly Easy to Hack
Today, almost all electronics we use are smart home devices that connect to the Internet. They could be the doorbell, a home security camera, a baby monitor, a coffee maker, a TV, a tablet, a phone. These devices are meant to ease our lives, but they make life more difficult in one major way: They’re incredibly easy to hack, a new study finds.
Cyber researchers at Ben-Gurion University in Israel tested vulnerabilities of common home devices that operate as part of the Internet of Things, that is, any network to which a smart device can connect. (If you’ve got an app on your smartphone that lets you remotely watch your baby at home or at school, you’ve got an IoT.) The researchers, on average, took only 30 minutes to hack the password for most devices they tested; some default passwords were even found by a quick Google search of the brand, says researcher Omer Shwartz. Similar makes and models within a brand, and even similar products from different brands, often shared the same default password. This means that once a hacker accessed one smart device, Shwartz says, they could then easily access and control other similar cameras in other households that did not reset their device’s default password.
This weakness holds particularly true for cheaper devices from less established brands, the researchers say, which many people turn to, as IoT devices tend to be pricey.
As many consumers rarely change these default passwords, they could be using malicious and infected software from the first use.
“It is truly frightening how easily a criminal, voyeur or pedophile can take over these devices,” says lead author Yossi Oren, head of the Implementation Security and Side-Channel Attacks Lab at Cyber@BGU. “Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products.”
What is worse, the researchers could in turn connect to entire Wi-Fi networks simply by accessing the stored password on the previously hacked devices.
“It seems getting IoT products to market at an attractive price is often more important than securing them properly,” he says.
Dr. Oren is urging manufacturers to stop using easy, hard-coded passwords, and to disable the devices’ ability to be accessed from remote locations. He further encourages them to make it harder to get information from shared ports, such as audio jacks, which they found to be vulnerable in previous studies. But it may be past the point of no return; such a move would, in theory, defeat the remote convenience of the Internet of Things, eliminating the very thing that has led it to be so embraced. Who wants to go back to an age where they can’t check in visually on their kids when they’re out and about?
Until that Catch-22 is resolved, the researchers are offering tips on how to use smart products safely. They encourage consumers to:
- Buy IoT devices only from reputable and trusted manufacturers and vendors.
- Avoid using second-hand IoT devices, which could already be hacked and infected with malware.
- Research the device you’re interested in; if it has a default password, make sure to change it before installing it.
- Use strong passwords with a minimum of 16 characters.
- Don’t use the same password on multiple devices.
- Regularly update product software; reputable manufacturers provide such updates for their products.
- Carefully consider the benefits and risks of connecting a device to the Internet.
“The increase in IoT technology popularity holds many benefits, but this surge of new, innovative and cheap devices reveals complex security and privacy challenges,” says Yael Mathov, one of the researchers. “We hope our findings will hold manufacturers more accountable and help alert both manufacturers and consumers to the dangers inherent in the widespread use of unsecured IoT devices.”