Smart home devices are an increasingly common fixture in American households - and the number of appliances that can get online and automate tasks around the house is growing quickly. At the recent 2018 CES technology expo, home-centric innovations included voice-controlled bathroom fixtures and Alexa-embedded security systems, while over 40% of Americans have adopted some form of smart home tech.
The types of smart appliances for the home cover a huge gamut, but the defining feature of a smart home appliance is that it can be controlled remotely, over the internet or Bluetooth. Such devices are also known as internet-of-things (IoT) devices. A connected home where you can access lights, heating, the cooker or the garage door from a single place - such as the Amazon Echo or Google Home hubs, or a dedicated device app or site - can improve security and convenience for daily tasks. But the very connectedness of IoT devices leaves them open to security risks that are beginning to unfold.
“Think of any smart home appliance as a tiny computer. If you can access or control it remotely, someone else can too,” says Chester Wisniewski, Principal Research Scientist at the security firm Sophos.
Researchers have demonstrated how hacking into a single connected device, such as a security camera or Amazon Echo, can lead to a hack of the entire home network. Last year, the Nest security system was found to have a bug that could be exploited to turn cameras on and off. Even a Bluetooth-enabled teddy bear, designed for kids to receive messages from loved ones, can be hacked and used for surveillance.
Botnets are the biggest risk
Yet the greatest security risk is often not to personal privacy. “Most of us are not being targeted by a specific criminal, therefore we are not at too high of a risk of our personal privacy being impacted. The bigger concern is when these devices are commandeered en masse,” Wisniewski says.
For example, last year, researchers found a flaw in Philips’ Hue smart lightbulbs that would have allowed attackers to infect one bulb with malware that could then spread to any other Hue bulb without 400 meters, eventually affecting all such bulbs within a city. “A brigade of compromised Wi-Fi cameras can be used to upload data at the same time and freeze a big chunk of the internet; an attacker might turn on 50,000 smart air conditioners at the same moment, taking down a part of the electrical grid,” says Wisniewski.
Multiple devices that are under the control of a hacker are referred to as a botnet. Botnets are often used to bomb a site with access requests in order to stop it working. Such distributed denial-of-service (DDOS) attacks can also be directed at infrastructure providers to affect internet service, as with the Mirai botnet attack in 2016 that brought down much of the American internet. Last year, the number of DDOS attacks rose by 91%, thanks to growing breaches of smart home devices. Researchers have since found another spread of Mirai malware that has infected over 100,000 devices within several days
“We’re monitoring about 300 botnets that are made up entirely of IoT devices. [Hackers] are crawling the internet, looking for vulnerable, connected devices,” says Alex Balan, Chief Security Researcher at Bitdefender. “This is the biggest consequence of unsecured smart home devices - a DDOS attack costs real-life money by disrupting internet service.”
Surveillance is another concern with smart devices that are capable of recording - a webcam, a security camera, a smart speaker. “We’ve discovered a brand of cameras that lets you see in people’s houses, move the camera, listen to what’s happening. Indoor cameras. There are almost 300,000 cameras worldwide with this flaw,” Balan says.
Some devices may even come with a “back door” built into their software, ostensibly a vestige from development processes that would allow access to the device - like this creepy example of a baby monitor that was hacked because it was linked to a webcam with a bug left in its firmware. “The weakest link is usually the password chosen by the consumer or a manufacturer backdoor,” Wisniewski says.
The search engine Shodan.io makes it scarily easy for hackers to find any internet-connected device - and breaching such devices is a piece of cake if users haven’t updated the default password or have chosen an easily-cracked word.
The smart home devices that pose the greatest risk
That security camera or wireless router you’ve been using for years might be one of the leading sources of vulnerabilities in your smart home network. “Devices that pose the greatest risks, are those that have been connected and then forgotten about by consumers,” says Tom Canning, Vice President of IoT and Devices at Canonical, developers of Ubuntu Core, an operating system for IoT devices. “The ability to keep these devices updated and secured is critical, but many of them have weak security, weak password solutions, or no way to locate, patch or install OS updates.”
Devices that aren’t monitored by their manufacturers for software vulnerabilities, or which don’t get timely software updates also put home networks at risk - though it’s not always easy to spot which these are until you’ve owned one for a while.
“Manufacturers should ensure there a reliable mechanism for software fixes to be rolled out - without the need for consumer intervention or special skills,” Canning says. “Often times, these smart home devices (or Internet of Things devices) are built, offered on the market and then are ignored once they hit the stores, leaving millions of potentially unpatched devices with undiscovered vulnerabilities in the hands of unsuspecting consumers, just waiting to be hacked.”
Any device that can record should also be researched online before making it part of your home network. “I'm extra careful about things that can be used to spy on me. Things with microphones and cameras in particular,” Wisniewski says. Check that such devices come from trusted manufacturers and have positive reviews.
How to secure your smart home devices
Spotting a compromised smart home device is unfortunately much more difficult than realizing when your computer or smartphone has been hacked. Where phones and computers come with built-in protections that often mean unknown access attempts are blocked or at least set off a notification, the connected home appliances are simply online and programmed to respond.
“Internet-of-things devices themselves must be acknowledged as the most critical point at which security should be considered,” Canning says. “A device that can’t be hacked doesn’t exist, there are only devices with undiscovered vulnerabilities.”
1. Change the default password on any smart home device
Five of most popular passwords (including common default passwords for many brands) can access one in 10 smart home devices - yet 15% of smart home device owners don’t bother to update passwords, perhaps due to an unwieldy interface.
2. Choose devices where software updates are pushed automatically
Out-of-date software may contain bugs that allow hackers access - and automatic software updates ensure that devices are protected as quickly as possible. “Everyone should be wary of connected devices that require manual updates,” says Canning.
3. Go for well-known brands
“Larger, well-known companies aren't necessarily more secure, but they are certainly more responsive to bug reports and more conscientious about protecting their customers,” Wisniewski says. Innovative concepts from an exciting new startup may also be more at risk to simply cease operations. Take Otto, the manufacturer of a $700 smart door lock: after four months of operations, it shut down, leaving customers with an internet-connected lock that would receive no further software updates.
4. Don’t link sensitive accounts to smart devices
Logging into your smart TV with your Facebook credentials? That could be dicey if your smart TV has a software vulnerability that allows attackers to access its login. One smart plug from the brand Edimax even requested users’ personal email addresses and passwords in the setup process, putting these details at risk in the event of a hack.
“Do not add any confidential information to a smart device unless 100% positive that device is secure,” Balan advises. “I use the Fire smart TV stick, which has my Amazon, Gmail and credit card - but I’ve personally inspected everything and I know how it can get hacked and how to defend it. It’s tricky, but users need to be very careful where they use private info like email password and credit card details.”
5. Be choosy about which devices are “smart”
“Don't buy smart devices if you don't need them. Better yet: don't connect things to the internet that don't need to be. Have a smart TV and an Xbox or PlayStation? Maybe you don't need to hook up the TV to the internet. Just watch Netflix using the app on your game console instead,” says Wisniewski.
6. Secure your home network connection
Along with changing your router password, you should also make sure your Wi-Fi network is using an encrypted WPA2-PSK connection. You can do that by entering your router address (here’s how), entering your router name and password, then heading into the settings menu and checking your wireless network or wireless security settings.
7. Get a dedicated smart home protection device
You might also consider a security solution that covers home appliances too. Bitdefender’s Box 2 ($249 on Amazon) and Norton’s Core ($279 on Amazon) are high-security routers that protect the connection between your smart home devices and the wild internet beyond.
With smart home tech and IoT devices proliferating in homes and businesses across the country, the security of these devices is as crucial as the smartphones and laptops that contain our most sensitive information, whether it’s individual privacy or the potential of these devices to be used in large-scale hacks against businesses and the very infrastructure of the internet. As Wisniewski concludes, “When thinking about security, it’s important to look beyond just the personal impact, to what it means as a member of your community and the internet as a whole.”