As security experts often caution, anything that is online can be hacked. Nowhere is this truer than in our increasingly connected homes, where devices from refrigerators to speakers, kettles, and baby monitors can connect to the internet and communicate with other home devices and in some cases, with external servers too. The problem is, many of these smart home devices don’t come with the same level of security as other internet-connected devices such as phones and laptops.
And the more connected homes become, the more cybercriminals are turning their focus to the smart devices within those homes. In the first half of 2019, the number of attempted hacks on smart home devices – or Internet of Things (IoT) devices – was almost nine times what it was at the same time last year, with over 105 million attacks on IoT devices coming from 276,000 unique IP addresses. (Go directly to our 11 tips for smart home security or read on for more context.)
The easily hacked home
Unlike hacks targeting accounts such as email or social media, attacks on IoT devices are often unsophisticated, taking advantage of many devices’ low security. “Security is typically a secondary concern for many IoT vendors,” says Richard Stokes, CEO of Winston, which recently launched a device that scrambles and filters internet traffic at the router level. For instance, many smart home devices may send traffic using unencrypted HTTP, making interception or modification of the connection all too easy.
An even simpler target is the default passwords that IoT devices often ship with – and which are searchable online through device manufacturers to aid with setup, as well as on dedicated search engines designed for hackers. “The most common attack is using default usernames and passwords to get access to the device,” says Marco Preuss, Head of Kaspersky’s Europe Research Center. Where most of us – hopefully – devise complex, unique passwords for our many online accounts (or better yet, use a password manager), many people and companies don’t update the default passwords on their smart devices. This means a quick Google search could turn up the passwords required to hack into that smart teddy or baby monitor.
The spoils of a smart home hack
Once an attacker has accessed a device, they can then remotely control the devices, or hard-code passwords into the firmware, “essentially creating a God mode account with a password that cannot be changed,” says Preuss. As well as being able to spy on homeowners – or wreak havoc through remote-controlled devices – attackers could then go on to access other devices on the home network, including smartphones and laptops that contain far more sensitive information, such as banking details and email logins.
Home devices might also be infected with malicious software that hijacks them to launch mass attacks on major servers, as with the Mirai botnet malware, which brought down the internet in much of the U.S. East Coast in 2016. A variant is circulating today targeting smart office equipment.
Most commonly hacked home devices
Internet routers and modems, being online 24/7, are common targets for IoT attackers. “Control of the wireless routers potentially gives an attacker access to all of your devices,” says Stokes. In the case of infected routers, attackers can also change the network settings, notes Preuss. When infected, routers will try to force users to visit attacker-controlled websites, or download malware in order to steal valuable data.
Security cameras that are backing up or communicating with external servers are also at high risk for a simple attack. “Devices such as security cameras … tunnel through firewalls,” says Stokes. This often inadvertently provides a means for attackers to access a home network.
Smart speakers such as the Amazon Echo and Google Home can also be prime targets, as they represent additional Wi-Fi points that connect to external servers, providing another connection that may have vulnerabilities.
Even lightbulbs can be at risk, despite lacking any interface at all. Lightbulbs that can connect directly to a wireless home network (instead of a hub) – such as the Philips Hue and Lifx – sometimes come with infrared lighting options. It’s this infrared spectrum that can be exploited by hackers to gain access to the entire home network, as researchers found.
Security for smart home devices is as critical as security on laptops and smartphones – and because many are less user-friendly when it comes to customizing settings, it can take far more effort to get right.
Are you following all these home security tips?
1. Change default usernames and passwords
It bears repeating: Change the default username and password on all IoT devices.
2. Reboot your wireless router regularly and ensure you install the latest firmware
Reboot your wireless router regularly and ensure you install the latest firmware. And if you notice any unusual activity on your smart home network, reboot immediately. “Some malicious payloads are only active during runtime without persistence mechanisms. This might help to get rid of malware as a quick first help action,” says Preuss.
3. Rename your router
When you rename your router, avoid any name associated with your name or road address. Keeping the default name can reveal its make or model, making it easier for hackers to break its security.
4. Choose smart security cameras over traditional security cameras
Choose smart security cameras from trusted brands instead of traditional IP cameras – these are more secure and offer two-factor authentication, making it harder for hackers to wrest control of the login.
5. Enable firewalls on all laptops and devices with sensitive information
Make sure you have enabled a firewall on all laptops and any other devices with sensitive information. This adds an extra layer between these devices and attackers who may have hacked into your home network. Windows and Mac laptops all come with a firewall option, as do many antivirus programs for computers and Android devices (iPhones and iPads don’t support this type of software).
6. Update the firmware of all devices regularly
Update the firmware of all devices regularly. Out-of-date firmware can contain vulnerabilities that may be uncovered by hackers trying their luck – yet not all vendors make it easy for users to update devices as needed. You should be able to find firmware updates and information on how to do it for your device brand and model by searching online – and if you don’t find any, it could be time to upgrade. “If there is no update functionality, then I highly recommend removing the device and exchanging it for one with update functionality,” says Preuss.
7. Use unique passwords for each IoT device
Use unique passwords for each IoT device. Reusing passwords makes an attacker's job much easier. You can use your password manager to manually generate and save these passwords.
8. Disable internet connectivity unless the device really needs to be accessed remotely
Ask yourself, for each device, if it really needs to be publicly accessed from the Internet – and disable connection for as many as possible. Unfortunately, in some cases – such as some internet-connected lightbulbs – restricting access to the web and other home devices is a job for manufacturers.
9. Purchase a secure router
Purchase a router with built-in antivirus or a built-in VPN to scramble all traffic – including traffic from sensitive devices such as medical trackers that can unintentionally reveal vital, valuable data.
10. Use a separate Wi-Fi network for your smart home devices
Connect smart home devices to their own Wi-Fi network. For advanced users – if your router supports multiple SSIDs, you can create two Wi-Fi networks, one for smartphones, tablets, and laptops where you might shop, browse and use online banking, the other for smart home devices to be sealed off from your most sensitive information.
11. Turn on two-factor authentication on your smart home device accounts
With two-factor authentication turned on, hackers can't access your account with your user name and password alone. They also need to provide an additional means of verifying your identity, like a one-time use PIN delivered via an app, text message or email, or a physical device that generates a passcode or a biometric device. Find out more about how to turn on two-factor authentication and our recommendations for apps and devices in our story "How to Protect Your Accounts with Two-Factor Authentication."
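Several of the tips above (1, 6, 7, 8, 10 and 11) can be checked mechanically against a list of your own devices. The Python script below is an added example, not part of the original article: it audits a constructed inventory, and the device names, SSIDs, passwords and the short DEFAULT_LOGINS set are all made-up assumptions to replace with your own records.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample of factory-default logins; extend it from your devices' manuals.
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

@dataclass
class Device:
    name: str
    username: str
    password: str         # load from your password manager; keep no plaintext copy
    network: str          # SSID the device is joined to
    remote_access: bool   # reachable from the internet
    needs_remote: bool    # owner actually uses remote access
    can_update: bool      # vendor offers firmware updates
    two_factor: bool      # 2FA enabled on the device's account

def audit(devices, iot_ssid):
    """Return {device name: [findings]} for tips 1, 6, 7, 8, 10 and 11."""
    reuse = Counter(d.password for d in devices)
    report = {}
    for d in devices:
        findings = []
        if (d.username.lower(), d.password.lower()) in DEFAULT_LOGINS:
            findings.append("default login still set (tip 1)")
        if not d.can_update:
            findings.append("no firmware update path; replace device (tip 6)")
        if reuse[d.password] > 1:
            findings.append("password shared with another device (tip 7)")
        if d.remote_access and not d.needs_remote:
            findings.append("internet access enabled but not needed (tip 8)")
        if d.network != iot_ssid:
            findings.append("not on the dedicated smart-home SSID (tip 10)")
        if not d.two_factor:
            findings.append("two-factor authentication off (tip 11)")
        if findings:
            report[d.name] = findings
    return report

# Constructed inventory for illustration only.
INVENTORY = [
    Device("camera", "admin", "admin", "Home", True, True, True, False),
    Device("speaker", "owner", "T7#kq-vexing-Lamp", "Home-IoT", True, True, True, True),
    Device("bulb", "owner", "Sh4red-pass", "Home-IoT", True, False, False, True),
    Device("kettle", "owner", "Sh4red-pass", "Home-IoT", False, False, True, True),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, "Home-IoT").items():
        print(name, "->", "; ".join(findings))
```

A device that passes every check, like the sample speaker, is left out of the report.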