Your smart home is a lot less safe than you think. Your phone, your tablets, your security camera, your baby monitor – even your kettle and lightbulbs – are all now fodder for hackers.
Every device in your smart home, anything with even the smallest piece of firmware and a networking capability, can become compromised. And it’s not just about one hacker trying to target your camera to watch you making lunch. It’s now a numbers game – and if hacking enough devices becomes financially viable, that will make you a target by default.
And there are real world examples. Baby monitors have been accessed remotely, and back in 2016, hackers enslaved thousands of smart devices into a botnet as part of an orchestrated DDoS attack. Fun, eh?
According to the company behind Akita – a smart home protection device – in three years there’ll be 60 billion IoT gadgets out, each one running a different firmware, most without security built in, but all on your network and capable of interacting with your data.
Now, we’re not trying to scaremonger. But a recent report from specialists at Ben-Gurion University found dangerous flaws in 14 out of the 16 smart home devices they tested and is yet another reminder from the IT experts that things might not be as safe as we think. So we set out to find out just how real, how possible and how prevalent these kinds of threats actually are and what kind of danger smart home users are really in. It turns out it’s not all tall tales from the tabloids.
ENISA is the European Union Agency for Network and Information Security – its aim is to keep EU citizens, consumers, the public sector and private businesses safe from cyber attack.
To do that takes something of a herd mentality, because if you’re not practising safe internet usage then, quite unwittingly, you become part of the problem. You’re making hacking more financially viable and you’re giving the hackers more computing power to attack larger targets. Vangelis Ouzounis is Head of Secure Infrastructure & Services Unit within ENISA's Core Operations Department. Given this sudden explosion of connected devices in our homes, we asked if this was a cause for ENISA’s concern.
“The smart home is a sustainable trend,” said Ouzounis. “But the problem is that there are many new devices coming to the market and they don’t consider privacy or security.”
Three threats to your network
The first two threats are matters of simple home security. “Hackers can steal data and they find out the habits of the users – when they're at home, when they’re using the devices,” Ouzounis said.
The third is “to use devices as a basis to launch other kinds of attacks. Imagine that you get access to thousands or even millions of these devices and then you orchestrate them towards a given server and then you have a big attack. This was like the recent Mirai attacks – and you can run ransomware on top to get people to pay you to unlock their devices.”
And Mirai attacks are something you’re going to hear a lot more about. Directly translated as ‘the future’ in Japanese, Mirai is malware that turns networked devices running Linux into bots on a botnet, which can be controlled remotely by a hacker.
Its typical targets are wireless routers and connected cameras – not devices you’d necessarily have software to protect. A new variant of Mirai appeared at the beginning of 2018, which targets one of the most popular 32-bit processors, shipped in over 1.5 billion IoT devices every year.
Even a small fraction of that represents the mother of all DDoS attacks if turned on the same server. It happened in October 2016, when multiple strikes on big-name websites caused several high-profile sites, such as Twitter, Reddit, Netflix and Airbnb, to go down.
“Many of these cheap IoT devices have not properly implemented encryption,” said Ouzounis. “The biggest problem is that the consumer is not educated. They don’t pay attention to security and privacy and they don’t know what to ask for, and, when there is a vulnerability, patching these systems is not easy or straightforward. The normal consumer doesn’t know how to do it.”
And it’s not just about patches. A lot of IoT devices come with passwords – but did you remember to change that password when you installed your home camera?
“Lots of devices come with default passwords, people leave them and sometimes they are the same for all devices and if you can hack one you can hack all of them,” Ouzounis continued. “Hackers won’t invest a lot of time and money just to attack your camera, but if it’s cheap to do it because it’s a known vulnerability and it’s very easy, they might do that just to find out if you’re home or to get privacy related data – when you're in the bath, when you’re in a personal situ with your partner – they can blackmail you and ask for money. These are real situations. They’re not that far-fetched.”
The battle for your network
Making sure you’re not an easy target, then, seems key. Small wonder there’s a burgeoning trend in one-stop-shop privacy and security solutions for the smart home on their way.
Antivirus software specialist BitDefender has developed its Box hardware with the IoT security problem in mind. You can either plug it in directly to your router or use it as a super-smart home scanning router itself.
Akita and Fingbox are another two examples, fresh out of the blocks from hugely successful crowdfunding campaigns, with the latter already available and picking up plenty of positive reviews. In the case of Fingbox, it keeps the network safe by doing two things. The first is that it continuously monitors the presence of the devices. So, whenever there is a new device that has never been seen on the network, you can get an alert and you decide whether to acknowledge or block.
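The first of those two jobs, spotting a device that has never been seen on the network, is simple enough to do yourself. The script below is an added example, not Fingbox's code: it parses constructed `arp -a` style lines, compares the MAC addresses against an inventory of acknowledged devices and reports anything new.

```python
"""Flag devices that have never been seen on the home network.

Added example (not Fingbox's code): a minimal version of the presence
monitoring described above, run over constructed `arp -a` style lines.
"""
import re

# Constructed sample of an ARP table as printed by `arp -a` on Linux.
SAMPLE_ARP = """\
router.lan (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.20) at aa:bb:cc:dd:ee:01 [ether] on wlan0
? (192.168.1.21) at AA:BB:CC:DD:EE:02 [ether] on wlan0
? (192.168.1.99) at <incomplete> on wlan0
"""

# Constructed inventory of devices the owner has acknowledged, keyed by MAC.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "router",
    "aa:bb:cc:dd:ee:01": "living room camera",
}

ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-fA-F:]{17})"
)


def parse_arp(text):
    """Return {mac: ip} for every resolved entry; incomplete rows are skipped."""
    found = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            found[m.group("mac").lower()] = m.group("ip")  # normalise MAC case
    return found


def unknown_devices(arp_text, known=KNOWN_DEVICES):
    """List (mac, ip) pairs present on the network but absent from the inventory."""
    seen = parse_arp(arp_text)
    return sorted((mac, ip) for mac, ip in seen.items() if mac not in known)


if __name__ == "__main__":
    for mac, ip in unknown_devices(SAMPLE_ARP):
        print(f"ALERT: new device {mac} at {ip} - acknowledge or block it")
```

Phones that randomise their Wi-Fi MAC address will show up as new on every visit, so an inventory keyed on MAC alone needs a way to acknowledge those too.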
“Fingbox will point like a laser beam against the new device by sending a package in the network that will blind the device and not allow it to participate and communicate with other devices. It’s like a wrap around it,” explained Fingbox Chief Product Officer, Pancrazio Auteri when he spoke to The Ambient.
According to Auteri, one of the most common causes of home network vulnerability is the weak password. There’s also a problem with routers that have their passwords written on the back where anyone entering the house can just take a picture of that and pass it on.
“Many users join Fingbox for that reason. Their computer tells them there’s all sorts of devices connected to their network.”
How to fight back
So, what’s the advice from Auteri?
“Make sure that your Wi-Fi is secured with a WPA2 encryption. It sounds like a technicality but it’s really one of the biggest problems. WPA2 is the only encryption scheme that can guarantee against cracking,” he said.
“Use a password that is long. We recommend 16 characters but don’t form them with a random collection of characters like traditional recommendations. Use words linked together so that you can remember them.
“If it’s random, people sometimes write them and that becomes insecure. With three words and a number you have a very strong password. You can mix uppercase and lowercase. We say ‘camel-case’ – with a hump – with the first letter of each word in uppercase and the rest of the letters in lowercase. So LunchHorseCall27, for example.”
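To put numbers on the scheme Auteri describes, here is an added example (not the article's or Fingbox's code) that builds a three-word camel-case passphrase with a number from a CSPRNG and works out how many bits of entropy that gives for a wordlist of a given size, next to the figure for 16 random characters. The eight-word list is constructed for illustration; a real generator needs a list of several thousand words.

```python
"""Build a passphrase in the form Auteri describes and estimate its strength.

Added example, not from the article or Fingbox: three camel-case words plus a
number, with the entropy compared against a 16-character random string.
"""
import math
import secrets

# Constructed wordlist; a real generator should draw from a list of
# several thousand words (e.g. a diceware list) for the entropy to hold.
WORDS = ["lunch", "horse", "call", "river", "cloud", "piano", "garden", "silver"]


def make_passphrase(wordlist, words=3, max_number=100):
    """Return WordWordWordNN built with a CSPRNG, e.g. 'LunchHorseCall27'."""
    parts = [secrets.choice(wordlist).capitalize() for _ in range(words)]
    return "".join(parts) + str(secrets.randbelow(max_number))


def passphrase_bits(wordlist_size, words=3, max_number=100):
    """Entropy in bits when the attacker knows the scheme and the wordlist."""
    return words * math.log2(wordlist_size) + math.log2(max_number)


def random_string_bits(length=16, alphabet=62):
    """Entropy of a uniformly random string over an alphabet of that size."""
    return length * math.log2(alphabet)


def meets_length(passphrase, minimum=16):
    """Check the 16-character length Fingbox recommends."""
    return len(passphrase) >= minimum


if __name__ == "__main__":
    p = make_passphrase(WORDS)
    print(p, "long enough:", meets_length(p))
    print(f"3 words from {len(WORDS)}: {passphrase_bits(len(WORDS)):.1f} bits")
    print(f"3 words from 7776 (diceware): {passphrase_bits(7776):.1f} bits")
    print(f"16 random alphanumerics: {random_string_bits():.1f} bits")
```

The strength of the scheme comes from the size of the wordlist, not the word count alone, which is what the comparison printed at the end shows.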
There are companies that seek out vulnerabilities too and they tell the manufacturers and grant them a certain time period, usually around four weeks, and if they’re not fixed by then, then the people who’ve found them will go public. The idea is to apply pressure to either get the security sorted or face getting pushed out of the market by the competition when it’s discovered that their devices are flawed and dangerous.
“Most of the manufacturers, because they outsource their software development, they have no ability to react in such a short time. They all have vulnerabilities which become very well known on the internet. You don’t have to go on the dark web to find them because they are advertised by official organisations, so it’s very easy to exploit them,” said Auteri.
Cheap Chinese smart home gizmos are a classic no-no. Not only will the software never get updated but it’s highly likely that their apps have no protection either. Start a video stream to your mobile phone from your knock-off camera and you could be exposing your entire network to the internet at large.
But as it turns out, the main danger of smart home attack is from something a lot more commonplace, as Auteri explains.
“We found that Windows computers are the most vulnerable because many people delay the installation of security patches for months because it’s annoying to wait for the computer to reboot. They take a virus and then the virus starts scanning all the devices on the network at home. It’s a kind of Trojan horse approach,” he said.
Even a known brand device may be vulnerable for a few weeks while the company works on a patch but, as much as that manufacturer might feel that that’s the end of the story, the job’s still not done. You still need to get your customers to download it and apply it themselves. Some IoT device companies are better at doing that than others – something that’s worth bearing in mind next time you make a purchase.
“In the case of Nest, they are very diligent because they have a very good software update system. They push the update, so they don’t wait for the user to apply them. But most of the devices that we see in the market – and we have a very good visibility because Fingbox is essentially a big device inventory – come from companies that don’t have a reliable update policy and also don’t have a good track record of delivering updates in a timely fashion.”
Thanks to the pressure applied by the competition, these companies are changing their ways but, according to Auteri, the bulk of the install base – even from the likes of Linksys and D-Link – is still transitioning to systems where software is supplied directly from the cloud.
With its insights into the performance of leading smart home brands, Fingbox is considering publishing reputation lists so that we know which smart home companies are getting security right. While that’s not available right now, thankfully Auteri had nothing bad to say about Amazon Echo or Google Home, which are currently being installed in the millions.
The bottom line here is, for the time being, to do your own homework and, of course, be vigilant. More importantly, though, it’s also a case of changing your thinking. In the past, the mindset has been very much to get antivirus and not to click on suspicious links.
Always select devices to auto-update, always choose new passwords and question why one gadget might be cheaper than another. We’re not saying you need to panic but the numbers are there. For hackers, there are more possibilities than ever before.