Home Sweet Hackable Smart Home

Reading Time: ~4 min.

We live in the future. Not one with teleportation, time travel, or flying cars, but one where talking to inanimate objects is the “normal,” even “cool” thing to do.

According to The Smart Audio Report from NPR and Edison Research, 39 million people now own an interactive, voice-activated smart speaker and, in just a few short years, the smart speaker has been joined by countless other smart gadgets, forming a network of connected devices known as the internet of things (IoT). These connected household devices have evolved from assisting with simple tasks like having Alexa play music, to having the ability to control nearly every part of the home, from the ambient temperature to the food that’s purchased for your refrigerator.

It’s pretty amazing, as long you remain in the captain’s chair. But what happens when you’re no longer the one in control?

They see you when you’re sleeping, know when you’re awake

Imagine coming home on a hot day to find your thermostat set to Phoenix-in-August-like temperatures and realizing you can’t change it. Or discovering your internet-connected appliances have been hijacked to do the bidding of cybercriminals in a DDoS attack by a massive IoT botnet. And what could be worse than finding out hackers have the ability to peek into the feed from the nursery webcam? These examples may sound like fear-mongering or idle, worst-case-scenario musings. But they’ve all already happened.

The more consumers buy and use internet-connected home devices, the more opportunities are created for hackers to break in, both digitally and physically. Since IoT products include everything from to fitness bands and home security cameras, to lights, doors, and cars, we run the risk of painting a detailed, time-stamped digital portrait of our daily lives for any hacker with the know-how to access these devices. All they need to access your entire network is one weak link.

Hacked by default

Why are IoT products so vulnerable? According to Webroot senior threat researcher Tyler Moffitt, “the underlining problem with all these emerging IoT devices is that the vendors are only focused on functionality, and have little to no budget for security vetting. Minimum viable product for maximum profit.”

The result? More vulnerabilities leading to more opportunities for attackers to hack your home. The proliferation and widespread adoption of IoT devices presents hackers with billions more targets than previously available, and their success rate need not be high. A single security oversight on a mass-produced device can be devastating.

For example, many smart home devices like Nest Learning Thermostat devices come with a default username and password that most consumers don’t think to change. In some cases, that’s simply not an option, as passwords are sometimes hardcoded into the firmware. Oftentimes, hackers can easily find default login information online and sneak onto your device. Then, with the help of a little malware, they can gain control of your entire fleet of smart-home devices. And hundreds of other people’s.

Patches and updates are another gaping door left open to hackers. Many IoT devices either simply can’t be patched to protect against the latest threats, or their manufacturers don’t have the budget or resolution to release prompt updates. In an up-and-coming market segment filled with startups, there isn’t even a guarantee your device manufacturer will be around to release a much-needed security update when an emergent threat comes knocking.

Secure is the new smart

Before you run home and to rip your Nest or other IoT connected device off the wall, read on. There are ways to keep your home smart and secure.

“Smart homes are still a new space as far as security goes,” says Moffit. “Down the road, we expect security to be protecting internet connected devices. But for now, we recommend a layered approach and taking all the proper precautions. Similar to antivirus, pay for the well-reviewed, vetted products.”

Here are a few more tips for being a smart IoT consumer:

Update login info

Update your usernames and passwords (the stronger the better). Do this for every device you have, and avoid using the same password twice. While you’re at it, change the passwords on your other accounts, too — especially if you’ve had the same one since you opened your first email account in 1998.

Secure wireless networks

Set up two different networks to help reduce the risk of hacking across devices — one for smartphones, computers, and tablets, and another for your smart home products. Add a strong password and give your home network a random name having nothing to do with your username, password, or address. Also, make sure your home network is protected by the Wi-Fi Protected Access II (WPA2) protocol, disable guest access, and most importantly, disable remote access. 

Update software and firmware

Updating helps ensure the latest security measures are being implemented by your device. Many smart home devices don’t update automatically, so check for them about once a month.

Install security software and malware protection

Because there is no singular solution for protecting your smart home products themselves, it’s important to use a layered approach for your security measures. Safeguarding your network, for example. Adding security apps and software to your computer and smartphone can protect against attackers accessing information via a malicious site or app.

Invest in proven solutions

Since so many companies are trying to get on the smart home train and many aren’t keeping security top-of-mind, it’s important to invest in proven solutions and stick to well-known brands that have a reputation for being secure. This helps guard against the aforementioned problem of timely updates not being available, too.

Oh, and you know those home gadgets that come with a hard-coded password? Don’t buy them.

The post Home Sweet Hackable Smart Home appeared first on Webroot Threat Blog.



This is a Security Bloggers Network syndicated blog post authored by Shannon Weber. Read the original post at: Webroot Threat Blog