Can Smart Home Leaks Lead to Major Cyberattacks?

Smart speakers were everywhere this holiday season. According to a recent survey conducted by GetApp Lab, smart speakers were one of this year’s most wanted tech gifts.

The new Echo Dot was the most purchased item on Amazon globally over the Thanksgiving weekend, which means that more and more kids are asking Alexa to play “Kid in a Candy Store.” According to the OECD, the total number of smart devices per household is expected to jump from 10 to 50 by 2020, and Gartner predicts that 80 percent of computing tasks will take place on mobile devices by 2020.

The problem is that the proliferation of smart home and mobile devices affords cybercriminals even more entry points to hold consumer data or infrastructure hostage. Threat actors also could use consumers’ devices to create a botnet that can carry out large-scale attacks on everything from power grids to our transportation systems.

New Security Risks in Smart Home Devices

While most people aren’t carrying Alexa around town with them, not all smart devices stay in the home. With the start of 2019, employees have returned to work with their new devices in tow, and many of them are connecting their IoT gadgets to the company Wi-Fi, unknowingly causing potential liabilities for their organization.

“Smart devices can be exploited in many ways. Weak security protocols make them vulnerable to malware and easy to hack,” said Zach Capers, senior IT analyst for “Default usernames and passwords leave smart devices susceptible to botnets that can use their computing power for DDoS attacks, cryptojacking and other schemes. They’re also typically designed to collect as much data as possible, which can be particularly problematic in a business environment.”

According to a GetApp study, 58 percent of small businesses do not have a BYOD policy. When they are active, smart speakers record everything that is uttered in their presence, which puts businesses and their proprietary information at risk.

“We have seen instances of people conducting internet-wide scans for connected devices like webcams, baby monitors and actual examples of compromises of the devices themselves or the data they collect,” said Jacob Styczynski, lead associate at Booz Allen. “One recent example is of soldiers sharing fitness tracker data from FOBs (forward operating bases), highlighting the risk to consumers of devices oversharing information.”

Then there are the smart TVs in boardrooms, which can employ automatic content recognition (ACR), leading to excessive data collection. Also worth noting are the smartwatches and wearables on everyone’s wrists—these devices can leave a company vulnerable to location exposure and data leakage.

In a future where smart devices will be ubiquitous, who is responsible for the security of these devices?

Consumer, Employer or Manufacturer: Who’s Responsible for Security?

In a world where convenience and entertainment far outweigh concerns for security, consumers are quick to click and download with little regard for risk. At the same time, manufacturers are pressured to get products to market quickly. So where does security fit in?

Smart devices tend to be developed with a focus on features rather than security. In addition to what’s on the price tag, consumers pay for smart devices with their personal data, which has great value to threat actors.

When it comes to security, the bulk of responsibility lies with the consumer or a company’s IT department, Capers said. “Unfortunately, a lack of industry standards and firmware that is often difficult to update makes smart device security more complicated than it should be.”

As is the case with most products, consumers expect assurances from the manufacturers. “They will increasingly hold device manufacturers accountable for security practices in their development and production processes as threat actors continue to target connected devices. Attacks against Bluetooth devices have demonstrated threat actors’ interest in these types of attacks, a trend that is only likely to expand,” Styczynski said.

“Further, as more connected devices are deployed in enterprise environments—e.g., smart facility management systems—businesses’ infrastructure security staff, who may typically focus on more traditional IT equipment, will need to incorporate these systems into their security management plans,” he added.

Securing Devices, Mitigating Risks

Consumers can do a few different things to secure their smart devices, starting with changing the default usernames and passwords to reduce the threat of brute force attacks. “Consumers should also check regularly for firmware updates and occasionally reboot their device,” Capers said.

Being aware of and trying to minimize the data collection capabilities on smart devices is another best security practice for consumers, who can also disable Bluetooth when it’s not in use or mute devices and disable data aggregation.

Enterprises can also take steps to reduce risk with network segmentation, which Capers said is the most effective way to reduce the risks of smart devices. “This ensures that sensitive business data is segregated from smart devices by hosting them on a separate or virtual network. IT can also use network traffic analysis or IoT search engine Shodan to identify vulnerable connected devices.”
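The segmentation and traffic-analysis advice above is easier to act on with a concrete check. The script below is an added example, not code from the article, GetApp or Booz Allen: it reads constructed flow records (source address, source MAC, destination, port, bytes) and flags three things a defender cares about once an IoT network has been carved out, namely smart devices that are sitting on the corporate segment at all, IoT-segment devices that are still reaching corporate hosts (the boundary is not actually enforced), and devices talking to more distinct hosts than their class should (a coarse botnet or scanning indicator). The subnets, MAC vendor prefixes and flow lines are all hypothetical values chosen for the example.

```python
"""Added example: spotting smart devices that break network segmentation.

All addresses, MAC prefixes and flow records below are constructed for the
example; a real deployment would feed this from NetFlow/IPFIX or a firewall
log and use the IEEE OUI registry or DHCP fingerprints for device classes.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical segmentation plan: corporate hosts on CORP_NET, smart devices on IOT_NET.
CORP_NET = ip_network("10.10.0.0/24")
IOT_NET = ip_network("10.30.0.0/24")

# Constructed vendor-prefix table: first three MAC octets -> device class.
IOT_OUI = {
    "f0:f0:a4": "smart-speaker",
    "d0:73:d5": "smart-tv",
    "a4:77:33": "wearable-hub",
}

# Constructed flow records: src_ip,src_mac,dst_ip,dst_port,bytes (one flow per line).
SAMPLE_FLOWS = """\
10.10.0.23,f0:f0:a4:11:22:33,10.10.0.5,445,1200
10.10.0.40,00:1a:2b:3c:4d:5e,10.10.0.5,445,800
10.30.0.7,d0:73:d5:aa:bb:cc,203.0.113.9,443,50000
10.30.0.9,f0:f0:a4:99:88:77,198.51.100.2,80,3000
10.30.0.9,f0:f0:a4:99:88:77,10.10.0.5,22,400
10.30.0.9,f0:f0:a4:99:88:77,10.10.0.17,445,400
"""


def parse_flows(text):
    """Turn the CSV-style flow log into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src_ip, src_mac, dst_ip, dst_port, nbytes = line.split(",")
        flows.append({
            "src_ip": ip_address(src_ip),
            "src_mac": src_mac.lower(),
            "dst_ip": ip_address(dst_ip),
            "dst_port": int(dst_port),
            "bytes": int(nbytes),
        })
    return flows


def device_class(mac):
    """Look up the device class by the MAC vendor prefix, or None if unknown."""
    return IOT_OUI.get(mac[:8])


def find_misplaced_iot(flows):
    """Smart devices whose address lies in the corporate network at all."""
    found = {}
    for f in flows:
        cls = device_class(f["src_mac"])
        if cls and f["src_ip"] in CORP_NET:
            found[str(f["src_ip"])] = cls
    return found


def find_segment_crossings(flows):
    """IoT-segment sources reaching corporate hosts: the boundary is not enforced."""
    crossings = set()
    for f in flows:
        if f["src_ip"] in IOT_NET and f["dst_ip"] in CORP_NET:
            crossings.add((str(f["src_ip"]), str(f["dst_ip"]), f["dst_port"]))
    return sorted(crossings)


def find_fan_out(flows, max_destinations=2):
    """Sources talking to more distinct hosts than a single-purpose device should."""
    dests = defaultdict(set)
    for f in flows:
        dests[str(f["src_ip"])].add(str(f["dst_ip"]))
    return {ip: len(d) for ip, d in dests.items() if len(d) > max_destinations}


def analyse(text):
    """Run all three checks over a flow log and return the findings."""
    flows = parse_flows(text)
    return {
        "misplaced_iot": find_misplaced_iot(flows),
        "segment_crossings": find_segment_crossings(flows),
        "fan_out": find_fan_out(flows),
    }


if __name__ == "__main__":
    for finding, detail in analyse(SAMPLE_FLOWS).items():
        print(finding, detail)
```

On the constructed data the speaker at 10.10.0.23 is flagged as misplaced, 10.30.0.9 is flagged both for reaching two corporate hosts and for its fan-out, and the smart TV at 10.30.0.7 passes because it only talks outbound from the IoT segment. The fan-out threshold is deliberately low for the sample; in practice it is tuned per device class, since a smart speaker legitimately contacts only a handful of vendor endpoints while a laptop does not.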

“Organizations using connected devices in their enterprise environments can expand the scope of attack surface and penetration test assessments to include review of proprietary wireless protocols,” Styczynski said.

Securing smart devices is everyone’s responsibility, from consumers to enterprises and manufacturers. As such, Styczynski added, “Device manufacturers can formally incorporate security audits and proactive assessments of their products and platform delivery environments as part of the development process.”

Kacy Zurkus

Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years' experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
