With the increasing proliferation of smart devices in our homes, security researchers are constantly uncovering fundamental vulnerabilities in these off-the-shelf products. A new report from a team at Ben-Gurion University has revealed that many of these devices are remarkably insecure and can be compromised easily in less than 30 minutes.
"It is truly frightening how easily a criminal, voyeur or pedophile can take over these devices," says Yossi Oren, one of the researchers on the latest report.
The team examined 16 off-the-shelf smart home devices including baby monitors, home security cameras, doorbells, and thermostats. They discovered a variety of ways hackers can compromise these devices, but disturbingly, perhaps the easiest method involved simply tracking down the default factory-set passwords.
"It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand," says Omer Shwartz, another researcher on the project. "Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely."
It may sound like a simple thing, but several studies have revealed that a significant number of people don't bother changing default passwords. One security research company found that 15 percent of devices it came across in the field still used default values, while a survey of over 1,000 remote IT workers across the US and UK found that 46 percent of these industry professionals were still using the default password on their wireless router.
"Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products," says Oren.
The researchers suggest that while manufacturers need to secure these devices better before they reach the consumer, there are several simple things an individual can do to better protect their home devices. These include avoiding used devices that may already have malware planted on them, only buying devices from reputable manufacturers, and not connecting a device to the internet unless completely necessary. Of course, using strong passwords and not sharing the same password across different devices is fundamental here too.
"We hope our findings will hold manufacturers more accountable and help alert both manufacturers and consumers to the dangers inherent in the widespread use of unsecured IoT devices," says Yael Mathov, another researcher on the project.
The report can be found in the journal Smart Card Research and Advanced Applications.