With the increasing proliferation of smart devices in our homes, security researchers are constantly uncovering fundamental vulnerabilities in these off-the-shelf products. A new report from a team at Ben-Gurion University has found that many of these devices are remarkably insecure and can be compromised in under 30 minutes.
"It is truly frightening how easily a criminal, voyeur or pedophile can take over these devices," says Yossi Oren, one of the researchers on the latest report.
The team examined 16 off-the-shelf smart home devices including baby monitors, home security cameras, doorbells, and thermostats. They discovered a variety of ways hackers can compromise these devices, but disturbingly, perhaps the easiest method involved simply tracking down the default factory-set passwords.
"It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand," says Omer Shwartz, another researcher on the project. "Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely."
It may sound like a simple thing, but several studies have shown that a significant share of people never change default passwords. One security research company found that 15 percent of devices it encountered in the field still used default credentials, while a survey of over 1,000 remote IT workers across the US and UK found that 46 percent of these industry professionals were still using the default password on their wireless router.
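The quickest check a home or small-office administrator can run on their own kit is the one the researchers describe: try the handful of well-known factory username/password pairs against each device's web login and see which ones are accepted. The following is an added example, not code from the Ben-Gurion study; it tries a short, constructed list of default pairs against an HTTP Basic-auth endpoint, and for an offline demonstration it starts a constructed stand-in "camera" on localhost that is still on admin/admin (the credential list, the fake device, and the `start_fake_camera` helper are all assumptions of this example, not real product behaviour).

```python
"""Audit devices you own for factory-default HTTP Basic-auth credentials.

Added example, not from the original article or the Ben-Gurion paper. The
credential list and the fake camera below are constructed for illustration.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of common factory defaults (assumption: illustrative only;
# replace with the defaults documented for your own devices).
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
]


def _basic_header(user, password):
    """Build the value of an HTTP Basic 'Authorization' header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def try_login(url, user, password, timeout=3.0):
    """Return True only if the endpoint answers 2xx to this username/password pair."""
    req = urllib.request.Request(url, headers={"Authorization": _basic_header(user, password)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError:
        # 401/403 (or any other error status) means the pair was rejected.
        return False
    except (urllib.error.URLError, OSError):
        # Unreachable host, timeout, refused connection: not a successful login.
        return False


def audit_device(url, credentials=DEFAULT_CREDENTIALS):
    """Return the first default pair the device accepts, or None if all are rejected."""
    for user, password in credentials:
        if try_login(url, user, password):
            return (user, password)
    return None


class _FakeCameraHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an IP camera's web UI protected by Basic auth."""
    expected = _basic_header("admin", "admin")  # overridden per instance below

    def do_GET(self):
        if self.headers.get("Authorization") == self.expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"camera live view")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="camera"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_camera(password="admin"):
    """Start a constructed device on an ephemeral localhost port.

    Returns (base_url, server); call server.shutdown() when done. The device
    accepts the user 'admin' with the given password (default: the factory one).
    """
    handler = type("Handler", (_FakeCameraHandler,), {"expected": _basic_header("admin", password)})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/", server


if __name__ == "__main__":
    # Two constructed devices: one still on its factory password, one changed.
    for label, pw in (("unchanged camera", "admin"), ("hardened camera", "c0rrect-horse-battery")):
        url, server = start_fake_camera(pw)
        hit = audit_device(url)
        status = f"DEFAULT CREDENTIALS ACCEPTED {hit!r}" if hit else "no default pair accepted"
        print(f"{label} at {url}: {status}")
        server.shutdown()
```

Point it at the real login URLs of your own devices (and only your own) and the same `audit_device` call reports which ones would fall to the "Google the brand" attack in the article. Devices that use a form login or a token rather than Basic auth need a different `try_login`, but the loop over known defaults is the same.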
"Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products," says Oren.
The researchers suggest that while manufacturers need to secure these devices better before they reach the consumer, there are several simple things an individual can do to better protect their home devices. These include avoiding second-hand devices, which could already have malware planted on them, only buying devices from reputable manufacturers, and not connecting a device to the internet unless it is strictly necessary. Of course, using strong passwords and not reusing the same password across different devices is fundamental here too.
"We hope our findings will hold manufacturers more accountable and help alert both manufacturers and consumers to the dangers inherent in the widespread use of unsecured IoT devices," says Yael Mathov, another researcher on the project.
The report can be found in the journal Smart Card Research and Advanced Applications.
* unless I'm actively surfing, downloading, or streaming, my connection doesn't need to be on
* PC and gateway firewalls are locked down: nothing in, only select ports out
* I only open ports in my firewall and gateway when I actually need them, and then immediately close them when I'm done
* UPnP and IPv6 are disabled in gateway and interface
* wi-fi is disabled until I actually need it, then it's disabled when I'm done
* gateway and wi-fi passwords are randomly generated (alpha-num-spec) and are both changed weekly
* wi-fi strength is set to the lowest level that supplies service within my zone (10% - 50%)
* when I go out, I power off my gateway
* cameras on phones and tablets are taped
* webcams are disconnected until needed
* microphone cords are disconnected until needed
* phone stays in airplane mode until 'I' need to make a call
* wi-fi and bluetooth for mobile devices are disabled until needed
* to protect my IP, all connections from home use a VPN
* I never click links in emails which are unsolicited, from friends or family, from unknown senders, or in subscriptions, newsletters, or commercial offers
* I only click links in emails which I'm expecting - for example, I just signed up for an account at 'example.com' and they have sent an expected account verification email 8 seconds later
* I never, never, never click links sent to my phone - never
* I never use a mobile device to sign in to any online account
* Linux and OpenBSD are the only OSs used - never Windows
* my fridge, freezer, washer, dryer, oven, toaster, microwave, coffee pot, bread machine, and popcorn maker do not need an internet connection - neither does my doorbell, thermostat, lights, furnace, A/C, sprinklers, blinds, or life-sized animatron of drunk Santa pissing off the side of his sleigh
P.S.: there are dozens of other things I do for security; most notably being that I never use Windows - 18 years without a virus, trojan, worm, adware, spyware, ransomware, or any other malware, and counting.
P.P.S.: there are only 3 M$ products permitted in my house: 1) white/grey wheel mouse optical (wired) (best mouse in the world), 2) Natural Ergo. KB 4000 (so comfy!!), 3) any driver disks (they make great coasters).
P.P.P.S.: I never take my phone to a restaurant - it's so peaceful to disconnect, and other patrons don't want to be disturbed while eating ;o)