Our homes are filled with an ever growing number of connected devices, but just how safe are our coffeemakers, smart meters or baby monitors from cyber-intruders?
As fear about the potential cyber-threat to such devices grows, a team of our anti-malware experts recently re-visited this topic, to explore just how vulnerable our Internet of Things (IoT) homes are. You can find the article here.
This follows up on research conducted last year by my colleague, David Jacoby.
The devices selected for this investigation were: a USB-dongle for video streaming, a smartphone-controlled IP camera, several baby monitors, a smartphone-controlled coffee maker, and a smartphone-controlled home security system. It turned out that every single one contained security vulnerabilities.
Let's start with the baby monitor camera. I think we'd all find it chilling to learn that it contains an open door to potential cyber-intrusion. In the experiment, the device actually allowed a hacker, whilst using the same network as the camera owner, to connect to the camera, watch the video output from it and even communicate through the camera itself. We found that other baby monitors allowed hackers to collect owner passwords; and the experiment showed that it was also possible for a hacker on the same network to retrieve the root password from the camera and maliciously modify the camera's firmware.
Next are the app-controlled coffeemakers. For these, it was discovered that it's not even necessary for an attacker to be on the same network as the victim. The coffeemaker sends enough unencrypted information for an attacker to discover the password for the owner's entire Wi-Fi network.
We also looked at a smartphone-controlled home security system, which was found to have vulnerabilities in the sensors used by the system. The contact sensor, which is designed to set off the alarm when a door or a window is opened, works by detecting a magnetic field emitted by a magnet mounted on the door or window. When the door or window is opened, the magnetic field disappears, causing the sensor to send alarm messages to the system. However, if the magnetic field remains in place, no alarm is sent.
Our experts were able to use a simple magnet to replace the magnetic field of the magnet on the window. This meant they could open and close a window without setting off the alarm. The big problem with this is that it is impossible to fix it with a software update, as the issue is in the design of the home security system itself. What's more concerning is that magnetic field sensor-based devices are commonly used by multiple home security systems on the market.
So, although some vendors are clearly considering cyber-security as they develop their IoT devices, there's still a risk that a connected app-controlled device might have at least one security issue. Criminals are limited only by their ability to find such vulnerabilities, so it's vital that vendors fix every potential loophole before a product hits the shelves, no matter how small they may seem. After all, it's always more difficult to fix a problem when a device is already in our homes.
In order to help you protect your home, you can follow these three simple rules:
1. Before buying any IoT device, search the Internet for news of any vulnerability that may have been found within that device. Since IoT is now a very hot topic it is very possible that the device you are thinking about buying has already been examined by security researchers and you can find out whether any issues found in the device have been patched.
2. Although tempting, it's not always the best idea to buy the most recent products released on the market. Recently-launched devices might contain security issues that haven't yet been discovered by security researchers.
3. Try to be security conscious when buying IoT devices. When choosing a device that will collect information about your personal life and the lives of your family, like a baby monitor, it may be wise to choose the simplest model on the market. Perhaps one that is only capable of audio, without Internet connectivity. If that is not an option, see if it's possible to switch off functionality that you don't really need.