Home open to hackers

by Mark Rowe

Vulnerable smart and ‘internet of things’ (IoT) gadgets could leave your home open to hackers, reports the consumer advice and campaign body Which?. They set up a real home with smart gadgets – from a CCTV camera to a Bluetooth cuddly toy – and hired ethical security researchers SureCloud to hack it.

Alongside a range of hacking techniques, SureCloud ran surveillance (with the residents’ consent) on the home and those who lived there to gather information that could be used to breach their digital security. Some of the devices proved harder to hack than others, but eight out of 15 were found to have a security vulnerability. In light of the investigation, Virgin is advising more than 800,000 customers with Super Hub 2s to change their password.

As for the home CCTV system, it operated over the public internet using a default administrator account without a password. Beside that camera in the test house, Which? found thousands of similar cameras available, which could let anyone watch the live feed over the internet. Which? has called on industry to take the security of internet-enabled and smart products seriously by incorporating it as a top priority from the outset.

Which? offers ‘Five ways to protect your smart home from hackers’.

Comments

Matthias Maier, Security Evangelist at IT analytics and security software company Splunk, said: “Organisations that provide internet connected devices to consumers need to think carefully about how they will overcome the security challenge that will inevitably come with the devices they produce. Suppliers need to think about the responsibility they have for owning the maintenance of a device for its full lifecycle. They need to introduce monitoring for flaws and ensure over-the-air (OTA) updates are available so that their customers are better protected. In this example, individuals are being asked to change their passwords, but human nature tells us that it’s questionable if all of their customers will do it. As a result, it’s likely that vulnerable systems will continue to be available over an extended period of time with hackers inevitably using them for malicious purposes.”

Jon Geater, CTO, Thales e-Security, said: “Mixing consumer commodity items with the internet was never going to end well. Throw in the pace of change that we have been trained to expect by the app economy and you have a perfect storm for vulnerability. Just a few short years ago nobody would have dreamed of installing spy cameras and bugs in their homes, leaving their wallets out and open or putting unknown strangers in charge of their energy and food supply, but this is essentially what is happening by default as manufacturers rush to make home gadgets more sparkly without understanding the huge difference that comes with internet-enabling your Thing.

“But beyond hacking into a smart toy, just imagine the devastating consequences should an attacker gain control of a fleet of connected cars, or even introduce a malicious software update to the ever-growing set of connected health devices. Ransomware on your pacemaker, anyone?

“Worryingly, the level of built-in security in connected devices varies widely. Devices can be laden with security problems such as outdated firmware, unaddressed security bugs and vulnerabilities and, what’s more, IoT device vendors may employ open source software in order to accelerate products to market without understanding the security implications or the need for lifetime updates and maintenance.

“Device-makers, then, need to consider embedding ‘digital birth certificates’ into connected devices, at the time of manufacture to keep hackers at bay. Based on strong cryptographic protocols, digital birth certificates create a unique ID for each and every device, and this can prevent the introduction of unauthorised code, or unauthorised access. Once embedded, these certificates can also be useful in defending against remote attacks that may introduce malicious code or alter the purpose of a device, as the attempted update would fail the authenticity test. Until we have serious safety standards for connected code these simple but very effective measures will ensure consumers are kept safe in the connected world.”
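The authenticity test Geater describes can be made concrete. The following is an added example, not code from Thales or any device vendor: it assumes the manufacturer signs firmware with an Ed25519 key, that the matching public key and a unique device ID are provisioned at the factory (the “birth certificate”), and it uses a constructed, simplified update container rather than any real update format. It goes slightly beyond the quote by also binding each update to a device identity and version, so an update signed for another device, or an older signed image, is refused along with tampered code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Reasons a device gives for refusing an update.
var (
	ErrBadSignature = errors.New("signature does not verify against the device trust root")
	ErrWrongDevice  = errors.New("update was issued for a different device identity")
	ErrRollback     = errors.New("update version is not newer than the installed version")
)

// FirmwareUpdate is a constructed, simplified container (not a real vendor format):
// the image, the device it is issued for, a version counter, and the manufacturer's
// signature over all three.
type FirmwareUpdate struct {
	DeviceID  string
	Version   uint32
	Image     []byte
	Signature []byte
}

// signingInput hashes device ID, version and image together, so a signature made for
// one device or one version cannot be replayed against another.
func signingInput(deviceID string, version uint32, image []byte) []byte {
	h := sha256.New()
	h.Write([]byte(deviceID))
	h.Write([]byte{0}) // separator so the ID and version bytes cannot run together
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// Manufacturer holds the signing key that never leaves the vendor's build system.
type Manufacturer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewManufacturer() (*Manufacturer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Manufacturer{pub: pub, priv: priv}, nil
}

// Device models what is burned in at manufacture: a unique identity and the
// manufacturer's public key as trust root, plus the installed firmware version.
type Device struct {
	ID        string
	TrustRoot ed25519.PublicKey
	Version   uint32
}

// Provision issues the "birth certificate": identity plus factory trust root.
func (m *Manufacturer) Provision(deviceID string) *Device {
	return &Device{ID: deviceID, TrustRoot: m.pub, Version: 1}
}

// SignUpdate issues an update bound to one device identity and version.
func (m *Manufacturer) SignUpdate(deviceID string, version uint32, image []byte) FirmwareUpdate {
	return FirmwareUpdate{
		DeviceID:  deviceID,
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(m.priv, signingInput(deviceID, version, image)),
	}
}

// ApplyUpdate is the device-side authenticity test: verify the signature before
// trusting any field, then check identity and version, then install.
func (d *Device) ApplyUpdate(u FirmwareUpdate) error {
	if !ed25519.Verify(d.TrustRoot, signingInput(u.DeviceID, u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.DeviceID != d.ID {
		return ErrWrongDevice
	}
	if u.Version <= d.Version {
		return ErrRollback
	}
	d.Version = u.Version
	return nil
}

func main() {
	m, err := NewManufacturer()
	if err != nil {
		panic(err)
	}
	cam := m.Provision("cam-0001") // constructed device identity
	good := m.SignUpdate("cam-0001", 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine update:", cam.ApplyUpdate(good), "-> installed version", cam.Version)

	tampered := good
	tampered.Image = []byte("constructed firmware image v2, altered in transit")
	fmt.Println("altered image:", cam.ApplyUpdate(tampered))
	fmt.Println("other device's update:", cam.ApplyUpdate(m.SignUpdate("cam-0002", 3, []byte("v3"))))
	fmt.Println("replayed older version:", cam.ApplyUpdate(m.SignUpdate("cam-0001", 1, []byte("v1"))))
}
```

The order of checks in ApplyUpdate is deliberate: nothing in the update is believed until the signature verifies, and a rejected update leaves the installed version untouched. A real product would also keep the trust root in tamper-resistant storage and protect the signing key in an HSM, which this example does not model.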

Mark James, Security Specialist for anti-virus and internet security product company ESET, said: “As we embrace more and more IoT and come to expect the ability to connect to anything and everything, no matter where we are, it stands to reason that companies want to make things as easy as possible for the user to embrace quickly and easily. This is where it can fall apart. Security by design requires effort most of the time; when we get a nice, new shiny device all we want to do is plug it in and expect it to work! When we are presented with instructions to change passwords and even usernames for some, it may seem a little too much effort. But if we want to stay safe, we have to make these changes.

“When items are shipped from the manufacturers, they have to use a default username and password to enable anyone to configure them. We must ensure we change that password immediately, and in the best cases we should be forced to change it before we continue. A good thought process should be along the lines of ‘any password created by someone else is a bad password’.”

And Cesare Garlati, chief security strategist, prpl Foundation, said: “It is good to see such a prolific consumer advocacy organisation like Which? take a stance on security. Of course, IoT security is not a problem that is going to be fixed by one single entity, it will take the industry at large to get involved to create communities and advance our knowledge of the subject matter. Developers should take note that security is an issue for consumers these days and stop hardcoding passwords in devices and making them susceptible to attack. For those concerned about the security of smart home devices – start with basic home router or home gateway best practice: 1) Regularly check for router firmware updates 2) Change default password on router 3) Configure firewall policies 4) Enable MAC filtering 5) Use guest network for guest devices 6) Use guest network for home devices 7) Disable UPnP 8) Close all ports on your firewall. More detail can be found here: https://prpl.works/smart-home-security-report/.”

© 2024 Professional Security Magazine. All rights reserved.