The relatively recent WikiLeaks exposure of the CIA’s CherryBlossom programme revealed just how vulnerable smart homes can be to hacking and privacy intrusions.
CherryBlossom provides details on hundreds of routers and how they can be hacked. The router has always been the weak link into the network and we’ve already seen multiple examples of vulnerabilities in many consumer routers.
If the router is hacked, the smart home and all its devices are laid wide open for all sorts of mischief to be carried out. Malware, such as banking trojans, can be planted on home computers, all the network traffic can be viewed and smart devices can be remotely manipulated.
We can leave it to the imagination as to what kind of damage can be caused but we’ve already seen baby monitors and cameras hacked, heating systems tampered with and lighting systems played around with as though they are Christmas lights.
However, many of these smart devices can also be hacked directly without needing to go via a router. The blunt reality is that many smart devices are only protected by default passwords and admin credentials, and in some cases these can’t even be changed.
Millions of vulnerable devices
The Shodan search engine trawls the internet every day, letting users find all sorts of computing devices such as simple webcams, routers and servers, and in some cases industrial equipment that controls infrastructure, whether traffic lights or power plants.
For hackers it’s a sort of El Dorado in which they can easily identify and manipulate vulnerable smart devices. Several years ago an anonymous user took control of more than 400,000 internet-connected devices using just four default passwords.
The Mirai botnet, and other similar botnets, also illustrate how easy it is to identify and control unprotected smart devices. The damage caused by Mirai was largely an inconvenience, taking down major websites like Twitter and Netflix, but at the very least it should have rung warning bells.
However, that appears not to be the case. Smart device manufacturers are still making frighteningly obvious oversights when it comes to security and many consumers are not checking the security of the products they buy.
A BullGuard survey of 2,000 UK adults revealed a third of respondents have no idea if their smart tech is secure, a quarter said their devices have no security – and half don’t know if the protection they have is stringent enough.
The trouble with standards
It’s easy to suggest that manufacturers need to tighten up on security, and of course this is true. But device standards which they could follow are seriously fractured and in many cases non-existent.
That isn’t to say standards don’t exist; they do. In fact the list of standards for IoT development can be mind-boggling, ranging from infrastructure protocols to data transport standards.
The only problem is that these standards are often not applied. And from a standard perspective the IoT industry is bedevilled by protocols competing with each other.
At a basic level smart device users should be asking: does the device provide authentication? Can the username and password be changed? Is customer support provided? Does the device collect your data and, if so, why? Has the manufacturer suffered any data breaches? And does the device encrypt stored data?
Another thing to consider is whether the device manufacturer puts out automatic updates to the device. Some do, many don’t. If a manufacturer doesn’t supply updates it should be a red flag. Out-of-date systems are almost always vulnerable to attack and firmware updates should be a matter of course. Without any of these measures smart homes and smart devices are vulnerable to attack whether it’s a targeted hack or a privacy violation.
Interestingly, the BullGuard survey revealed that a significant number of potential smart device users would be receptive to security improvements. For instance, six in ten respondents would be encouraged to buy additional smart devices if manufacturers did more to put consumers’ minds at ease regarding the security risks.
That said, almost half were not aware that manufacturers of smart home devices release software updates that could improve security, and worryingly 35% said they do not know how to apply updates.
Choose your hack
At the moment smart homes are a relatively new concept but they are rapidly gaining ground in the US while across Europe the tendency is to add one or two devices to the home network. That said, it won’t be long before new builds include smart technologies embedded into the fabric of the building.
As consumer smart devices gain a stronger hold the hacking footprint clearly grows much bigger. And it’s inevitable that they will become targets for all shades of cyber miscreants.
There will be hackers who spy on you, hack your baby monitor and generally cause mischief. These are likely to be similar to script kiddies, young inexperienced hackers flexing their newly acquired cyber muscles.
Then there will be more serious-minded hackers who exploit the vulnerabilities in connected devices to use them for large-scale network attacks, for instance by enlisting them in a botnet to launch massive DDoS attacks, as we have already seen.
Then there will be the purely criminally minded who just want to steal your money, for instance by hacking a smart device that also allows access to a desktop computer to implant malware such as banking trojans. And then there’s the very real scenario in which lives are lost, if for instance smart medical devices in the home are hacked.
Homes held to ransom
This isn’t science fiction; it’s potentially real. Consider that when desktop computing started to become mainstream during the 1980s, people laughed at the idea of computer viruses; it just wasn’t possible, they thought. Clearly we know better today.
How long will it be before we see a smart home locked down by hackers demanding a ransom? It’s not that far away; it’s a question of when rather than if.
Of course, if there were sweeping universal standards that governed smart devices many of these security issues would be addressed. But desktop computing has been with us for nearly 40 years and standards even in this area are still developing as technology progresses.
Technology fights back
That said, there are answers and solutions. Advanced technologies like machine learning and artificial intelligence can help provide enterprise-grade security to smart homes. When used in conjunction with cloud-based intelligent data analysis, a robust and smart security field can be thrown around smart homes.
This doesn’t have to be complex for end users. In fact, this level of protection should be just the opposite: very simple to use via smartphone apps. The alternative is smart homes around the world that are wide open to all manner of cyber-attacks.
Paul Lipman, CEO, BullGuard