The Internet of Things (IoT) has made the conveniences of smart homes a reality for many, but has also raised the risk of cybersecurity threats.
This shouldn’t shock anyone. Fundamentally, anything which can connect to the internet is hackable. The security of IoT devices is constantly being improved, but consumer error, faulty technology or overlooked bugs can lead to compromised systems.
“In a desire for more convenience we’ve potentially created a vulnerability,” David Bicknell, principal analyst at GlobalData’s thematic research team, tells Verdict.
Consumer advocacy group Which? conducted an illustrative experiment in 2021 that unveiled the cybersecurity risks of smart homes. The researchers began by creating a smart home. They then sat back and waited to see how long and how many hacking attempts the network would be exposed to. The result was shocking. At its peak, Which? recorded more than 12,000 attempts in one week.
Researchers have provided a plethora of similar examples over the years. They have demonstrated how bad actors can leverage vulnerabilities in everything from smart bulbs to Amazon smart speakers to gain access to supposedly secure systems.
Scary as those examples might be, it’s worth remembering that those white hat hackers were the good guys – they wanted to show companies the weaknesses in their defences before any customer had their privacy violated or worse. However, not all hackers that break through the cybersecurity of smart homes are that benevolent.
“[It’s] not just people hacking in their bedroom anymore, [it’s] a money-making exercise and so the level of commitment from a security point of view has to be much greater,” Bicknell says.
Cybersecurity experts weigh in on why smart homes are at risk
What makes smart home devices so risky from a cybersecurity perspective? If you ask cybersecurity experts, it comes down to the manufacturers.
“In many cases, IoT devices present such a risk because they are not designed with security in mind,” Joe Robertson, director of information security and EMEA CISO at security firm Fortinet, tells Verdict. “Many of them are headless, which means they do not have a traditional operating system or even the memory or processing power required to include security or install a security client. In addition, an alarming number of devices have passwords hard-coded into their firmware.”
Robertson argues that this has left many IoT devices unable to patch vulnerabilities when they are discovered. Additionally, he suggests that “the underlying installed software is often cobbled together from commonly available code or is untested, which means that most installed security tools can be circumvented by exploiting a wide range of known vulnerabilities.”
Cybersecurity experts also lambast connected device manufacturers for failing to set up adequate security standards. This, experts warn, has left their devices’ digital defences with vulnerabilities that laptop-wielding larcenists are just waiting to exploit.
“Most newer manufacturers seem to still believe that the internet is an inherently safe place, versus one that’s full of people trying to get their hands on information,” Pedro Canahuati, CTO of cybersecurity unicorn 1Password, warns.
This creates a problem when home owners add a new device with weak cybersecurity to their house.
“Just one compromised IoT device could signal trouble, as it serves as a gateway to all other devices (and therefore data) connected to that same network,” Mark Raeburn, managing director of Accenture Security Global, tells Verdict. “So, say you have an employee working from home and their smart TV gets hacked – the rest of the devices connected to that same network also risk being compromised. This is an issue increasingly facing businesses as hybrid working continues to be the norm for many.”
There have been numerous examples of real-life incidents. Here we list some notable examples of smart home technology being compromised in various ways.
Ring is a security company. The Amazon-owned business has developed a range of connected devices such as doorbells and security cameras to provide home owners with a sense of safety. However, a string of lawsuits has blemished Ring’s reputation, accusing the company’s smart home solutions of having lax cybersecurity.
A US lawsuit filed in 2019 alleged that several Ring customers had reported that their camera had been hacked by third parties. The hackers had gotten access to the video and two-way speaker-microphone system and used them to invade users’ privacy. The lawsuit alleged that Ring had attempted to distance itself from the hacks by blaming the victims for having failed to create strong security passwords.
Lawyers filed a second lawsuit in 2020. The second suit alleged that dozens of people had had their devices hacked. The bad actors had then used the hacked devices to harass the owners with death threats, racial slurs and blackmail.
Ring is adamant that these alleged events are behind the company and that it has taken measures to ensure the safety of its customers.
“Privacy, security and customer control are foundational to Ring,” a Ring spokesperson told Verdict. “This guides everything we do, from the hardware we design, to the practices we implement. We’re constantly evolving and evaluating our approach to privacy and security to keep our customers protected.
“We have taken strong steps to protect customers and help keep their information and accounts safe. We made two-step verification mandatory, alert customers each time a new device logs into their account, and regularly scan lists of compromised account credentials from non-Ring breaches. We offer video End-to-End encryption as an advanced encryption option to give customers even more control over who can view their videos. Most recently, we introduced CAPTCHA to our web and app logins, and began supporting authenticator apps for a more secure two-step verification experience.”
The IoT truly means that a whole range of devices can be connected, which provides hackers with more attack points. In 2017, the Washington Post reported how black hat hackers had used a fish tank to break into a North American casino.
The fish tank had sensors which monitored its temperature, food, and cleanliness and fed this data to be regulated by a connected PC. By accessing this, other areas of the network could then be reached.
Darktrace, the UK cybersecurity unicorn that went public in 2021, uncovered the incident. While the firm didn’t divulge what kind of data had been compromised in the hack, it said that at least 10GB of data was sent to a device in Finland.
The incident underlines the lesson mentioned earlier: your cybersecurity is only as strong as the weakest digital defences of any device in your smart home.
TRENDnet SecurView cameras
Smart home manufacturers can brag about their cybersecurity chops as much as they want, but it’s very difficult to do so when over 700 of your camera feeds are posted on the web. Connected device manufacturer TRENDnet learned that lesson the hard way in 2012 when hackers exploited a security flaw in its SecurView cameras.
The black hats used a vulnerability that allowed anyone to access the feeds of any camera as long as they had the camera’s IP address. TRENDnet was also scrutinised when it was revealed that the company had transmitted user login credentials in clear and readable text over the internet.
The US Federal Trade Commission later accused the firm of having broken the law by misrepresenting its devices as “secure”. TRENDnet ended up settling the case. As part of the settlement, the business was forced to undergo serious security assessments of its products over the next two decades.
In 2019, a US-based couple had a nightmare 24 hours after their Nest devices were hacked. The hackers turned the smart thermostat up to sweltering temperatures, talked to the couple through a smart camera and played vulgar music, Fox 6 Now reported. The couple blamed Google-owned Nest, arguing that the company should’ve done more to protect their privacy from being violated this way.
However, Google essentially blamed the couple for the breach.
“Nest was not breached,” the company said. “These reports are based on customers using compromised passwords (exposed through breaches on other websites).”
Despite the company denying any wrongdoing, Google upped the security of its Nest products in 2020 following a string of similar hacks. The beefed-up security would strengthen its anti-malware protections and introduce two-factor authentication for users to verify their identities, TechCrunch reported.