Off-the-shelf smart home devices are a lot less safe than you think, report says

It’s not just computers that get hacked these days — researchers from Israel’s Ben-Gurion University of the Negreb are sounding the alarm on fundamental vulnerabilities in smart home devices. A new report in the journal Smart Card Research and Advanced Applications by school’s team at the Implementation Security and Side-Channel Attacks Lab found that it’s startlingly easy to uncover serious security risks in devices like baby monitors, home security cameras, doorbells, smart locks, and thermostats.

The researchers examined 16 off-the-shelf smart home gizmos to see if they could crack them. Out of these 16 devices, they were able to find the password for 14 of them while the majority of the devices were able to be accessed within 30 minutes and attached to a botnet. They originally set out to disassemble the devices and reverse-engineer them before they discovered that the easiest method was simply to track down the default factory-set passwords.

The majority of products in the smart home market come with common, easy-to-guess default passwords that many consumers never change, opting for convenience over safety. The researchers concluded that for many manufacturers, getting smart products to market at an affordable price is more important than securing them properly.

“It only took 30 minutes to find passwords for most of the devices, and some of them were found only through a Google search of the brand,” said Omer Shwartz, one of the researchers on the project. “Once hackers can access an Internet of Things (IoT) device, like a camera, they can create an entire network of these camera models controlled separately.”

Using the devices in their laboratory, the researchers were able to play loud music through a baby monitor, turn off thermostats and other devices and turn on cameras remotely. The security implications of this study are, or should be, of great concern to the massive number of people using IoT devices without implementing better security protocols.

“You only need physical access once,” said Dr. Yossi Oren, who heads up the cybersecurity lab. “Once you buy one copy of a make and model of a camera and you attack it in your lab, you get information which will allow you to attack this make and model anywhere remotely,” he said.

In addition to uncovering these security faults, the researchers also put together a number of tips to keep smart home devices, families ,and businesses more secure. Their protocols include:

  1. Buy IoT devices only from reputable manufacturers and vendors.
  2. Avoid used IoT devices. They could already have malware installed.
  3. Research each device online to determine if it has a default password and, if so, change it before installing.
  4. Use strong passwords with a minimum of 16 letters. These are hard to crack.
  5. Multiple devices shouldn’t share the same passwords.
  6. Update software regularly.
  7. Carefully consider the benefits and risks of connecting a device to the internet.

“The increase in IoT technology popularity holds many benefits, but this surge of new, innovative, and cheap devices reveals complex security and privacy challenges,” said researcher Yael Mathov. “We hope our findings will hold manufacturers more accountable and help alert both manufacturers and consumers to the dangers inherent in the widespread use of unsecured IoT devices.”

Previous research by the Ben-Gurion University cybersecurity team has included cracking the debug port on certain IoT cameras, applying a new innovative firewall to Android phones, uncovering a unique hacking technique known as ” air-gapping,” and finding a way to transform headphones into microphones.