Skip to main content

Off-the-shelf smart home devices are a lot less safe than you think, report says

It’s not just computers that get hacked these days — researchers from Israel’s Ben-Gurion University of the Negreb are sounding the alarm on fundamental vulnerabilities in smart home devices. A new report in the journal Smart Card Research and Advanced Applications by school’s team at the Implementation Security and Side-Channel Attacks Lab found that it’s startlingly easy to uncover serious security risks in devices like baby monitors, home security cameras, doorbells, smart locks, and thermostats.

The researchers examined 16 off-the-shelf smart home gizmos to see if they could crack them. Out of these 16 devices, they were able to find the password for 14 of them while the majority of the devices were able to be accessed within 30 minutes and attached to a botnet. They originally set out to disassemble the devices and reverse-engineer them before they discovered that the easiest method was simply to track down the default factory-set passwords.

The majority of products in the smart home market come with common, easy-to-guess default passwords that many consumers never change, opting for convenience over safety. The researchers concluded that for many manufacturers, getting smart products to market at an affordable price is more important than securing them properly.

“It only took 30 minutes to find passwords for most of the devices, and some of them were found only through a Google search of the brand,” said Omer Shwartz, one of the researchers on the project. “Once hackers can access an Internet of Things (IoT) device, like a camera, they can create an entire network of these camera models controlled separately.”

Using the devices in their laboratory, the researchers were able to play loud music through a baby monitor, turn off thermostats and other devices and turn on cameras remotely. The security implications of this study are, or should be, of great concern to the massive number of people using IoT devices without implementing better security protocols.

“You only need physical access once,” said Dr. Yossi Oren, who heads up the cybersecurity lab. “Once you buy one copy of a make and model of a camera and you attack it in your lab, you get information which will allow you to attack this make and model anywhere remotely,” he said.

In addition to uncovering these security faults, the researchers also put together a number of tips to keep smart home devices, families ,and businesses more secure. Their protocols include:

  1. Buy IoT devices only from reputable manufacturers and vendors.
  2. Avoid used IoT devices. They could already have malware installed.
  3. Research each device online to determine if it has a default password and, if so, change it before installing.
  4. Use strong passwords with a minimum of 16 letters. These are hard to crack.
  5. Multiple devices shouldn’t share the same passwords.
  6. Update software regularly.
  7. Carefully consider the benefits and risks of connecting a device to the internet.

“The increase in IoT technology popularity holds many benefits, but this surge of new, innovative, and cheap devices reveals complex security and privacy challenges,” said researcher Yael Mathov. “We hope our findings will hold manufacturers more accountable and help alert both manufacturers and consumers to the dangers inherent in the widespread use of unsecured IoT devices.”

Previous research by the Ben-Gurion University cybersecurity team has included cracking the debug port on certain IoT cameras, applying a new innovative firewall to Android phones, uncovering a unique hacking technique known as ” air-gapping,” and finding a way to transform headphones into microphones.

Editors' Recommendations

Clayton Moore
Clayton Moore’s interest in technology is deeply rooted in the work of writers like Warren Ellis, Cory Doctorow and Neal…
Why are hackers snooping on smart home security cameras? I asked an ex-hacker
Ring Stick Up Camera

One night about 20 years ago, while surfing the web on my family's Gateway 2000, Netscape Navigator slowed to a crawl. The mouse stopped responding. Even Ctrl-Alt-Delete did nothing.

Then, a Windows warning popped up. It looked ... wrong. A moment later, the screen went blank, the CD-ROM tray opened, and a chat box appeared.

Read more
After latest hack, experts say smart home security systems stink at securing data
Wyze Cam Pan Review

Another day, another smart home camera system security hack, this one affecting the Seattle-based company Wyze. First reported by the Texas-based cybersecurity firm Twelve Security and confirmed by Wyze, the hack is estimated to have affected 2.4 million customers who had their email addresses, the emails of anyone they ever shared camera access with, a list of their cameras, the last time they were on, and much more information exposed. Some customers even had their health data leaked.

“Personally, in my 10 years of [system administration] and cloud engineering, I never encountered a breach of this magnitude,” wrote Dan Ehrlich, founder  Twelve Security, in a post about the Wyze hack.

Read more
SimpliSafe knocks 50% off all smart home security alarm systems for Black Friday
simplisafe knocks off 50 on all smart home security alarm systems the foundation  1

SimpliSafe's whole-home security systems are among our favorites. SimpliSafe offers an in-depth menu of system configurations for different size homes and apartments at attractive prices for comprehensive home protection. To make the deal even sweeter, SimpliSafe knocked 50% off the prices sitewide in a sale the precedes Black Friday and Cyber Monday. This sale ends soon, so don't delay.

SimpliSafe has been in the home protection industry for more than a decade and has a full complement of sensors, with everything from window alerts, security cameras, smoke detectors, carbon monoxide sensors, and water leak sensors.

Read more