It is a well-known fact that smart home devices, despite being dubbed as flag-bearers of next-generation technology, fare poorly when it comes to warding off hackers and protecting consumers' privacy. Despite many proofs and revelations confirming their vulnerability, the number of such devices in use is expected to reach 75.4 bn worldwide by 2025.
Consumer firm Which? have now come up with a practical demonstration to prove how easily smart home devices can be hacked and used to snoop on their unsuspecting owners.
Smart home devices aren't just new toys that we haven't used before. They are basically advanced versions of the usual pieces of tech that grace our homes, offices and shopping centres. They now range from smart TVs to printers, Wi-Fi expanders, smart lightbulbs, fitness trackers, and modern-day routers.
It's no wonder that IoT devices are the favourite playthings of hackers and cyber-snoopers. 89% of smart healthcare devices, 82% of smart manufacturing equipment, 76% of retail and 85% of government owned or issued IoT tech have been raided successfully by hackers. Malware intrusions accounted for 49% of all attacks on IoT devices so far.
"Researchers have been testing the security of IoT devices for a long time and have often found them lacking even basic security practices. From enforcing strong password authentication to encryption and security updates, most IoT manufacturers treat security features trivially and oftentimes are not even included in the device’s development roadmap," said Liviu Arsene, Senior E-threat Analyst at Bitdefender.
To test this theory, a Which? investigation team installed as many as 15 smart home devices in a real home. These devices included a CloudPet (a smart stuffed toy), a Virgin Media Super Hub 2 router, and a Fredi Megapix CCTV camera system.
Which? hired ethical security research firm SureCloud to hack into these devices and test their effectiveness against intrusion attempts. Not surprisingly, eight out of the fifteen devices were found to contain security vulnerabilities.
"Organisations are bound by the Data Protection Act 1998 to keep your data secure, which means they must take measures to prevent unauthorised or unlawful processing of your personal data," says Melissa Massey at Consumer Rights, Which?
Not only did SureCloud researchers hack into the smart stuffed toy to send a message to a child, but they could also infiltrate the CCTV camera to watch its live feed over the internet. At the same time, the researchers took only a few days to hack into the Virgin Media Super Hub 2 router, which served as a gateway to all connected devices within the home. In the case of the router, the homeowners used the default password mentioned on the sticker instead of a new one, which is what happens in a majority of homes in the UK.
"More care needs to be taken when designing smart gadgets and toys, and the security and privacy of the user should not be left as afterthoughts. In the case of CloudPets, for example, some sort of authentication system could have been implemented when connecting via Bluetooth to increase security," said Which?.
Following the investigation, Virgin Media has advised approximately 864,000 owners of Super Hub 2 routers to change their password. According to Virgin Media, the number of such users is shrinking as many of them are now upgrading to the Super Hub 3, which features a stronger 12-character password. Which? said that "while it took mere days for us to crack the Super Hub 2 password, using the same approach it would take 262m years to breach the Hub 3."
"Security by design requires effort most of the time; when we get a nice, new shiny device all we want to do is plug it in and expect it to work! When we are presented with instructions to change passwords and even usernames for some, it may seem a little too much effort. But if we want to stay safe, we have to make these changes," says Mark James, Security Specialist for ESET.
"A good thought process should be along the lines of “any password created by someone else, is a bad password”," he added.
Jean-Frederic Karcher, Head of Security at Maintel, believes that instead of simply adding new passwords, people should use 'new password enforcement solutions available on the market, including next-generation authentication technologies, which are able to authenticate identities in a way that is both stronger than passwords and also easier for people to use.'
"There are options, including password managers, using a mobile app to enable a 2-step authentication or even a system where all you have to do to login to a computer is to tap it with your phone. This should make it significantly harder to access your account without authorisation."