Is your smart home vulnerable to hackers?
▶ Could devices that claim to make our lives easier also have the potential to make them much more difficult? Rhodri Marsden investigates
It’s an unsettling experience to have your home invaded by some kind of technological poltergeist. Unusual messages spontaneously emerging from your printer. Disembodied voices coming through your security camera. Thermostats going haywire, odd videos interrupting your evening’s television viewing and doors unlocking without warning. While these occurrences are still relatively uncommon, last year saw a marked increase in hackers targeting internet-connected devices in people’s homes: from light bulbs to plant waterers, music players to central-heating systems. The consumer appeal of this kind of gadget is obvious: by hooking them up to your network, you can automate them and control them remotely – but with that convenience comes vulnerability.
In recent months, a number of well-publicised incidents have raised awareness of the problem. In November, a group of hackers in Calgary, Canada, accessed a security camera belonging to a man living 2,500 kilometres away in Arizona and spoke to him through the device to warn him that his home was insecure. One of his personal passwords had leaked on the internet, and he had used the same one for his camera. Last week, someone styling themselves as “The Hacker Giraffe” hijacked tens of thousands of printers and Chromecast devices to display messages promoting the videos of Swedish You Tuber Pew Die Pie.
While these incidents seem to be mischievous rather than malicious, they highlight a more sinister problem, according to John Shier at security software firm Sophos. “Insecure devices can become a gateway into the rest of your network,” he says. “This could dramatically impact your privacy if documents are stolen or your traffic is monitored. But the more likely scenario is one we’ve seen time and time again, where devices are hijacked to become part of a botnet – perhaps a hundred thousand strong – which is then used to attack somebody else.”
Craig Young, a researcher at cybersecurity firm Tripwire, explains that compromised devices can also present a direct risk to personal safety. “If a Chromecast device is improperly exposed to the internet,” he says, “someone could find out its physical location. Then, if they see that no one has watched TV for 24 hours, they might guess that you’re away from home.” With a predicted 20 billion so-called “Internet of Things” (IoT) devices online by 2020, the potential for this kind of crime is growing by the day. “We need to start thinking in terms of herd immunity,” Shier says.
While it’s true that many people take little interest in their own digital security, Young believes that a good deal of the blame can be laid at the doors of certain manufacturers. With the growing trend for devices to work straight out of the box, the industry-wide pursuit of a “frictionless” experience – no menus, no passwords, no hassle – can present problems. “Firms want to encourage adoption of these new technologies,” Young says. “So some of them make devices easier to use by sacrificing certain security components. They promote the idea that anything you put in your home network is safe because it’s only used by people you trust – but that doesn’t meet the reality of the modern internet.” Shier also sees security problems in budget products. “The firms who want to get in on the IoT craze will try to get to market cheaper than everybody else,” he says, “and so corners are cut.”
User-friendly devices that don’t require a password to access them present obvious problems, but devices where default factory-set passwords are never changed by the user are equally unsafe. Such devices have been attacked for years. In 2014, a Russian website began broadcasting streams from unsecured webcams and it became hugely popular – but we still haven’t wised up. A 2017 article by security company Positive Technologies estimated that the default passwords of 15 per cent of internet-connected devices have never been changed since they were unboxed. A simple Google search can reveal those default passwords, giving hackers a big headstart when looking for vulnerabilities.
As hacking methods become more sophisticated, smart devices also need regular firmware updates to stay secure – but the habit of checking for such updates hasn’t caught on, according to Young. “I don’t know about you,” he says, “but I don’t think many people are logging in to, say, their router on a regular basis to see if it needs an update. The only way somebody will do that is if they see a news story telling them that it’s being exploited.” Shier agrees. “It’s difficult to incentivise somebody to do something from a security perspective,” he says, “but when you see that someone’s webcam has been hacked, well, then it becomes real.”
The Hacker Giraffe, who perpetrated last week’s printer and Chromecast exploit, styles himself as a “white hat” hacker whose exploits are to alert consumers to poor security. “I just wanted to tell people that their devices were vulnerable,” he said in an audio post on Twitter. “It doesn’t matter how many blog posts security researchers write. No one cared, no one thought about it. But all it took was someone like me. The number of printers exposed went down, people started protecting their stuff. I’m glad.” But having received a number of threatening messages in the past few days, he has curtailed his activities and deleted almost all of his online accounts. “I definitely don’t support hackers using people’s devices [in this way],” Young says, “but I can understand where they’re coming from.”
The problem evidently can’t be solved by public-spirited hacking alone, and Shier believes that governments will soon start to take action. “I think they will provide incentives to companies by drawing up a set of guidelines,” he says, “and if a product meets all of them, then they’ll have the opportunity to put a gold star on the box [as an assurance of quality], so that it stands out from the others.” This would certainly be a step in the right direction, but little progress is being made on agreeing an international set of guidelines for the security of baby monitors, fridges, smart kettles and home hubs. For the time being, it’s down to us to recognise that devices that claim to make our lives easier also have the potential to make them much more difficult.