The connected smart home is fast becoming the norm, wouldn’t you agree? Smart gadgets like light bulbs, smart assistant speakers, thermostats, cameras and door locks arguably make life more convenient.
That futuristic “Back To The Future” vibe can be Marty McFly cool, but are we trading convenience for our home’s security?
And what if that seemingly innocent smart baby monitor can be hacked and compromised via a quick Google search?
That’s precisely what this respected software security research team sought to study. Read on to learn more about these surprisingly simple Internet-of-Things attacks.
That smart gadget is not as smart as you think
Our dear old friends from Ben-Gurion University in Israel have, yet again, uncovered a number of serious security issues on a number of smart gadgets.
These security researchers are the same guys who regularly expose exploit techniques, not just for computers, but also unconventional hacking methods of everyday tech items such as headphones and even hard drive sounds.
This time, the Ben-Gurion University researchers tested a variety of off-the-shelf internet-of-things gadgets like baby monitors, security cameras and thermostats.
What did the researchers find out? Their results will terrify you.
Hacked with a quick search
Overall, the Ben-Gurion University researchers evaluated 16 popular smart appliance brands from high-end and low-end manufacturers.
The study included internet-connected baby monitors, smart doorbells, smart thermostats and home security cameras.
Although they found a number of ways hackers can infiltrate the gadgets, they revealed the simplest method is the most effective attack of all – entering the default factory passwords revealed via a simple web search.
Omer Schwartz, a researcher on the study, noted the simplicity of this method. “It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand,” he warned.
This means all a hacker needs to do is scan for vulnerable gadgets across the web with an online tool like Shodan, then search online for the default password of that gadget’s make and model to access its web interface. Once in, an attacker can have total control of the smart gadget.
According to Dr. Yossi Oren, the lead of the study, they “were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely.”
“It is truly frightening how easily a criminal, voyeur or pedophile can take over these devices,” he continued.
And beyond voyeurism and cruel pranks, a compromised smart gadget can also be used as a minion in malicious botnet attacks. Your gadget might be an accomplice in a Mirai-style DDoS attack without you knowing it.
Different brand. Same product.
The Ben-Gurion University researchers also discovered one peculiar thing – similar appliances even under different brands share the same default passwords!
Why is this so? Most likely, vendors source parts, components or even whole products from the same original equipment manufacturer (OEM), typically located in Asia. Many smart appliances differ in branding and labeling but they are essentially the same product inside.
This means you can be equally vulnerable to the same password hack even if you replace your smart appliance with a different brand!
But the worst part is this. Despite numerous warnings from experts and software security advisers like your friends here at Komando.com, consumers and businesses never bother changing their smart appliance or Internet-of-Things gadget’s default password after purchase.
Millions of gadgets around the world may already have been infiltrated and abused for years without their owners knowing about it!
Got a smart device? Be smart about it
Manage it – So do yourself a favor: if you own a smart baby monitor, security camera, thermostat or video doorbell, check its manual right away to see whether it has a web management interface. Most of the time, you can access this interface via a regular web browser, desktop software or an app.
Change password – Once in, replace the default password immediately with something strong and unique. This will immediately protect you from the simplest “scan and search” Internet-of-Things attacks out there. Note: If you don’t have the manual or the default password, do what the researchers did – Google it!
Connect to the internet only when needed – Another way to protect your smart gadget is by connecting it to the internet only when necessary. For example, baby monitors, thermostats and security cameras can still be used effectively within your home network, without exposing them to the public.
Avoid second-hand products – Also, beware of buying second-hand smart gadgets that may already have been compromised. If you do, reset it promptly to factory default then change its password.
Avoid unknown brands – And lastly, only buy from established and reputable brands. If a security camera is from an obscure Chinese company with no reputable online presence at all, please stay away from it. The prices of these off-brand gadgets may be lower but, most of the time, you do get what you pay for.
Hopefully, more smart appliance manufacturers will focus more on their products’ software security rather than haphazardly slapping together components from different OEMs.
Perhaps, a simple user password change prompt during the setup process will be enough to prevent most of these attacks, don’t you think?
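What such a setup step could look like when it is enforced rather than only prompted, as an added example that is not from the researchers or any vendor. The `Device` class, the sample default passwords and the 12-character minimum are assumptions made up for illustration; the shared list reflects the finding above that rebranded products reuse the same defaults.

```python
import hashlib
import hmac
import os

# Constructed sample values, not real vendor defaults.
FACTORY_DEFAULT = "admin1234"
# Defaults shared by rebranded products built on the same OEM hardware.
OEM_SHARED_DEFAULTS = {"admin1234", "12345678", "password"}
MIN_LENGTH = 12


class Device:
    def __init__(self):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(FACTORY_DEFAULT)
        self.provisioned = False  # True only after the owner sets a password

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, self._hash(password))

    def set_password(self, current, new):
        """Local setup step. Returns (accepted, reason)."""
        if not self.check_password(current):
            return False, "current password incorrect"
        if new.lower() in OEM_SHARED_DEFAULTS:
            return False, "known default"
        if len(new) < MIN_LENGTH:
            return False, "too short"
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(new)
        self.provisioned = True
        return True, "ok"

    def remote_login(self, password):
        # The web interface rejects every login until setup is finished,
        # so the factory password never works over the network.
        if not self.provisioned:
            return False
        return self.check_password(password)
```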