Recent reports of vulnerable smart devices are revealing the irony of smart home security—namely, that it can create a false sense of assurance while actually posing new vulnerabilities. In a recent article, CSO Online reported on Comcast’s Xfinity Home Security flaw that falsely shows home doors and windows are secured when they are, in fact, open. In response to these findings, Tod Beardsley of Rapid7 told CSO, “IoT devices tend to be designed with the happy path in mind, and often don’t consider an active adversary.” The active adversaries for smart home devices, however, are not going anywhere soon. In moving forward this year, we want to look at some of the big vulnerabilities with smart home devices, and discuss possible remedies.
According to this article by Infosec Institute, “connected cameras are the automotive devices having the greatest number of security vulnerabilities” because they “don’t encrypt data and implement weak password policies.”
Although these devices are intended to provide extra assurance that one’s home is secure, they can have the exact opposite effect by allowing hackers full access to camera footage. To stay safe, we recommend researching the security history of the camera manufacturer to evaluate the level of encryption they use. We also recommend using secure Wi-Fi and unique, secure passwords. Not changing the default password allowed over 73,000 security cams to be hacked in 2014—a significant error that users still make today.
Network World published an article year last year reporting on a personal and malicious attack involving a Honeywell Wi-Fi thermostat. The attack was performed by a man who was using the thermostat to enact revenge on his ex-wife and her new partner. The man’s detailed product review explaining his revenge received a lot of engagement on Amazon, with well over 8,000 people deeming it useful.
As if hackers did not warrant enough fear, the potential for personal hacks increases the risk of these devices. In this specific case, the woman’s neglect to change the password was the main source of the hack. The need for stronger password security is again at the top of the list for mitigating smart device vulnerability.
Weak Security Infrastructure
A most obvious cause of smart device vulnerability is the lack of security infrastructure in the manufacturing of these products. As this Business Insider article points out, there is no industry security standard for IoT products, and many manufacturers are opting to do the least amount of work possible. As Colby Moore of cybersecurity firm Synack has said of IoT manufacturers, “security isn’t a concern for everybody. It’s ship now and patch later mentality.”
Consumers are then even more responsible for protecting themselves against weakly secured IoT devices. They can do so by sufficiently researching the manufacturers and only using products with minimal hacking history, and then using smart passwords to optimize security.
If these three vulnerabilities suggest anything that users might do to protect themselves, it is first to research the device manufacturers’ security reputations, and second to strengthen passwords. Weak passwords are responsible for a large portion of cyber hacks and should be regarded very seriously. Although users do not necessarily have the power to control a device’s security infrastructure, users do have control to avoid risky devices and set highly secure passwords.