It’s no secret that consumer technology is getting smarter and making our lives easier and more convenient as time goes on. With the advent of the internet of things (IoT), seemingly every household appliance can connect to the internet nowadays. This ever-growing dependency on device connectivity within the home poses significant cybersecurity risks that many consumers don’t realize. Smart (Wi-Fi-enabled) / IoT devices focus on convenience and usability first. Because of this, security is often an afterthought or not thought about at all during development. Smart device manufacturers tend to focus on creating new devices rather than fixing issues with current devices. Because of this, even if a significant vulnerability with a smart device is discovered, there is an excellent chance that the manufacturer won’t provide an update to fix it. Smart device manufacturers expect you to buy their new products rather than keeping and using their old products. Andrew Laughlin and his team from Which?, set up a test home filled with smart devices and saw 12,807 unique scans/attacks against the smart home in a single week in June 2021. From January to June 2021, 1.51 billion IoT devices were breached worldwide (Cyrus, 2021).
Common Themes
Smart / IoT devices tend to have hard-coded passwords and control interfaces without user authentication. They use un-secure communication protocols such as HTTP instead of HTTPS and Telnet instead of Secure Shell (SSH) (West, n.d.). 58% of IoT cyberattacks leveraged Telnet (Cyrus, 2021). Telnet and HTTP send and receive data in cleartext (without encryption). Telnet and HTTP are very easily intercepted and read by attackers. Every cybersecurity professional knows that Telnet should be avoided at all costs in any production environment. There is no single reason to utilize Telnet today, but smart device manufacturers are still using this long-outdated protocol. This fact alone questions the authenticity and integrity of smart device manufacture's intentions. They clearly don't value their customer's privacy and security. The most common smart devices that are easily hackable are:
TVs
Security Cameras
Home assistant speakers (Amazon Alexa, Google Assistant, Apple Siri)
Lightbulbs
Thermostats
Cyber Risks
The most significant risk with smart / IoT devices is being spied on. Yes, cybercriminals can and do hack security cameras and microphones in people’s homes every day. Just because you don’t seem important to the world doesn’t mean criminals won’t attack you and your family. Unsuspecting targets are precisely what cybercriminals are looking for.
The second more subtle (but just as dangerous) risk you take when connecting smart devices to your home router is pivoting. Pivoting occurs when an attacker breaches one device and uses it to talk to other devices on the network. For example, a cybercriminal can hack into your smart bulb system and then pivot, or connect to, your smartphone, which is used to control the smart bulbs. A single hole inside your network can expose all your sensitive data to an attacker because everything on your home network is interconnected. Just because a smart device doesn’t store sensitive information doesn’t mean you shouldn’t worry about the security of that device. This is what makes smart devices so dangerous; they are often used to gain access to other targets on your home network containing more valuable information, such as a computer or smartphone.
Mitigations
The best way to prevent your smart home from being hacked is to not use smart devices at all. For every device you connect to your home router, the greater your chance of being hacked. Nowadays, this seems almost impractical as every new TV, videogame console, and security system requires internet connectivity for full functionality. The goal is to minimize your risk to acceptable levels. Acceptable levels vary from person to person, and what you value may be different from what someone else values. When it comes to cybersecurity, it's all about compromise. The more convenient things are, the less secure they are and vice versa. You need to decide how important it is to control your lights from your phone or for your thermostat to change temperatures automatically. For each modern luxury you add, your risk level increases.
If you do find that adding smart devices to your network is worth the risk, then follow these best practices:
Research the device manufacturer
Before spending your hard-earned money on a new spy device, ask yourself these questions:
How trustworthy is the company that makes this device?
What is their stance/policy on consumer privacy and security?
Do they frequently push updates to their devices?
How long will the company support the device?
Has the company suffered any sort of data breach?
How did they respond to previous data breaches?
How likely will they suffer another data breach?
What are the built-in security features of the device?
Put smart devices on the guest network
Most home routers give you the ability to set up a guest network. The purpose of a guest network is to segment your guest's devices from your devices. A guest network allows your guests to connect to the internet without them being able to connect to all the devices on your primary network. When you put your smart devices on the guest network, they can only communicate with each other and the internet. Not your phone, computer, videogame consoles, and anything else that resides on your primary network. This adds an extra layer of protection between smart devices and your valuable information. Obviously, your smartphone is usually the remote for most smart devices. Because of this, sometimes you won't be able to use a smart device on the guest network, but it's always worth a shot.
Change default credentials
Change the default username and password for every new device you add to your home network immediately. Default credentials are one of the leading causes of IoT device compromise.
Use two-factor authentication
Two-factor authentication is a bit of annoyance, but it dramatically decreases the chance of a compromise and should be used wherever possible.
Update devices frequently
Hopefully, you have smart devices that can update themselves automatically. Still, if not, it is essential to learn how to manually apply updates to them. If there are no updates for your device, consider getting a brand-new device altogether if possible.
Summary
Smart and Internet of Things (IoT) devices can dramatically improve our lives by adding convenience and luxury at the cost of privacy and security. But unfortunately, the more devices you have connected to your home network, the greater your chance of being hacked. So, when it comes to adding smart devices to your home, consider if you really need them or not. If you find that a smart device is essential for your life, be mindful of the manufacturer, the security features of the device, and how you connect and configure it within your network. IoT devices are common targets for hackers due to their insecurity and ability to communicate with other devices inside a smart home. As time goes on, more and more IoT devices will be breached, and everyone is at risk of being targeted. Being a little paranoid about your cybersecurity and privacy goes a long way.
References
Cyrus, C. (2021, September 17). IoT cyberattacks escalate in 2021, according to Kaspersky. IoT World Today. https://www.iotworldtoday.com/2021/09/17/iot-cyberattacks-escalate-in-2021-according-to-kaspersky/
Laughlin, A. (2021, July 2). How a smart home could be at risk from hackers. Which?. https://www.which.co.uk/news/article/how-the-smart-home-could-be-at-risk-from-hackers-akeR18s9eBHU
West, D. (n.d.). How to protect connected home devices and appliances from cyber attacks. IoT Security Foundation – The Global Home of IoT Cybersecurity. Retrieved May 27, 2022, from https://www.iotsecurityfoundation.org/how-to-protect-connected-home-devices-and-appliances-from-cyber-attacks/