Your living room is vulnerable to cyber attacks

A Kaspersky Lab researcher hacked his own home and found a number of serious security concerns.

At the Black Hat security conference in Las Vegas earlier this month, researchers demonstrated how a Nest thermostat can be hacked, to show how easily connected appliances--the household technologies that make up the Internet of Things--can be compromised. When you look beyond the demo's hyperbolic headlines, it turns out the hack requires physical access to the Nest device, but the question remains, "How vulnerable is IoT?"

To find out, David Jacoby, a security researcher with Kaspersky Lab, hacked his own living room.

In a blog post detailing the exercise, Jacoby describes the array of connected devices in his home. He has two different NAS (network-attached storage) units, a smart TV, satellite receiver, printer, and the router from his Internet provider. Aside from the NAS units, it's all technology you can find in just about any house.

Jacoby identified 14 vulnerabilities just in the two NAS units, one in the smart TV, and several concerning issues with his Internet router. He found remote code execution flaws and weak passwords on the NAS devices, a potential for a man-in-the-middle attack on unencrypted traffic between the smart TV and the TV vendor's servers, and hidden backdoors in the router designed to let the Internet provider's support personnel remotely access any device on the private network.

The results are concerning. It took Jacoby less than 20 minutes to find and verify extremely serious vulnerabilities that expose his home to significant risk. He explained, "Individuals and also companies need to understand the security risks around connected devices. We also need to keep in mind that our information is not secure just because we have a strong password, and that there are a lot of things that we cannot control."

Unfortunately, securing IoT devices is a bigger challenge in many cases than patching and securing traditional computing devices. Many IoT technologies lack any sort of direct user interface, so you are dependent on the vendor to make it as secure as possible off the shelf and to deploy updates in a timely manner when flaws are discovered.

There are a few things you can do yourself, though. Jacoby says users should keep devices that do offer firmware and security patches up to date. He also stresses that all default passwords should be changed. Finally, Jacoby recommends exploring more advanced features in some routers that will enable you to restrict access so that only designated devices on your network are allowed to connect to the network or access other resources.


Stories by Tony Bradley
