Connected homes can be easy targets for hackers, says cybersecurity firm

Security-as-a-Service provider Synack tested more than a dozen connected-home devices and found that nearly all could be breached easily.

Nearly all the fancy hardware in your connected home is inherently flawed when it comes to security. That's one of the painful takeaways from a new report by Synack, a subscription Security-as-a-Service (SaaS) startup in Menlo Park, California. The company's analysis will be a rude awakening for anyone who thinks they have a bullet-proof home-security system, whether it's a DIY project or a pricey custom job.

We became aware of Synack's study on Wednesday via this Gigaom story, but we covered the relative insecurity of routers and IP security cameras nearly a year ago, and that of network-attached storage last August. Unfortunately, not much has changed since then.

To drive that point home, Synack tested 16 products in four categories: Cameras, thermostats, smoke/CO detectors, and home-automation controllers. Synack researcher Colby Moore, who put the report together, said he was able to root almost every device in less than 20 minutes. Most of the gadgets suffered from weak password policies; but collectively, there's a long list of issues, including open ports, built-in backdoors, and lack of encryption.

Cameras were the worst offenders, according to Synack's report. Of the five tested, each suffered from multiple security issues. Two, D-Link's DCS-2132L and Foscam's FI9826W, were dinged for obfuscating rather than securing data in transit. Obfuscation involves masking data in any number of ways, like scrambling letters. Unlike encryption, however, obfuscated data doesn't require a security key to decode: prying eyes need only figure out how the data was cloaked.
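To make the obfuscation-versus-encryption distinction concrete, here is a small added illustration. It is not code from the Synack report or from either camera vendor; the fixed XOR mask and the sample credential string are constructed for the demonstration, and the one-time pad stands in for a real cipher (in practice the key would be negotiated over TLS rather than being as long as the message).

```python
# Added illustration, not code from the Synack report or from the article:
# why "obfuscated" traffic is not "encrypted" traffic.
import secrets

# Constructed sample payload, the sort of credential a camera might send home.
SAMPLE = b"user=admin;pass=hunter2"

# Obfuscation as the article describes it: a fixed transformation with no key.
# Here, XOR with a constant byte baked into every unit's firmware (hypothetical).
FIXED_MASK = 0x5A


def obfuscate(data: bytes) -> bytes:
    """Mask every byte with the same constant. Reversible by anyone who knows the scheme."""
    return bytes(b ^ FIXED_MASK for b in data)


def deobfuscate(blob: bytes) -> bytes:
    """Undo the mask. No secret is needed, only knowledge of how it was cloaked."""
    return bytes(b ^ FIXED_MASK for b in blob)


# Encryption: the same XOR operation, but against a fresh random key as long as
# the message (a one-time pad). Without that key the ciphertext is uninformative.
def new_key(length: int) -> bytes:
    """Generate a cryptographically random key of the given length."""
    return secrets.token_bytes(length)


def encrypt(data: bytes, key: bytes) -> bytes:
    """XOR the message with a key of equal length."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must match the message length")
    return bytes(d ^ k for d, k in zip(data, key))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return encrypt(ciphertext, key)


def demo() -> dict:
    """Exercise both schemes and report what an eavesdropper can recover."""
    masked = obfuscate(SAMPLE)
    key = new_key(len(SAMPLE))
    ct = encrypt(SAMPLE, key)
    # A key the eavesdropper might guess; built to differ from the real one in every byte.
    wrong_key = bytes(k ^ 0xFF for k in key)
    return {
        "obfuscated_hides_text": masked != SAMPLE,
        "obfuscated_recovered_without_key": deobfuscate(masked) == SAMPLE,
        "encrypted_recovered_with_key": decrypt(ct, key) == SAMPLE,
        "encrypted_recovered_with_wrong_key": decrypt(ct, wrong_key) == SAMPLE,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The obfuscated payload looks scrambled on the wire, yet `deobfuscate` recovers it with nothing more than the scheme itself, which every unit of the product shares. The encrypted payload comes back only with the right key; the wrong key yields bytes that bear no relation to the original. That is the property the report says these cameras lacked.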

Think about that for a moment. There's an uncomfortable level of creepiness that comes from knowing a hacker could be using your cameras against you, whether it's to map out the times you come and go during the week, or to create a blueprint of possible entry and exit points by looking through your baby monitor. Ideally, Moore recommends, all communication should use bidirectional encryption.

The Control4 HC-250 system controller, sold only to custom installers, was knocked for a "history of unpatched security issues" and a "built-in unauthenticated remote management feature" (in other words, an insecure backdoor that a hacker could exploit).

It's not just about you

What's described above is a pretty sophisticated (and personal) level of attack that would require plenty of planning and a high level of risk, but it's not the only scenario. In this November blog post on hacking the home, Synack describes how a hacker can rather easily exploit seemingly trivial vulnerabilities and infiltrate thousands of IoT devices with less than a day's effort.

There's strength in numbers for whatever nefarious purposes the hacker might be cooking up, or he could simply dump the data online, revealing thousands of usernames and passwords. It's a headline that's played out multiple times each year, and as the IoT market grows, it gets closer to becoming a viable target for this kind of data harvesting. This is especially true if these devices don't start implementing better security measures, such as requiring stronger passwords.

"We've seen the trend this year, the connected home is blowing up," Moore said in an email. "At CES, nearly every device was networked. At this rate, it's only a matter of time until there is a major widespread breach or hack of personal data involving one or more IoT devices. Consumers are already hesitant but willing to take a leap of faith. So what happens when this breach occurs? It's about to make worldwide headlines and to be taken out of context. One could imagine that the IoT industry's sales and trust will be significantly impacted."

The long game: Accessing your router

Some of the concerns in Synack's report are somewhat overblown. One device was dinged for being susceptible to a supply-chain attack, where somewhere between the assembly line and a retail shelf, a ne'er-do-well could intercept and physically tamper with the device, installing malware or altering the firmware before it reaches the end user.

There's also a bit in the report about Wi-Fi jamming; but when we asked Moore if that's truly a concern for seemingly benign devices like smart thermostats, he said that for those types of products, the worst-case scenario is "temporary loss of remote functionality."

At the same time, security shortfalls in these devices still pose a risk. Let's say you're not concerned if someone hacks into your thermostat and changes the temperature. It's annoying, maybe even costly if you're away on vacation when it happens and aren't monitoring things, but you'll survive. The smart thermostat, however, isn't the real target. It's merely a stepping stone to your router.

In a follow-up blog post, Synack lays out a scenario where a hacker could upload custom firmware into a compromised consumer device, effectively turning it into a remote login platform. Now the bad guy can penetrate your home network, where it's easier to gain control of your router. Once he does that, you're in for a very bad day because he can monitor your online behavior and collect personal information, such as bank logins and email communications.

What can you do?

We asked Moore if consumers should avoid today's crop of connected-home appliances and home-automation controllers. For the most part, he said, such an extreme measure isn't necessary.

"It really depends on the consumer and their concerns. In general, I would say, no, go out there and get the newest, latest, greatest tech," Moore said. "Just be aware of the security implications and hold manufacturers to high standards. For less tech-savvy consumers that are concerned with security, purchase well-reviewed and -secured devices with a reputation for ease of use (such as Nest). There is always a risk in adopting new technology, but the benefits often outweigh it."

That doesn't mean you should be lax about security. Do the opposite: use a hard-to-guess password whether your device requires one or not. For hackers, it boils down to a numbers game; they're not after you personally, they're just looking to breach as many devices as they can. Don't let your home, connected or not, be an easy target.


Stories by Paul Lilly
