Smart home hacking is easier than you think

Scary stories of hacking Internet of Things devices are emerging, but how realistic is the threat?

Last March, a very satisfied user of the Honeywell Wi-Fi Thermostat left a product review on that shed some light on an unexpected benefit of the smart home -- revenge.

The reviewer wrote that his wife had left him, and then moved her new lover into the home they once shared, which now featured the Honeywell Wi-Fi thermostat. The jilted ex-husband could still control the thermostat through the mobile app installed on his smartphone, so he used it to make the new couple's lives a little less happily ever after:

"Since this past Ohio winter has been so cold I've been messing with the temp while the new love birds are sleeping. Doesn't everyone want to wake up at 7 AM to a 40 degree house? When they are away on their weekend getaways, I crank the heat up to 80 degrees and back down to 40 before they arrive home. I can only imagine what their electricity bills might be. It makes me smile. I know this won't last forever, but I can't help but smile every time I log in and see that it still works. I also can't wait for warmer weather when I can crank the heat up to 80 degrees while the love birds are sleeping. After all, who doesn't want to wake up to an 80 degree home in the middle of June?"

In the past year, more than 8,200 of the 8,490 Amazon users who have read the review deemed it "useful."

Colby Moore, a security research engineer at security firm Synack who has tested smart home products for vulnerabilities, says some of these products still feature the kinds of inherent vulnerabilities similar to the one described in that review. And even some of the devices that are capable of resetting users or credentials fail to make it simple enough for the everyday consumer.

"I would say on leading products, you can reset users, you can reset credentials and things like that," Moore says. "The problem is that some of this stuff starts to get kind of technical, and I think that's where a lot of these vulnerabilities come down, at least currently. The manufacturers don't design them securely, and rely on the end user to secure them."

For example, many customers don't even think to change passwords on smart home devices because they may not even consider them technology products that can be hacked like a PC. That's how more than 73,000 internet-connected cameras were found to be streaming their footage on the web in November. Customers never changed the default passwords, many of which are available online as basic product information, and unwittingly allowed hackers to stream the private footage from cameras that they had initially purchased to feel safer.

Many companies in the Internet of Things and smart home market are taking security seriously, Moore says. Specifically, Moore says Nest products, including the connected thermostat and the Dropcam camera, are very difficult to hack outside of a lab setting.

A lot of the lower-end smart home products, however, make it to the market rife with vulnerabilities. One example Moore cited was the Foscam camera, which is one of the least expensive on the market and which Moore says is "super prevalent."

"There are oftentimes directory traversal vulnerabilities that let you read out kernel memory and dump passwords and things like that," Moore says. "So essentially what that's saying is you can go out there, find someone's camera [on the] internet, and have remote access to it without knowing the credentials."

In another case, Moore says Synack researchers tested a smart home security system, the kind typically for sale at a "do-it-yourself kind of home store," and were able to disable it, enter the home, then re-activate the system again once they left.

"The alarm would never go off, and when the user came back it would appear that nothing happened," Moore says.

Moore says there is potential for hackers to start packaging attacks targeted at smart home products and distributing them on a wide scale. Although he hasn't seen it in the market yet, Moore says it is "very plausible" that attackers could begin selling pre-packaged smart home attacks on the black market, similarly to how some PC malware attacks are sold, enabling even the less-skilled criminal to exploit cybersecurity vulnerabilities in the smart home.

"One thing I have seen or have heard about is people out there scanning their local IP space and finding IP cameras within people's homes, garages, or outside their house, and being able to watch the inhabitants and see when they're home and deduce their pattern of life -- if you know someone's pattern of life, you know when they're not going to be home -- and using these cameras and intel to rob someone's house intelligently," Moore says. "So I certainly can perceive that someone can package up a very nice utility to go out there and look for cameras local to you and use it as a robbery tool."

Another potential distribution method is by altering the products themselves. If attackers can access the devices before they are sold -- by tampering with inventory or even by purchasing a connected camera and returning it to the store with malware pre-loaded onto it -- they will be able to control them as soon as the user installs them.

To test this approach, Moore says Synack researchers purchased several popular IP cameras, altered the hardware, and re-packaged them with a shrink wrapper they purchased on eBay. When they asked their co-workers around the office to distinguish between a brand new product and the one they had altered and re-packaged, they found that no one could see a difference, Moore says.

"So I think that really is a true avenue that an intelligent hacker can use, especially in rich neighborhoods or rich areas where targets might exist," he adds.

Moore says that the higher-end smart home products are being designed with security in mind, and as the market matures, he expects the rest of the products to eventually follow suit. However, security standards for the Internet of Things are still a work in progress, so for the time being, consumers may still find themselves exposed to these vulnerabilities.

"A co-worker put it to me the other day, 'we have the technology for air bags, and we're mandated to put them in our cars,'" Moore says. "We have the technology for good security for these Internet of Things products, but no one is telling anyone or forcing them to put it in. So manufacturers, if they chose to, they could do these things right. The technology is available. They just aren't doing it yet."

Join the CSO newsletter!

Error: Please check your email address.

Tags amazon.comsecurityHoneywell

More about Amazon.comCustomersDropcameBayHoneywellNest

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Colin Neagle

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place