5 steps to keep your smart home from being hacked

Security researchers needed just 5 to 20 minutes to hack most smart-home devices. Learn how to keep real hackers at bay.

Buying a used Nest could be a bad idea. Criminals could install custom firmware that enables them to compromise a host of other devices on your home network

Consumers who outfit their homes with home automation devices without considering security may be inviting hackers and thieves inside.

Repeatedly, studies have revealed that devices designed to automate the home have serious vulnerabilities. Many devices have weak password policies and do not protect against man-in-the-middle attacks, according to an HP survey of 10 off-the-shelf home security systems. Others do not prevent access to the device's debugging interface, which could allow easy hacking of the device, according to an April study by code-security firm Veracode. And, if an attacker is able to gain access to the device, almost all devices could be easily compromised and turned into a Trojan Horse, according to a study by security firm Synack. In fact, it only took between 5 and 20 minutes to find a way to compromise each device, once the researchers unpacked the hardware.

"These companies are really pushing to get a product to market to really compete in this Internet of things boom, but they don't have a security guy on their team, so there is a lot of small stuff being overlooked," says Colby Moore, a security research analyst for Synack. "The majority of companies are ignoring the basics."

By the end of the year, about 2.9 billion consumer devices will be connected to the Internet, according to market researcher Gartner. While the Apple Watch may be the best-known device among the Internet of Things menagerie, many of the "things" that you will connect in the future will be part of your home. Unfortunately, the rush to deliver home automation capabilities to users has resulted in poorly secured systems creating additional avenues of attack for online miscreants.

"It's hard to not be excited about what the IoT has enabled and will bring in the future, although that doesn't mean cybersecurity should be sacrificed in the process," Brandon Creighton, Veracode's security research architect, said in a statement.

Security firm Synack, for example, tested cameras, thermostats, smoke detectors, and home-automation controllers, looking for security vulnerabilities. The company considered four scenarios that could impact consumers: an attacker breaks in and has two minutes with the home's devices, a thief steals a person's mobile phone, an eavesdropper in a cafe monitors the victim's Internet sessions, and a more advanced attacker manages to modify a home-automation device before a victim purchases it.

Each device had security shortcomings. Consumers' desire to control their home from their smartphones, for example, means that losing the phone can have significant consequences for home security. In addition, many products do not use encryption at all.

"I can't say that I was shocked, but it was pretty shocking," Moore says.

For those consumers embarking on a journey into home automation, here are some mostly simple steps to protect the devices as much as possible.

Lock down the router

Routers are the digital doorway to the home, and a poorly-secured router can allow an online attacker easy access to all the home automation devices in your network. In May, for example, security firm Incapsula found that a group of attackers had turned routers with default passwords into a botnet that they then used to take down Web sites using a denial-of-service attack.

Users should invest in a router with a good security track record, change the default admin password, and keep the router running the most current firmware.

Prevent tampering with devices

Getting two minutes with devices in the home did not give the attacker enough of a window to modify the devices, according to security firm Synack's study. Devices with a USB update mechanism, however, were vulnerable to quick compromise.

Home users should put devices in places where untrusted people cannot easily access them, with particular emphasis on devices with a management port.

Go with a cloud service

Cloud services designed to help a consumer manage home-automation devices, such as Vivint, ADT, or a similar service provider, typically cost money and can open up privacy and security issues if not properly secured. Yet, for most situations, the service provider does a better job securing the service than a home user can. If you do not use a cloud service, you will be responsible for checking the security of the systems yourself.

So consumers should shell out the cash to make their home automation more convenient and more secure at the same time. However, users do need to pick a complex password and should also ask about two-factor authentication, which adds another layer of security to accessing the account.

Update the devices

Many of the developers creating the software for home-automation products are relative novices when it comes to security. David Jacoby, a security analyst with Kaspersky Lab, attempted to hack his home and found a number of simple vulnerabilities in his home storage product that gave him a beachhead into the network.

"The developers have the excuse that they are not security people," he says. "But we need to get the vendors to patch the vulnerabilities that they learn about."

Because so much security functionality needs to be improved, applying updates is a critical step to ensuring home-automation devices remain secure from the simplest attacks, he said.

Go with a name brand

A company that is just dabbling in home automation will not take the security of its products seriously. Consumers should focus on companies that have committed to their products and the security of those products, says Synack's Moore.

"You want someone who has been around, someone with a reputation," he said. "At least they will stand behind their product and push out updates."

Synack's testing concluded with a positive recommendation of Nest thermostats and home automation equipment. Of course, the study was sponsored by Nest, now part of Google. Hive, a home-automation integrator, also did well in Synack's tests, according to a presentation on the study. SmartThings, which grew out of a 2012 Kickstarter project, garnered the best performance in Veracode's study.

Stories by Robert Lemos