How secure are your smart home devices?

Many of us are filling our houses with smart home gadgets, but are we signing away our safety?

Published: March 20, 2019 at 12:00 am

Many of us are buying smart home devices, but are we signing away our safety? We asked security expert Ken Munro about who you can trust, who might be after your data, and why anybody would want to hack your smart home.

What risks come with smart gadgets?

The number one risk is invasion of privacy. If you’ve got smart cameras, or any device that’s listening to you, there’s a chance those can be hijacked and you can get spied on. We [my company, Pen Test Partners] found vulnerabilities in in-house security cameras, baby monitors and smart home assistants.

We looked at an interactive kids’ doll that has a microphone and speaker, and connects to your phone via Bluetooth. When you connect to the doll there is no PIN, which means that anyone within Bluetooth range, 30, 40, 50 metres away, can connect. That means that someone outside on the street or in the next house can listen to the microphone and spy on your kids, and can talk to them as well.

We’ve also documented cases of people being stalked through smart tech: there was a case with a video doorbell last year where an ex-partner was monitoring someone’s every movement. One of the challenges with that is that there’s no way to know it’s happening.

Things get really freaky when your home gets hijacked. We showed, a few years ago, the very first case of ransomware being loaded onto a smart thermostat.

It’s all about a loss of control. You lost control of your heating system, so what? But what if that was your car? What if that was a life support system? That’s where things get scary.

What if it’s your smart door locks and you can’t get in or out of your own house? One smart lock vendor’s systems crashed, and people couldn’t get into their houses – and that wasn’t even hacking, it just crashed.

In other cases, a combination of devices can make your home vulnerable. Amazon Echo, for example, is pretty secure. But other things around your home can allow people to take control through the Echo.

Google Chromecast has a bug in it that they’re now fixing, four years after it was found, that allows someone to drive past your house, connect to your Chromecast with a little bit of clever hacking, and cast a YouTube video that says things to your Echo, like ‘Alexa, turn off the lights’.

What’s the point of these attacks?

Sometimes people just do it because they can. You’re just a system on the internet, and someone thinks it’d be fun to mess around with your home.

But there are also cases where people might be trying to achieve more. We speculate that if you attack lots of people’s thermostats concurrently you can cause power spikes and knock over the electricity grid.

Are smart gadgets regulated in any way?

There’s nothing yet, but the EU is making great leaps forward. In the UK we’ve got the promise of regulations from the Department of Culture, Media and Sport. In California, regulation comes into force in 2020.

The problems we keep finding are basic things, so we need just basic controls around not having back doors that hackers can exploit, keeping software up to date so it doesn’t become vulnerable, and helping consumers secure themselves – not letting people set silly passwords, for example. We need consumer efforts, manufacturer efforts and regulator efforts. We need a bit of everything.

What should we look for when we’re buying smart home tech?

The better-known brands are actually very secure – Amazon and Google by and large have their security sorted. Big brand names have a huge incentive to get it right to protect their reputation.

The problem comes from the new entrants to market, the start-ups. That’s when security gets a bit more random. We’ve seen some excellent security in start-ups and new entrants, but we’ve seen some horrific security, and it’s difficult for the consumer to know which product is going to be good and which product is going to be bad.

How can we protect ourselves?

First of all, when buying a product, ask yourself if you need it. Are you willing to gamble your privacy for the sake of being able to turn something off and on remotely? There are some fantastic smart products out there that, for example, allow you to be more efficient with your energy.

So if you decide you need it, make sure you set up a strong password for it, and don’t use the one you use somewhere else. Write it down somewhere privately, or use a tool called a password manager that does it all for you.

Lastly, keep everything up to date. When updates come out for your computer, your phone, or your apps, they’re there to fix security flaws, so if you don’t apply them, your product is becoming more vulnerable.

Ken works at Pen Test Partners, a firm that researches and tests the security of ‘smart’ devices.

Private life

Want to get smart and stay secure? BBC Science Focus editorial assistant Helen Glenny picks out a few of the best smart gadgets to help you enjoy the benefits of a connected home without risking your safety.

1

Amazon Echo
£69.99, amazon.co.uk

Amazon has “pretty much got it nailed” when it comes to security, according to security expert Ken Munro (see interview above). Moreover, a big company like Amazon has a reputation on the line, so you’re more likely to get your privacy concerns addressed than if you went with a new start-up. They’ve even been asked to hand over Alexa recordings to a judge in a murder case, but won’t do so “without a valid and binding legal demand properly served on us.” Security-wise, they’ve got your back.

2

PHILIPS AVENT SCD630/26 VIDEO BABY MONITOR
£170, Philips.co.uk

Baby monitors have been hacked by criminals, allowing footage from the devices to be streamed online. This one randomly changes the frequency the monitor is using to communicate, making it harder to hack.

3

DARKMATTER KATIM
£TBA

Touted as the world’s most secure smartphone, the Katim is named after the Arabic word for silence. You can flick a switch to immediately turn on ‘shield mode’, which physically disconnects power from all recording services, like your phone’s microphone and cameras.

4

NEST LEARNING THERMOSTAT 3RD GEN
From £219, nest.com

Nest was acquired by Google in 2014. This means it now falls under Google’s Vulnerability Reward Program, where researchers get money for finding flaws in their services. All third-party devices that work with Nest are subject to a rigorous certification process.

5

ASUS RT-AC88U WIRELESS ROUTER
£269, asus.com

This is one of the most secure wireless routers on the market. It has no default passwords (an easy target for hackers), it automatically detects vulnerabilities in your network, lets you set up parental controls, and identifies malicious sites before you’ve reached them.

  • This article was first published on BBC Science Focus in March 2019
