Homes today are increasingly becoming connected as more and more people use devices aimed specifically at making our lives easier. However, while connected devices can make daily chores more convenient, they can also be a doorway for hackers.
A few months ago, a team of researchers set out to find out how easy it would be to hack Internet of Things devices in the home, from doorbells to baby monitors to security cameras.
The results were a stark wake-up call: One of those involved in the study said it was “frightening” how easy it would be for someone with ill intent to take over devices.
It took less than 30 minutes to get into some of the off-the-shelf devices, with a simple Google search for default passwords enough for the researchers to gain access.
Similarly, a host of ingenious attacks have been devised for, to give one example, Amazon Echo, Amazon’s brand of smart speakers. From turning early versions of the Echo into a bugging device by attaching an SD card reader and then manipulating it for various malign reasons (admittedly not a straightforward hack) to asking the Alexa personal assistant to unlock the front door, there are multiple potential vulnerabilities.
As these few examples show, the consequences of a hack could be serious indeed, from letting thieves enter a home, to allowing voyeurs to spy on residents, to causing a thermostat to make a house overheat and possibly catch fire. Also, accounts linked to devices could be hacked.
The subject throws up myriad issues: how seriously device manufacturers are taking security; what action governments should take to protect consumers; whether governments are even capable of regulating the sector; whether consumers are ultimately responsible for protecting themselves.
Few people have looked into the security of connected devices in the home in greater depth than Dr Abdullahi Arabo, a senior lecturer in computer networks and mobile technology at the University of the West of England Bristol in the United Kingdom. As well as writing academic papers on the subject, he has developed security frameworks for the private sector.
In his view, many companies offering connected devices are not investing in security in the way they should be.
“They don’t care about cybersecurity. They only care about profit – that’s my concern every time a new device appears,” he says.
“It’s the last thing on their agenda and they don’t want to spend money on it. The only concern is to have the devices ready and sell them and make money and that’s it. They have little or no budget for security.”
Such concerns are shared by Professor Miguel Rio, a professor of computer networks in the Department of Electrical Engineering at University College London.
“There are lots of products on the market without the proper security framework or being certified. These are dangerous,” he says.
Although some manufacturers, such as Amazon, are seen as more reliable in security terms, the multiple hacks demonstrated for Amazon Echo show that none is immune. And in any case, not everyone can afford the big-name brands with a better reputation. Could stricter regulation ensure that a good minimum security level is applied across the board?
The situation is “moving much faster than governments can keep up with,” says Rio, so developing a robust regulatory regime is no easy task. Drawing parallels with other types of devices, Rio expects, however, that in time the IoT landscape will settle, making regulation easier.
“Smartphones, they’ve been pretty stable for the last five years. We know how the ecosystem works. Once the main players get the main ecosystems stable for their homes, there’s a possibility for telecoms regulators to get into rolling out regulations,” he said.
Ollie Whitehouse, global chief technology officer of the UK-based information assurance company NCC Group, which has more than 35 offices globally, including one in Dubai, said improvements at the design stage are already being seen.
“Embedding security within the manufacturing process is becoming more common within the industry, with many adjusting defences to keep devices secure, but there is a long way to go,” he says.
Whitehouse calls for an ongoing dialogue between manufacturers, regulators and consumers when it comes to expectations, and between manufacturers and the security industry when it comes to best practice.
Regulating devices in the home, suggests Rio, is more problematic than doing so for IoT products used in other arenas. So perhaps the onus will remain on consumers to ensure their home devices – and remain safe.
“There are other things like transport, cities, workplaces – these are more easy to regulate because they’re in a public space,” says Rio.
“If you want to put sensors on trains or planes, there are regulations looking at that. The home is your castle, so it’s much more up to you. These are very challenging times for devices, and security is the main thing.”
What consumers can do
When it comes to the security of Internet of Things (IoT) devices in the home, there are numerous measures consumers can take.
Ollie Whitehouse, global chief technology officer of NCC Group, says there are “simple habits” that should not be forgotten.
Echoing the comments of other specialists, he advises consumers to buy devices from reputable manufacturers and vendors.
“Consumers can be swayed by cheaper models, but it’s most likely that these won’t have the right level of security needed to keep your personal information safe,” he says.
“A number of very large high-profile vendors are able to invest in security due to their understanding and ability. However, for the most part, vendors are not.”
Brands often considered to be more reliable in security terms include Google, Amazon and Apple.
“Apple, for example, is very tough. All the information goes through Apple, so the devices are not freely connected to the outside world. That gives it, I wouldn’t say guarantees, but [it makes it] much more robust,” says Professor Miguel Rio, a professor of computer networks in the Department of Electrical Engineering at University College London.
“As consumers, in my opinion we should be trying to pay a bit more for our devices – not go to eBay or Amazon and buy a cheap device. That can be problematic.”
Whitehouse says businesses and brands should encourage customers to practice good security hygiene by regularly updating software and passwords, having antivirus software in place and being vigilant about how they are using devices. Simple steps, but often forgotten.
Also frequently neglected is the device manual, but Whitehouse advises buyers to ensure that they read it thoroughly to understand the security configurations embedded in the device.
This can ensure that basic security measures, such as changing default passwords, are not forgotten. It will also highlight additional controls that are not enabled by default, but which improve security and privacy if used.
“All of this then needs to be supported by a secure perimeter to the home network – your router. This is incredibly important, because if a home router is compromised, all of the devices to this network will be at the mercy of the hacker,” says Whitehouse.
In terms of a WiFi connection, Whitehouse advises only using WiFi Protected Access II (WPA2) and choosing a robust password.