Cybersecurity researchers at the Ben-Gurion University of the Negev say they have found serious security issues in such off-the-shelf devices as baby monitors, home security and web cameras, doorbells, and thermostats. These were easily hacked into by the researchers as part of their ongoing study into detecting the vulnerabilities of the Internet of Things, internet-connected home devices and networks.
As we arm ourselves with smart doorbells, personal assistants, smartphones and ever-so-clever baby monitors, we are also increasingly exposing ourselves to the risk of our devices being taken over by criminally minded hackers. Amazon’s personal assistant Alexa creeped out owners last week when it emitted unprompted laughter. This spurred the e-commerce giant to fix the glitch, which was luckily not a hack. But the episode can be seen as a warning of things that could go wrong as we become more and more connected.
“It is truly frightening how easily a criminal, voyeur or pedophile can take over these devices,” said Dr. Yossi Oren, a senior lecturer in BGU’s Department of Software and Information Systems Engineering and head of the Implementation Security and Side-Channel Attacks Lab at Cyber@BGU. “Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products.”
“It only took 30 minutes to find passwords for most of the devices and some of them were found merely through a Google search of the brand,” said Omer Shwartz, a PhD student and member of Oren’s lab, in a statement released on Tuesday. “Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely.”
The BGU researchers uncovered several ways hackers can take advantage of poorly secured devices. They discovered that similar products under different brands share the same common default passwords. Consumers and businesses rarely change device passwords after purchasing them, so they could be operating devices that are infected with malicious code for years after, the researchers said.
The researchers were also able to log on to entire WiFi networks simply by retrieving the password stored in a device to gain network access, they said.
To address the problem, manufacturers must stop using passwords that can easily be bypassed, disable remote access capabilities, and make it harder to get information from shared ports, they said.
“It seems getting IoT products to market at an attractive price is often more important than securing them properly,” said Shwartz.
Research firm Gartner Inc. says there are some 8.4 billion connected devices used globally and they are forecast to reach 20.4 billion devices by 2020.
“IoT devices are made to last” for years, said Shwartz, as the researchers presented their findings to journalists in their lab last week. “So there is a problem.”
To help increase safety, the researchers recommended a number of steps: avoid using IoT devices at all, as they could have malware installed, but if you use them, buy only from reputable manufacturers and vendors; look up each device online to determine if it has a default password and if so, change it before installing; use strong passwords with a minimum of 16 letters, as these are hard to crack; don’t share a password among multiple devices; update the software regularly.
The researchers advised very carefully considering the benefits and risks of connecting a device to the internet.
“The increase in IoT technology popularity holds many benefits, but this surge of new, innovative and cheap devices reveals complex security and privacy challenges,” said Yael Mathov, a student who conducted the research. “We hope our findings will hold manufacturers more accountable and help alert both manufacturers and consumers to the dangers inherent in the widespread use of unsecured IoT devices.”