Which? investigates smart homes… and isn’t happy with what it finds

UK consumer organisation Which? is well known for its impartial but rigorous evaluations of all manner of products from fridges to cars, computers and toys. Recently it turned its gaze on the smart home and many won’t be surprised by its conclusions.

The company set up a real home and equipped it with smart devices from coffee makers to cameras and then unleashed a team of researchers to see what they could hack. The hackers also conducted surveillance on the home to gather information that could be used to breach the digital security of the inhabitants.
  • 15 devices were in the home
  • eight were found to have security vulnerabilities
These included:
  • A Virgin Media Super Hub 2 router
  • Home CCTV camera
  • Smart children’s toy
Here are the details provided by Which?
  • The router was only protected by a default password. This vulnerability led to Virgin issuing an alert to 800,000 customers to change their default passwords.
  • Alarmingly the Fredi Megapix CCTV operates over the public internet using a default administrator account without a password.
  • The smart toy, a CloudPets cat, was hacked by exploiting a vulnerability that had been made public several months ago.
A couple of points to note:
  • The Virgin Media router is not alone in its vulnerability – there are hundreds of routers that are poorly protected with default passwords and admin credentials.
  • The same can be said for the Fredi Megapix CCTV. Vulnerabilities in these and other types of smart devices have been used to create what are known as Internet of Things botnets. The Mirai botnet is perhaps the best known; it was used to bring down websites in the US, including Twitter and Netflix, last year.
  • Vulnerabilities in CloudPets toys have been known about for some time. However, the company appears to have done very little to address the issue.
To illustrate how the CloudPets vulnerability can be exploited, the Which? researchers hacked the toy cat to send an audio message to a voice-controlled Amazon Echo device. Echo is a smart speaker developed by Amazon.com, and via the vulnerability the researchers ordered cat food from Amazon.
Following the investigation, Which? issued a missive to smart device manufacturers, saying: “The industry must take the security of internet-enabled and smart products seriously by incorporating it as a top priority from the outset.”

Unlikely to happen

Smart devices have rapidly moved from tech-industry hype to becoming essential household devices. As evidence, it’s estimated that there will be a staggering 75.4 billion connected devices in the world by 2025, a number that far outweighs the number of traditional computing devices.

It’s unlikely that manufacturers will comply with the Which? request for security priorities. This is not because they are inherently evil, ready to sacrifice the safety of others on the altar of profit, although some might be.

Rather, from a manufacturer’s perspective there are all sorts of inhibitors: a lack of universal security standards, a lack of in-house security expertise, tight profit margins that allow no room for further investment, and product redesign that makes products less commercially viable.

What to look out for ahead of purchase

We’re not making excuses for manufacturers, because some do secure their products well; we’re just laying the reality on the line. However, you don’t have to take these things on the chin. There are some simple steps you can consider ahead of buying a smart device or two:
  • Check that you can change the default password and admin credentials.
  • Be aware that smart device data collection and sharing can occur via camera and microphone settings and other functions.
  • Find out whether the product gathers data on you and shares it with third parties. If it does, is there an opt-out clause? If not, consider alternative products.
  • Can you return the device for a refund if you find the security and/or privacy practices don’t meet your requirements?
  • Check the device’s warranty and support policies and verify that security and software patches are provided for the life of the product.
  • Can you modify the device settings, for instance, to stop data being shared?

Tomorrow’s technology, available today

As you can imagine, going through this process each time you buy a smart device could complicate things. And as you add these devices to your home network you might just find your hair standing on end as you consider the security implications.

At one end of your network you’ve got a router gateway that could well be vulnerable to attack (check the CherryBlossom exposé), while on the network you might have a couple of desktop PCs, several tablets and even a clutch of smartphones.

Add to this a number of smart devices that are potentially vulnerable to attack and you may understandably take the view that your network security resembles a sieve.

Keeping it safe

In the US, we have just released a product exclusively designed to protect the smart home called Dojo by BullGuard that addresses these issues. It’s a stand-out product that provides levels of protection usually associated with large organisations.

For instance, it deploys artificial intelligence, machine learning and cloud-based security intelligence to throw a comprehensive security blanket around the home. Yet, with the consumer in mind, it is extremely easy to use and is managed via a simple ‘Pebble’ alert system and smartphone app.
  • When a threat is detected, Dojo notifies the user via the smartphone app and mitigates the threat immediately. All smart devices, whether refrigerators, pacemakers, baby monitors, lighting systems or more, are protected.
  • The more that Dojo familiarises itself with a home’s smart devices, the smarter it becomes in detecting abnormal activity.
  • It detects and blocks threats without looking at the device or user data, ensuring user data is kept private. Instead, it focuses on understanding device and service patterns, which are continuously analysed by its cloud-based intelligent platform.

So despite the Which? organisation revealing what many people in the industry already know (too many smart devices are frighteningly vulnerable), there is an answer to smart device security.
 
Filed under: IoT

Written by Steve Bell

Steve has a background in IT and business journalism and in the past has written extensively for both the UK national and trade press including The Guardian, Independent-on-Sunday, The Times, The Register, MicroScope and Computer Weekly. He's also worked for most of the world's largest IT companies in a copy and content producing capacity. He has a particular focus on IT security and has been involved in writing about the industry at various levels ranging from magazine launches to producing newsletters. He also runs a small copy writing business called Art of Words. When not bashing away at a keyboard he can sometimes be found in a boxing gym making futile efforts to keep fit or marveling at the works of Sufi poets such as Jalaluddin Rumi and Hafiz of Shiraz.
