UK consumer organisation Which? is well known for its impartial but rigorous evaluations of all manner of products from fridges to cars, computers and toys. Recently it turned its gaze on the smart home and many won’t be surprised by its conclusions.
The company set up a real home and equipped it with smart devices from coffee makers to cameras and then unleashed a team of researchers to see what they could hack. The hackers also conducted surveillance on the home to gather information that could be used to breach the digital security of the inhabitants.
- 15 devices were in the home
- eight were found to have security vulnerabilities
- A Virgin Media Super Hub 2 router
- Home CCTV camera
- Smart children’s toy
Here are the details provided by Which?
- The router was only protected by a default password. This vulnerability led to Virgin issuing an alert to 800,000 customers to change their default passwords.
- Alarmingly, the Fredi Megapix CCTV operates over the public internet using a default administrator account without a password.
- The smart toy, a CloudPets cat, was hacked by exploiting a vulnerability that had been made public several months ago.
A couple of points to note:
- The Virgin Media router is not alone in its vulnerability – there are hundreds of routers that are poorly protected with default passwords and admin credentials.
- The same can be said for the Fredi Megapix CCTV. Vulnerabilities in these and other types of smart devices have been used to create what is known as Internet of Things botnets. The Mirai botnet is perhaps the most well-known; it was used to bring down websites in the US, including Twitter and Netflix, last year.
- Vulnerabilities in CloudPets toys have been known about for some time. However, the company appears to have done very little to address the issue.
To illustrate how the CloudPets vulnerability can be exploited, the Which? researchers hacked the toy cat to send an audio message to a voice-controlled Amazon Echo device. Echo is a smart speaker developed by Amazon.com, and via the vulnerability the researchers ordered cat food from Amazon.
Following the investigation, Which? issued a missive to smart device manufacturers, saying: “The industry must take the security of internet-enabled and smart products seriously by incorporating it as a top priority from the outset.”
Unlikely to happen
Smart devices have rapidly moved from tech-industry hype to becoming essential household devices. As evidence, it’s estimated that there will be a staggering 75.4 billion connected devices in the world by 2025, a number that far outweighs the number of traditional computing devices.
It’s unlikely that manufacturers will comply with the Which? request for security priorities. This is not because they are inherently evil, ready to sacrifice the safety of others on the altar of profit, although some might be.
Rather, from a manufacturer’s perspective there are all sorts of inhibitors, from a lack of universal security standards to a lack of in-house security expertise, tight profit margins that allow no room for further investment, and product redesign that makes products less commercially viable.
What to look out for ahead of purchase
We’re not making excuses for manufacturers, because some do secure their products well; rather, we’re just laying the reality on the line. However, you don’t have to take these things on the chin; there are some simple steps you can consider ahead of buying a smart device or two:
- Check that you can change the default password and admin credentials.
- Be aware that smart device data collection and sharing can occur via camera and microphone settings and other functions.
- Find out whether the product gathers data on you and shares it with third parties. If it does, is there an opt-out clause? If not, consider alternative products.
- Can you return the device for a refund if you find the security and/or privacy practices don’t meet your requirements?
- Check the device’s warranty and support policies and verify that security and software patches are provided for the life of the product.
- Can you modify the device settings, for instance, to stop data being shared?
Tomorrow’s technology, available today
As you can imagine, going through this process each time you buy a smart device could complicate things. And as you add these devices to your home network you might just find your hair standing on end as you consider the security implications.
At one end of your network you’ve got a router gateway that could well be vulnerable to attack (check the CherryBlossom exposé), while on the network you might have a couple of desktop PCs, several tablets and even a clutch of smartphones.
Add to this a number of smart devices that potentially are vulnerable to attack and you may understandably take the view that your network security resembles a sieve.
Keeping it safe
In the US, we have just released a product exclusively designed to protect the smart home, called Dojo by BullGuard, that addresses these issues. It’s a stand-out product that provides levels of protection usually associated with large organisations.
For instance, it deploys artificial intelligence, machine learning and cloud-based security intelligence to throw a comprehensive security blanket around the home. Yet, with the consumer in mind it is extremely easy to use and is managed via a simple ‘Pebble’ alert system and smartphone app.
- When a threat is detected, Dojo notifies the user via the smartphone app and mitigates the threat immediately. All smart devices, whether refrigerators, pacemakers, baby monitors, lighting systems and more, are protected.
- The more that Dojo familiarises itself with a home’s smart devices, the smarter it becomes in detecting abnormal activity.
- It detects and blocks threats without looking at the device or user data, ensuring user data is kept private; rather, it focuses on understanding device and service patterns, which are continuously analysed by its cloud-based intelligent platform.
So, despite the Which? organisation revealing what many people in the industry already know, that too many smart devices are frighteningly vulnerable, there is an answer to smart device security.