Smart home devices are being widely accepted and their numbers are increasing at an alarming rate. With this wide acceptance, security researchers are constantly finding vulnerabilities in the products. A new report from a team at Ben-Gurion University has come to light which reveals that these devices are very insecure and can be compromised in less than 30 minutes.
“It is truly frightening how easily a criminal, voyeur or paedophile can take over these devices,” says Yossi Oren, one of the researchers on the latest report. The team examined 15 such devices, including baby monitors, home security cameras, doorbells, and thermostats. They developed a wide range of ways hackers can access these devices and the easiest method is to simply track down the default factory-set passwords.
“It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand,” says Omer Shwartz, another researcher on the project. “Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely.”
Changing the password does not take a lot of time but several studies have found that an alarming number of people never bother changing the default passwords. A security research company found that default values were used in 15% of the devices it came across. A survey of over 1,000 remote IT workers in the US and UK discovered that 46 % of industrial professionals were still using default passwords on their wireless routers.
“Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products,” says Oren.
The researchers suggest that manufacturers secure these devices better and individuals can also do better to protect their home devices. One thing they suggest is to avoid using already used devices which can already be planted with malware before making their way to you. They also ask not to connect devices to the internet unless absolutely necessary. Perhaps the most important is to use a strong password and not using the same passwords over different devices.
“We hope our findings will hold manufacturers more accountable and help alert both manufacturers and consumers to the dangers inherent in the widespread use of unsecured IoT devices,” says Yael Mathov, another researcher on the project.
Next time you buy smart home devices, you should keep these things in mind.