Almost a quarter (23%) of Britons have at least one smart home device (YouGov), and global revenue for the sector is predicted to hit $9bn this year (Statista). It’s tempting to think that a password or two might be all that’s needed to lock up our information, but with the average house home to an array of smart devices like security cameras, smart locks, virtual assistants and more, how secure and private are you really?
Cyber criminals don’t just limit themselves to huge conglomerates and corporate entities. They’re always watching out for any opportunity to cash in on our personal goldmines – be it financial information, identity theft, cyber extortion or cryptojacking. If you don’t secure your smart devices, you’re leaving yourself open to opportunists, and the real-life implications can be huge. Here’s what hackers can do, how they do it, and how to protect against it.
Smart devices explained
Smart home devices (also known as Internet of Things devices) are, quite simply, anything that ‘connects’ to your home network (often via WiFi). There are lots of examples of smart devices on the market, from smart doorbells and security cameras you might have dotted around your property (think the Amazon Ring), to AI-supported smart speakers like the Amazon Echo, Google Nest or Apple HomePod. And it’s not just limited to the adults anymore: kids’ toys, baby monitors, media players and more could be at risk of attack. Even devices like smart bulbs, plugs and switches could be a target.
Whatever the case, there are many well-documented examples of hacks carried out on a range of smart devices – both in the home, and beyond. These can be carried out by anyone, any time, anywhere. And that’s not the worst of it. Many people buy smart device ‘copycats’ from smaller companies to save on cash, without realising that these might not be subject to the same regulations or built to the same standards as those from bigger corporations. Ultimately, this can mean they’re less secure and more open to attack, with concerns like insecure communication, or local malicious actors capturing your data – which is a particular concern for larger businesses with multiple devices connected over a network.
How hackers get your information
Like anyone, hackers can be good or bad, using their skills for the right or wrong reasons. But how do they actually find you in the first place?
Bad actors typically use things like Google dorking (leveraging search engines) to sweep the internet for well-known camera services or brands that have known vulnerabilities, a history of breaches, or are known to be ‘open’, or may use websites like insecam.org to uncover live, insecure cameras. Many devices also have weak local security, and assume that if you’re on the same network, you can be trusted.
Hackers can also try other means, like accessing your Google account to view your Nest cameras, or attacking a small company’s website to compromise their devices.
Whatever they use and however they gain access, the most frightening bit is what they can do once they’re in.
The risks of unsecured devices
Even the most innocuous of smart devices – like a baby monitor – can be used to glean personal information about you. Here are some ways hackers can use your devices against you:
Sharing your WiFi connection or connected devices with others
Accessing personal information through audio or visual inputs – like overhearing a conversation about your bank or spotting a statement lying around your house
Using smart locks or security cameras to gain physical entry to your home – potentially seeing when you’re out, then unlocking your front door
Stealing information to use against you, or for fraudulent purposes
Using a hacked device to get a ‘computer’ in your network, which can then be used to attack, control or infect other devices without your knowledge (botnets)
Security fixes, tricks and troubleshooting
Boosting your cyber security should be as important as locking your front door every night. And, thankfully, there’s lots you can do to stay protected. Here are some of our suggestions:
‘Map out’ your attack surface: List the smart devices you have in your home. This can help give you an idea of what’s putting you at risk.
Consider your connection: When choosing a smart device, you could consider connecting it to local services first (such as a mobile app on the same network, or Bluetooth) instead of your internet. These might be less convenient to use, but they have a smaller attack surface.
Set a strong WiFi password: Most routers come with a strong password already set, but you could consider changing it for extra security. We’ve covered ideas for setting a strong password in a previous blog. It goes without saying that you shouldn’t share passwords with anyone you don’t trust, and if you’ve shared a password previously, consider if that person still needs access.
Protect cloud services and devices: Use strong, unique passwords for these. Cloud services can include things like Google and Amazon, as well as CCTV, while any connected device should have a password set if possible, especially for administrator access.
Segregate your networks: To be super secure, create separate networks for visitors and your household, with controls around what devices are a) visible and b) accessible. Many routers offer a guest network which you can enable by logging into the router’s web interface on your browser. You’ll then be able to name the guest network, set a password and even control the speed of the connection. Professional routers often have more controls for segregation, however their use in the home is rare, as most households will use the router provided by their internet service provider.
Don’t forget the kids: Kids are more tech-savvy than ever, but thankfully, there are lots of safeguards and fixes you can try for smart toys. Some of these might already be covered in individual instruction and set-up manuals, but to be extra secure, you could set some simple controls in place, such as locking down or restricting internet access on toys which use a browser.
Always buy from reputable companies: Being in the public eye, and often with large investment behind them and a reputation to uphold, companies like Apple, Amazon and Google are generally more secure than lesser-known names. All this goes beyond the physical device itself, and into the way the associated service is run, because many smart devices (like security cameras) are linked to a cloud network. You need to be able to trust that whoever’s running your service is using proper security controls (like firewalls) and storing or processing your information safely.
Check your devices’ configurations: For example, ensure they can only be detected on your own network, that unused features are turned off and that any accounts you have connected to them have unique passwords. Again, instruction and set-up manuals can be of help here.
Follow expert advice: We often report on threats and vulnerabilities that our Swarm has uncovered, like the zero-day vulnerability in the Java Spring Framework, which was found to be used in many smart devices, from gateways to routers.
Patching: Ensure devices are patched. Many devices support over-the-air updates, but these may not always be turned on by default.
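The device list and configuration checks suggested above can be kept as a simple inventory and compared with what is actually on your network. The following is an added example, not part of the original article: it reads constructed `ip neigh` output (the neighbour table on a Linux machine) and a hand-written inventory, then reports devices that are missing from the list or fail one of the checks. The addresses, device names and inventory field names are assumptions made for illustration.

```python
import re

# Constructed sample of `ip neigh` output from a home network (not real data).
SAMPLE_NEIGH = """\
192.168.1.10 dev wlan0 lladdr 02:00:00:aa:bb:01 REACHABLE
192.168.1.23 dev wlan0 lladdr 02:00:00:aa:bb:02 STALE
192.168.1.57 dev wlan0 lladdr 02:00:00:aa:bb:03 REACHABLE
192.168.1.99 dev wlan0 FAILED
"""

# Hypothetical hand-written inventory keyed by MAC address (field names are assumptions).
INVENTORY = {
    "02:00:00:aa:bb:01": {"name": "doorbell camera", "unique_password": True,
                          "auto_update": True, "unused_features_off": True},
    "02:00:00:aa:bb:02": {"name": "smart plug", "unique_password": False,
                          "auto_update": False, "unused_features_off": True},
}

# Checks taken from the tips above: unique passwords, updates on, unused features off.
CHECKS = {
    "unique_password": "password is reused or still the default",
    "auto_update": "automatic updates are turned off",
    "unused_features_off": "unused features are still enabled",
}

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17}) ", re.I)

def parse_neighbours(text):
    """Return {mac: ip} for neighbour entries that have a resolved MAC address."""
    seen = {}
    for line in text.splitlines():
        match = NEIGH_RE.match(line)
        if match:  # entries without a MAC (e.g. FAILED) are skipped
            seen[match.group(2).lower()] = match.group(1)
    return seen

def audit(neigh_text, inventory):
    """Return (ip, mac, issue) for unlisted devices and listed devices failing a check."""
    findings = []
    for mac, ip in sorted(parse_neighbours(neigh_text).items()):
        device = inventory.get(mac)
        if device is None:
            findings.append((ip, mac, "not in inventory"))
            continue
        for field, problem in CHECKS.items():
            if not device[field]:
                findings.append((ip, mac, f"{device['name']}: {problem}"))
    return findings

if __name__ == "__main__":
    for ip, mac, issue in audit(SAMPLE_NEIGH, INVENTORY):
        print(f"{ip:15} {mac}  {issue}")
```

A device reported as not in the inventory is not necessarily hostile; it is a prompt to identify it, then either add it to the list or remove it from the network.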
The biggest takeaway is to really think about the implications of bringing devices into the home or workplace. While they aren’t inherently bad, they could be used against you – and not just by hackers looking for a back door into your network, but by potentially insecure companies, malicious internal actors, and services that might be processing your information.
Trust CovertSwarm for relentless cyber security
We’re outpacing cyber threats at CovertSwarm. We think, act and adapt just like an attacker to expose weaknesses and keep your information safe. We work relentlessly to crack your systems and devices, helping to find – and fix – hidden vulnerabilities before the hackers do. It’s the most effective way to protect yourself in the cyber landscape, because in the online world, defence really is your best offence.
For help, advice or to contact us, reach out to the Swarm today.