Off-the-shelf smart devices such as baby monitors and home security cameras, can be easily hacked by criminals, say scientists who found disturbing vulnerabilities of devices and networks used in smart homes and Internet of Things (IoT). The researchers disassembled and reverse engineered many common devices and quickly uncovered serious security issues.
“It is truly frightening how easily a criminal, voyeur or paedophile can take over these devices,” said Yossi Oren, senior lecturer at Ben-Gurion University of the Negev (BGU) in Israel. “Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products,” said Oren. “It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand,” said Omer Shwartz, PhD student and member of Oren’s lab.
“Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely,” said Shwartz. The researchers discovered several ways hackers can take advantage of poorly secured devices. They discovered that similar products under different brands share the same common default passwords. Consumers and businesses rarely change device passwords when purchased so they could be operating infected with malicious code for years. They were also able to log-on to entire Wi-Fi networks simply be retrieving the password stored in a device to gain network access.
Oren urged manufacturers to stop using easy, hard-coded passwords, to disable remote access capabilities, and to make it harder to get information from shared ports, like an audio jack which was proven vulnerable in studies. “It seems getting IoT products to market at an attractive price is often more important than securing them properly,” he said.
“The increase in IoT technology popularity holds many benefits, but this surge of new, innovative and cheap devices reveals complex security and privacy challenges,” said Yael Mathov, who also participated in the research. “We hope our findings will hold manufacturers more accountable and help alert both manufacturers and consumers to the dangers inherent in the widespread use of unsecured IoT devices,” he said.