Cyber researchers at Ben-Gurion University of the Negev (BGU) have found that mass-produced smart devices, such as baby monitors, home security cameras, doorbells and more, can be easily hacked.
The researchers have been investigating weaknesses in devices and networks in the smart home and internet of things (IoT) field. During their research, the team disassembled and reverse engineered many of the common devices on the market and uncovered many security issues in these technologies.
"Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products," says Dr. Yossi Oren, a senior lecturer in BGU's Department of Software and Information Systems Engineering and head of the Implementation Security and Side-Channel Attacks Lab at Cyber@BGU.
"It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand," says Omer Shwartz, a Ph.D. student and member of Dr. Oren's lab. "Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely."
The team found a few ways hackers can take advantage of poorly secured devices. One of the major discoveries was that similar products sold under different brands share the same default passwords. Users often don't change the passwords that are already loaded onto the devices, leaving them vulnerable to hacking. If a hacker can figure out the default password for one device, they potentially have the passwords for hundreds of other devices. The team also found that hackers who are able to retrieve the Wi-Fi password stored in a device could use it to log into the entire network.
If manufacturers stopped using easy, hard-coded passwords, disabled remote access capabilities and generally made it harder to get information from shared ports, they could protect their customers from hackers. But so far, doing this has not been their priority.
"It seems getting IoT products to market at an attractive price is often more important than securing them properly," says Dr. Oren.
The team came up with a list of seven tips to help keep smart device users and their information safe from hacking. These rules are:
1. Buy IoT devices only from reputable manufacturers and vendors.
2. Avoid used IoT devices. They could already have malware installed.
3. Research each device online to determine if it has a default password and, if so, change it before installing.
4. Use strong passwords with a minimum of 16 letters. These are hard to crack.
5. Multiple devices shouldn't share the same passwords.
6. Update software regularly; you will only get updates from reputable manufacturers.
7. Carefully consider the benefits and risks of connecting a device to the internet.
"The increase in IoT technology popularity holds many benefits, but this surge of new, innovative and cheap devices reveals complex security and privacy challenges," says Yael Mathov, who also participated in the research. "We hope our findings will hold manufacturers more accountable and help alert both manufacturers and consumers to the dangers inherent in the widespread use of unsecured IoT devices."
Make sure you are keeping yourself and your information safe from devices that could be tampered with or are potentially vulnerable to hacking. To read the paper on the team’s research, visit the site here.