Smart homes at risk of hacking attacks
UK households now have more than 10 different connected devices, on average, from televisions to thermostats. While these products can bring huge benefits and convenience for consumers, as homes become more ‘smart’ they can become more of a potential target for hackers.
Which? set up a fake home and filled it with connected products bought from online marketplaces, ranging from smart TVs, printers and wireless security cameras, to more unusual gadgets such as Wi-Fi kettles. Researchers then connected them to the internet, exposing them to online threats and malware created by real cybercriminals.
Working with cyber security specialists NCC Group and the Global Cyber Alliance, Which? looked for unique scanning attempts – a technique for locating online devices, which exists in a legal grey area and is a potential gateway used by hackers – and hacking attempts, which are a clear breach of the Computer Misuse Act.
The research team saw 1,017 unique scans or hacking attempts coming from all around the world in just the first week of testing, with at least 66 of these being for malicious purposes.
That figure rose to 12,807 unique scans or attack attempts against the home devices in the busiest week, including 2,435 specific attempts to maliciously log into the devices with a weak default username and password.
Most of the time, the basic security protections in the devices were able to block the attacks, but that was not always the case.
The most targeted devices in the testing were an Epson printer, an ieGeek branded wireless camera and a Yale smart home security system. All three devices were purchased from Amazon.
The ieGeek camera was easily hacked and compromised, allowing a genuine suspected hacker to access the video feed and spy on the testers.
All real attacks against the printer and security system failed because they had reasonably strong default passwords in place. But this doesn’t mean they are unhackable, just that they have basic protections against the most common bulk attacks that plague smart homes.
The most common reason to hack smart devices is to create botnets such as Mirai, which probe for new insecure devices coming online, such as routers, wireless cameras and connected printers, before forcing their way past weak default passwords. From there, the parasite can be used as a powerful hacking tool, as in 2016 when it knocked Twitter, Amazon and other leading websites temporarily offline.
Based on Which?’s experiment, nearly all (97%) attacks against smart devices are attempts to add them to the sprawling Mirai botnet. The hacking traffic came from around the world, but the vast majority appeared to originate from the US, India, Russia, the Netherlands and China.
Which? found spikes of activity during the 9am to 6pm period of the typical UK working day. This suggests that criminals know this is when people will be using their devices, potentially for work during the pandemic, and so they have more chance of hitting a target.
While not all scanning activity is malicious, and some is even semi-legitimate, malicious hackers use port scanning to find weak and vulnerable devices to prey upon.
Which? believes it is vital that the government pushes forward with plans for legislation to require connected devices to meet certain security standards and ensure this is backed by strong enforcement.
The Product Security and Telecommunications Infrastructure Bill, expected to be introduced in 2022, aims to regulate insecure connected products. Among its provisions is that default passwords on connected products, such as ‘admin’ or ‘123456’, will be made illegal.
The consumer champion also wants to see online marketplaces and retailers given additional obligations for ensuring the safety and security of the products sold on their sites, regardless of whether the seller is a third party.
Kate Bevan, Which? Computing editor, said: “While smart home gadgets and devices can bring huge benefits to our daily lives, consumers should be aware that some of these appliances are vulnerable to hackers and offer little or no security.
“There are a number of steps people can take to better protect their home, but hackers are growing increasingly sophisticated. Proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.”