Nearly all the fancy hardware in your connected home is inherently flawed when it comes to security. That's one of the painful takeaways from a new report by Synack, a subscription Security-as-a-Service (SaaS) startup in Menlo Park, California. The company's analysis will be a rude awakening for anyone who thinks they have a bullet-proof home-security system, whether it's a DIY project or a pricey custom job.
We became aware of Synack's study on Wednesday via this Gigaom story, but we covered the relative insecurity of routers and IP security cameras nearly a year ago, and that of network-attached storage last August. Unfortunately, not much has changed since then.
To drive that point home, Synack tested 16 products in four categories: Cameras, thermostats, smoke/CO detectors, and home-automation controllers. Synack researcher Colby Moore, who put the report together, said he was able to root almost every device in less than 20 minutes. Most of the gadgets suffered from weak password policies; but collectively, there's a long list of issues, including open ports, built-in backdoors, and lack of encryption.
Cameras were the worst offenders, according to Synack's report. Of the five tested, each suffered from multiple security issues. Two--D-Link's DCS-2132L and Foscam's FI9826W--were dinged for obfuscating rather than securing data in transit. Obfuscation involves masking data in any number of ways, like scrambling letters. Unlike encryption, however, obfuscated data doesn't require a security key to decode--prying eyes need only figure out how the data was cloaked.
Think about that for a moment. There's an uncomfortable level of creepiness that comes from knowing a hacker could be using your cameras against you, whether it's to map out the times you come and go during the week, or to create a blueprint of possible entry and exit points by looking through your baby monitor. Ideally, Moore recommends all communication use bidirectional encryption.
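The distinction the report draws between obfuscation and encryption is easy to see in code. The following is an added illustration, not code from the article or from Synack, and the "camera" message, the XOR constant and the HMAC-based keystream are all constructed for the demonstration. The first scheme hides data behind a fixed transformation that every unit shares; a passive observer who knows how one message begins recovers it from a single packet. The second uses a per-device secret key plus an authentication tag, so the same observer gets nothing and any tampering is detected.

```python
import hashlib
import hmac
import secrets

# Constructed sample of the kind of status message a device might phone home with.
SAMPLE_MESSAGE = b"user=admin;pass=hunter2;stream=1"

# --- Obfuscation: a fixed, non-secret transformation -----------------------
# The constant ships in every unit's firmware, so it is part of the scheme,
# not a key. Anyone who has looked at one device knows it for all of them.
OBFUSCATION_CONSTANT = 0x5A  # constructed value for this example


def obfuscate(data: bytes) -> bytes:
    """XOR every byte with the baked-in constant (its own inverse)."""
    return bytes(b ^ OBFUSCATION_CONSTANT for b in data)


def deobfuscate(data: bytes) -> bytes:
    return obfuscate(data)


def recover_constant(observed: bytes, known_prefix: bytes) -> int:
    """What a passive observer does: if a message is known to start with a
    fixed field such as 'user=', one XOR yields the constant. No key involved."""
    return observed[0] ^ known_prefix[0]


# --- Encryption: a keyed transformation with integrity -----------------------
# Keystream = HMAC-SHA256(key, nonce || counter), i.e. a keyed PRF in counter
# mode using only the standard library. Illustrative construction; a product
# would use an AEAD such as AES-GCM or ChaCha20-Poly1305.
NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh nonce per message, XOR with keystream, then an HMAC tag over nonce+ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or altered message")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def demo() -> dict:
    """Run the same known-prefix observation against both schemes."""
    key = secrets.token_bytes(32)  # per-device secret held only by the two endpoints

    # 1. Obfuscated traffic: derive the constant from the known prefix, read everything.
    ob = obfuscate(SAMPLE_MESSAGE)
    c = recover_constant(ob, b"user=")
    obf_readable = bytes(b ^ c for b in ob) == SAMPLE_MESSAGE

    # 2. Encrypted traffic: the same trick yields one keystream byte, which says
    #    nothing about the rest because the keystream is not a constant.
    blob = encrypt(key, SAMPLE_MESSAGE)
    body = blob[NONCE_LEN:-TAG_LEN]
    c2 = recover_constant(body, b"user=")
    enc_readable = bytes(b ^ c2 for b in body) == SAMPLE_MESSAGE

    # 3. Flip one ciphertext bit: the tag check rejects it.
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01
    try:
        decrypt(key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "obfuscation_readable_without_key": obf_readable,
        "encryption_readable_without_key": enc_readable,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `recover_constant` is that it is the whole "attack" on the obfuscated scheme: knowing how the data was cloaked is enough, exactly as the report says. Against the keyed scheme the same observation is useless, and the tag means a relay in the middle cannot silently alter a frame either.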
The Control4 HC-250 system controller, sold only to custom installers, was knocked for a "history of unpatched security issues" and a "built-in unauthenticated remote management feature" (in other words, an insecure backdoor that a hacker could exploit).
It's not just about you
What's described above is a pretty sophisticated (and personal) level of attack that would require plenty of planning and a high level of risk, but it's not the only scenario. In this November blog post on hacking the home, Synack describes how a hacker can rather easily exploit seemingly trivial vulnerabilities and infiltrate thousands of IoT devices with less than a day's effort.
There's strength in numbers for whatever nefarious purposes the hacker might be cooking up, or he could simply dump the data online, revealing thousands of usernames and passwords. It's a headline that's played out multiple times each year, and as the IoT market grows, it gets closer to becoming a viable target for this kind of data harvesting. This is especially true if these devices don't start implementing better security measures, such as requiring stronger passwords.
"We've seen the trend this year, the connected home is blowing up," Moore said in an email. "At CES, nearly every device was networked. At this rate, it's only a matter of time until there is a major widespread breach or hack of personal data involving one or more IoT devices. Consumers are already hesitant but willing to take a leap of faith. So what happens when this breach occurs? It's about to make worldwide headlines and to be taken out of context. One could imagine that the IoT industry's sales and trust will be significantly impacted."
The long game: Accessing your router
Some of the concerns in Synack's report are a bit overblown. One device was dinged for being susceptible to a supply-chain attack, where somewhere between the assembly line and a retail shelf, a ne'er-do-well could intercept and physically tamper with the device, installing malware or altering the firmware before it reaches the end user.
There's also a bit in the report about Wi-Fi jamming; but when we asked Moore if that's truly a concern for seemingly benign devices like smart thermostats, he said that for those types of products, the worst-case scenario is "temporary loss of remote functionality."
At the same time, security shortfalls in these devices still pose a risk. Let's say you're not concerned if someone hacks into your thermostat and changes the temperature. It's annoying, maybe even costly if you're away on vacation when it happens and aren't monitoring things, but you'll survive. The smart thermostat, however, isn't the real target. It's merely a stepping stone to your router.
In a follow-up blog post, Synack lays out a scenario where a hacker could upload custom firmware into a compromised consumer device, effectively turning it into a remote login platform. Now the bad guy can penetrate your home network, where it's easier to gain control of your router. Once he does that, you're in for a very bad day because he can monitor your online behavior and collect personal information, such as bank logins and email communications.
What can you do?
We asked Moore if consumers should avoid today's crop of connected-home appliances and home-automation controllers. For the most part, he said, such an extreme measure isn't necessary.
"It really depends on the consumer and their concerns. In general, I would say, no, go out there and get the newest, latest, greatest tech," Moore said. "Just be aware of the security implications and hold manufacturers to high standards. For less tech-savvy consumers that are concerned with security, purchase well-reviewed and -secured devices with a reputation for ease of use (such as Nest). There is always a risk in adopting new technology, but the benefits often outweigh it."
That doesn't mean you should be lax about security. Do the opposite: use a hard-to-guess password whether your device requires one or not. For hackers, it boils down to a numbers game; they're not after you personally, they're just looking to breach as many devices as they can. Don't let your home--connected or not--be an easy target.
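Weak password policies topped the report's list of findings, and the closing advice is to pick a hard-to-guess password even when the device doesn't insist on one. As an added example, not code from the article or from Synack, here is the kind of check a device's setup flow (or a cautious owner) could apply before accepting a credential: it rejects well-known factory defaults, passwords that repeat the username, short passwords, and passwords whose estimated entropy is low. The default list and the thresholds are constructed for the example; a vendor would use its own published defaults and policy.

```python
import math
import string

# Constructed set of factory credentials commonly found on consumer gear.
KNOWN_DEFAULTS = {
    "", "admin", "password", "passw0rd", "root", "user", "guest",
    "default", "1234", "12345", "123456", "admin123", "letmein",
}

MIN_LENGTH = 12        # assumed policy values for the example
MIN_ENTROPY_BITS = 60


def estimated_entropy_bits(pw: str) -> float:
    """Rough strength estimate: length * log2(size of the character pool used).
    Optimistic for dictionary words, which is why the default list is checked too."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation or c == " " for c in pw):
        pool += len(string.punctuation) + 1
    return len(pw) * math.log2(pool) if pool else 0.0


def check_credential(username: str, password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    low = password.lower()
    if low in KNOWN_DEFAULTS:
        problems.append("matches a well-known factory default")
    if low == username.lower():
        problems.append("identical to the username")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) <= 2:
        problems.append("built from only one or two distinct characters")
    if estimated_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a shipped default, a short "improved" one, and a passphrase.
    for user, pw in [("admin", "admin"), ("admin", "Cam2015!"), ("cam", "correct horse battery staple!")]:
        verdict = check_credential(user, pw)
        print(f"{user}/{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

A device that ships with "admin/admin" fails on three counts at once; a passphrase of ordinary words with a space and a punctuation mark passes comfortably. The entropy estimate is deliberately simple, so the explicit default list does the work of catching strings that are long enough but widely known.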