Sign up to our newsletter
Smart home security has hit the headlines over the past few days, after a Russian website offered a potent reminder of the dangers of devices which connect directly to the internet.
The reminder came in the form of live feeds from unsecured ‘Smart’ CCTV cameras showing homes, businesses and nurseries around the world.
Seeing – even for a second – someone else’s children sleeping is a truly creepy moment, even by the standards of the infosec world- and a reminder of how difficult smart home security can be.
But with major TV manufacturers having issued advice to simply tape over webcams when not in use, it’s easy to jump to the conclusion that ‘Smart Home’ or ‘Internet of Things’ devices are ALL Trojan horses built to make your home less secure.
“Of course there are threats associated with more devices connecting to the internet,” says Graham Cluley, veteran security researcher and We Live Security contributor. “Especially when they are built by companies who may not be well versed in computer security.”
“None of us should be complacent about the potential risks – but there is perhaps more hype than havoc at the moment.”
One researcher showed how he could ‘haunt’ a home hundreds of miles away by hacking into the website for their ‘smart’ lighting system – and last year, one shocking case saw a baby monitor company penalized in the US for a security system so weak that a hacker was able to spy on and insult a baby via the camera, from far away.
Marc Gilbert, of San Antonio, said that he saw the baby monitor move and heard a voice say, “Wake up, you little [expletive]”
Thankfully, there are simple steps security conscious users can take to lock down a home – no matter how connected is.
During the set-up process, these will use a default password. ESET Security Specialist Mark James says that the device itself will be easily found using specialized search engines – and that the URL used to log in, and the default password will be easily found online.
James says, “Education is the key point here, the end user needs to be fully aware that a default password exists and easy instructions on how to change it.”
“When it comes to changing the password, let’s not confuse this with all the advice about having to use a complex password, the point here is not about how hard or long the password is, it’s about NOT using the default password.”
“Of course a complex password is best using a mixture of upper and lower case letters, numbers and characters – but anything is better than the default password… anything!”
Some routers have an irritating habit of reverting to default whenever they are updated. Detailed advice on securing routers can be found here.
If you do update your router, have a check through its settings – make sure, for instance, that the username is not “admin” and the password “password” once again, or that the network’s name has not gone back to the original.
If they have, sigh, and redo the process.
Most higher-grade routers are capable of broadcasting several SSIDs (what users think of as Wi-Fi network names). This allows you to partition off devices you might be less sure of – for instance, your Wi-Fi toilet, and Wi-Fi lighting, from devices such as network drives storing private data.
You’ll need to invest in the more ‘small office’ end of the small office/home office market to enjoy this sort of feature.
As your home gets more connected, you can, for instance, partition off PCs and consoles used by younger (and less security-conscious) members of the family from central PCs and drives that you REALLY wouldn’t want an intruder to have a look at.
For CCTV cameras, remote viewing is an essential – it gives you peace of mind to be able to see into your home. But for other devices, such as baby monitors, it’s not: you are in the home with your baby, so you have no need for the footage to be available via the internet.
You will be able to disable this via the settings menu – and it’s a good idea to do do so straight away. Hackers will use specialist search tools to find connected devices, and if they’re not protected by passwords, your baby is at their mercy.
Simon Rice of Britain’s Information Commissioner’s Office says, ‘The ability to access footage remotely is both an internet cameras biggest selling point and, if not setup correctly, potentially its biggest security weakness.
“Remember, if you can access your video footage over the internet then what is stopping someone else from doing the same?”
Gadgets such as Windows PCS update themselves – which can lead people to expect routers to do the same. They don’t. Updating yours can be fiddly, and is not a ‘silver bullet’ for all problems, but it is worth doing.
Firmware is the code and data which allows routers to function – much like Windows – but it does not update itself. Find the router’s model number: usually printed on the device.
Visit the website for your router manufacturer – and check if there is a newer version. Download it. Connect your router to your PC (via a standard Ethernet cable, available in any electrical store).
The website should tell you a web address for your router’s ‘control panel’ – visit this, and follow the instructions
Malware known as RATs (Remote Access Tools) allows criminals to look through the webcams of compromised PCs – and a repellent class of criminal known as ‘Ratters’ sells access to these via unpleasant sites on the internet.
Ensure your cameras are as secure as you can make them.
Security researchers have shown off attacks where cameras on Smart TVs can be accessed via the internet – and some forms of malware can allow crooks to look through your PC webcam.
If you’re not using it, switch it off. If it’s built in to the gadget, put a piece of tape over the lens when it is not in use.
Think about where you’re pointing your cameras. The point of security cameras is to give you peace of mind – so point them at entrances to your house, rather than giving someone a view of the goods and people in there.
If the camera is showing a view of a door, hackers are unlikely to remain interested.
It’s easy to laugh at some smart home security hacks – such as the one demonstrated against e-toilets. Victims of the hack on Japanese Satis toilets could be assaulted with a remote-controlled flush – or even a blast from the bidet.
Hackers can also use the app to control the air-drying functions at will, “causing discomfort” Ars Technica warned with tongue firmly in cheek.
But as an attack aganst a Canon Pixma printer showed – where a researcher, rather torturously, persuaded the device to play Doom – these are computers. If you can control a computer, you can access data. With every IoT device, don’t take shortcuts – change the default password, take time to understand how they work, and if there are additional security measures, activate them.
Many websites have cleaned up their acts when it comes to demanding strong passwords – but don’t fall into the trap of using a weak one just because a device’s interface doesn’t force you to.
Follow We Live Security’s rules for generating a strong, secure password and use a different one for each ‘smart’ device you’re setting up on your network.
Your router should have a hardware firewall in place (worth visiting the settings menu to ensure it’s ship-shape (and that you’re usng WPA encryption, rather than easy-to-crack WEP) – it’s a good first step for smart home security. Do the same for your PCs and Macs (firewalls are built into Windows 8 and Mac OS X).
Many ‘internet of things’ hacks – such as turning out the lights – will have the most impact/entertainment value for people nearby – ie ‘wardrivers’, or nearby teenagers, or even your children’s friends.
If you’re worried, lock down which devices can and can’t access your network using MAC filters.
Any PC or mobile computing device has a unique identifying number known as a MAC address. If you access your router’s settings, you can select which devices can and cannot connect to your network – meaning for instance, a neighbour couldn’t log in, or a teenage visitor could not access unsuitable sites via a smartphone.
Add the MAC addresses of all authorized devices in the home – iPhones, tablets, laptops etc. – to the router’s authorized list. No other device will then be allowed on the network. You can find the MAC addresses of mobile phones and other portable devices under their network settings, though this will vary for each device. Check with the manufacturer.
As a general rule, the fewer devices which can connect outside the home, the safer you are in terms of smart home security. Disable remote access wherever possible, and your home will be more secure.
The amount of energy you’ll save is not huge – but if you switch off ‘smart’ devices when you’re not using them, your home’s data will be safer.
Author Rob Waugh, We Live Security