Thousands of hacker attacks were launched on a network of smart home devices designed by researchers to assess the risk the gadgets pose to consumers.
During the initial week the "honeypot" network was online, 1,017 unique scans or hacking attempts were directed at the devices on the net, which included smart TVs, printers, wireless security cameras and Wi-Fi kettles, according to researchers at the NCC Group, Which? and the Global Cyber Alliance.
The attacks continued to grow, reaching 12,807 during a subsequent week, with 2,435 of those attempts to log into a device with a weak default username and password.
Most of the devices in the "hackable home" environment were able to prevent attacks through basic security protections, although this doesn't mean they'll never be at risk, the researchers explained in a statement.
The most concerning issue we found, though, they continued, was a connected camera which had a weak default password, which allowed a suspected hacker to gain access to the camera stream. However, the camera lens was taped over.
"Most of these attacks are automated," observed Matt Lewis, an analyst with the NCC Group, a cybersecurity company in the UK.
"They don't know what they're targeting," he told TechNewsWorld. "They just know how to access a service and try some common weak user name and password pairings."
"The one that stood out to us was user name admin and password admin, which is a common configuration for a lot of devices," he added.
However, he added, "We did see some CCTV camera activity that could be traced to a known threat actor in Russia."
Brad Russell, a vice president at Interpret, a global advisory company, explained that device data in the smart home space is a lot different than personal identifying information.
"It's a lot harder for people to worry about a piece of data from their thermostat, water sensor or garage door opener," he told TechNewsWorld.
"And there hasn't been a lot incentive for hackers to access smart home data," he added. "Their energies are better spent installing ransomware and stealing really valuable data like credit card numbers and socials."
Nevertheless, that doesn't mean smart home devices can't be leveraged to do harm to their owners.
"A smart thermostat that's hacked might provide a gateway to the home network and then access to personal computers and digital files," explained Adam Wright, a senior research analyst for the smart home at IDC.
"A smart camera or baby monitor that is hacked can facilitate the same malicious activity as the thermostat," he continued, "but, in addition, the camera itself can be used to spy on people or the camera can be used to communicate or harass people in the home."
"Any device that is connected to the internet that is compromised can be used as a jump point to other devices," added Tom Brennan, chairman of Crest USA, a global not-for-profit cybersecurity accreditation and certification body .
"It can also be used as an exfiltration point to get out sound, video and data out of a home," he told TechNewsWorld.
"The most benign attackers are geeky kids learning technology by breaking it," he told TechNewsWorld. "They would not look for financial gain. They are pranksters that enjoy waking someone by turning on their smart light bulbs in the middle of the night."
"They are not completely harmless though and can cause damage or money loss, if they decide to play with devices connected to your digital marketplace accounts," he said.
"Another type of attacker can be compared to a prowler, checking on unlocked doors in a neighborhood," he continued. "In a 'drive-by compromise' they are looking for financial gains and will exploit what they can."
"Probably the most abominable attackers are child abusers and pedophiles, hijacking cameras and internet-connected toys," he maintained.
"Finally," he added, "for a very few high-profile targets, smart devices can be just one of the attack vectors that allow adversaries to collect intelligence and break into their lives."
Smart home devices are attacked by hackers in many cases because the attacks are easy to do, noted Wright.
"Many devices are still being shipped from the factory with inadequate security protections in place, such as security codes to access the device being 1234 or 0000," he said.
He noted that leading security concerns of the survey's respondents focused on unauthorized control of devices, identity theft and conversations being recorded. Fewer consumers were concerned about purchase habits being discovered.
For consumers who want to protect their smart home devices from hackers, Sotnikov offers these tips:
During the initial week the "honeypot" network was online, 1,017 unique scans or hacking attempts were directed at the devices on the net, which included smart TVs, printers, wireless security cameras and Wi-Fi kettles, according to researchers at the NCC Group, Which? and the Global Cyber Alliance.
The attacks continued to grow, reaching 12,807 during a subsequent week, with 2,435 of those attempts to log into a device with a weak default username and password.
Most of the devices in the "hackable home" environment were able to prevent attacks through basic security protections, although this doesn't mean they'll never be at risk, the researchers explained in a statement.
The most concerning issue we found, though, they continued, was a connected camera which had a weak default password, which allowed a suspected hacker to gain access to the camera stream. However, the camera lens was taped over.
"Most of these attacks are automated," observed Matt Lewis, an analyst with the NCC Group, a cybersecurity company in the UK.
"They don't know what they're targeting," he told TechNewsWorld. "They just know how to access a service and try some common weak user name and password pairings."
"The one that stood out to us was user name admin and password admin, which is a common configuration for a lot of devices," he added.
Malicious Mixed Bag
Lewis noted that much of the activity spotted by the researchers was probably harmless. "It was from large internet companies scanning the internet to see what was out there," he said. "There were also hackers looking for vulnerability IP addresses because they're more curious than nefarious."However, he added, "We did see some CCTV camera activity that could be traced to a known threat actor in Russia."
Brad Russell, a vice president at Interpret, a global advisory company, explained that device data in the smart home space is a lot different than personal identifying information.
"It's a lot harder for people to worry about a piece of data from their thermostat, water sensor or garage door opener," he told TechNewsWorld.
"And there hasn't been a lot incentive for hackers to access smart home data," he added. "Their energies are better spent installing ransomware and stealing really valuable data like credit card numbers and socials."
Nevertheless, that doesn't mean smart home devices can't be leveraged to do harm to their owners.
"A smart thermostat that's hacked might provide a gateway to the home network and then access to personal computers and digital files," explained Adam Wright, a senior research analyst for the smart home at IDC.
"A smart camera or baby monitor that is hacked can facilitate the same malicious activity as the thermostat," he continued, "but, in addition, the camera itself can be used to spy on people or the camera can be used to communicate or harass people in the home."
"Any device that is connected to the internet that is compromised can be used as a jump point to other devices," added Tom Brennan, chairman of Crest USA, a global not-for-profit cybersecurity accreditation and certification body .
"It can also be used as an exfiltration point to get out sound, video and data out of a home," he told TechNewsWorld.
Hacker Magnets
Ilia Sotnikov, a security strategist and vice president of user experience at Netwrix, a visibility and governance platform maker in Irvine, Calif. noted that several types of hackers are attracted to smart home devices."The most benign attackers are geeky kids learning technology by breaking it," he told TechNewsWorld. "They would not look for financial gain. They are pranksters that enjoy waking someone by turning on their smart light bulbs in the middle of the night."
"They are not completely harmless though and can cause damage or money loss, if they decide to play with devices connected to your digital marketplace accounts," he said.
"Another type of attacker can be compared to a prowler, checking on unlocked doors in a neighborhood," he continued. "In a 'drive-by compromise' they are looking for financial gains and will exploit what they can."
"Probably the most abominable attackers are child abusers and pedophiles, hijacking cameras and internet-connected toys," he maintained.
"Finally," he added, "for a very few high-profile targets, smart devices can be just one of the attack vectors that allow adversaries to collect intelligence and break into their lives."
Smart home devices are attacked by hackers in many cases because the attacks are easy to do, noted Wright.
"Many devices are still being shipped from the factory with inadequate security protections in place, such as security codes to access the device being 1234 or 0000," he said.
Consumer Protect Thyself
Wright added that security is important to smart home device buyers. He cited a 2020 IDC survey that found 71.4 percent of smart home users were at least somewhat concerned about device and data security.He noted that leading security concerns of the survey's respondents focused on unauthorized control of devices, identity theft and conversations being recorded. Fewer consumers were concerned about purchase habits being discovered.
For consumers who want to protect their smart home devices from hackers, Sotnikov offers these tips:
- When you get a new device, always change the default password or set the password, if it's not protected, out of the box.
- Check other security settings and consider hardening them. These will depend on the type of device. They include options such as turn off the mic on a voice assistant when you don't use it, disable access to your address lists, set additional protection for online purchases and turn on additional confirmation or notifications.
- Make sure to enable the setting to download and install security patches, if the device manufacturer provides them. Unpatched vulnerabilities can provide hackers the quickest way to get into your system.
- Consider segmenting your home network so that someone hacking the smart fridge and lightbulbs cannot jump over to your PC and gain access to your personal or work IT systems.