Posted by Taylor Armerding on October 10, 2018
The original version of this article was published in Forbes.
“Smart but insecure” sounds like you’re talking about a high achiever who needs therapy.
Which you could be. But in the online world, it applies to semi-animate objects—the hundreds of millions of devices in American homes that are, at one level, smart.
They range from thermostats to appliances like ovens and refrigerators, to TVs, kids’ toys, vacuums, speakers, light bulbs, security cameras, baby monitors, door and window locks, plugs and switches, smoke detectors, and, of course, your virtual assistant, all controllable through your voice or, yes, those other smart things—your phone or other computing device.
They offer almost magical convenience—responding to remote commands, warning you when something is wrong or about to go wrong, or just letting you know when you are running low on milk.
But most are also notoriously insecure—vulnerable to hackers—and are in need of their own kind of therapy, which in this case is software that is not riddled with vulnerabilities that frequently can’t even be patched.
So, given that we are in National Cybersecurity Awareness Month, it would be good to start in the home, where you should be aware of the scale of the problem, aware that it is not going to be fixed by government or the private sector anytime soon, and aware of what you can and should be doing to make sure you don’t sacrifice security for convenience.
The problem is both massive and pervasive. Numerous studies confirm what is frequently called the “terrifying” reality that virtually all smart home devices, including extra-sensitive ones like baby monitors and “hubs” that control multiple devices, can be easily hacked.
One of the more recent reports comes from a team at Ben-Gurion University, which demonstrated earlier this year that most of these devices could be compromised in less than 30 minutes, simply by doing a Google search of the brand and tracking down the default factory-set passwords.
“It is truly frightening how easily a criminal, voyeur or pedophile can take over these devices,” said Yossi Oren, assistant professor in the Department of Software and Information Systems at Ben-Gurion University and one of the report’s researchers.
Sadly, none of this is new.
Almost five years ago, following a conference on the Internet of Things (IoT) hosted by the Federal Trade Commission (FTC), panelist Craig Heffner said the biggest reason for such a lack of security is that “people don’t make purchasing decisions based on the security of a product. They do it based on the product’s features, looks and price.” Heffner, a vulnerability researcher with Tactical Network Solutions, asked, “Why in the world would a company spend time and money on something that users don’t care about and will never see?”
Heffner’s 2013 assessment of the state of the industry is, apparently, still the case. And as is obvious, a hacker getting control of your door locks, your garage doors, or your security cameras can put you and your family at physical risk, a problem much worse than needing to get a new credit card.
It will also likely be the case for some time. While there have been various legislative efforts and calls for mandatory software security standards, the industry remains essentially unregulated.
Among those efforts is a bill co-sponsored a year ago by Sen. Ed Markey, D-Mass., and Rep. Ted Lieu, D-Calif., titled the Cyber Shield Act of 2017, that would launch “a program to identify and promote Internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes.”
But it would be voluntary. And so far, while there was one hearing on it this past April, it hasn’t even made it out of the Committee on Commerce, Science, and Transportation, never mind to the floor of either chamber.
All of this means if you want to avoid having your smart home put your privacy and physical security at risk, it’s kind of up to you to take measures that keep you from becoming, as they say in the security industry, “low-hanging fruit.”
And there are things you can and should do. You don’t have to be a techie either—you just have to invest some time and maybe some money. These are essentially security basics. With thanks to Larry Trowell, principal consultant, and Ofer Maor, product marketing director, both of Synopsys, and Craig Spiezle, managing director of Agelight Advisory Group, here is a brief list of measures that are still voluntary, but probably shouldn’t be:
Beyond that, use unique passwords and usernames. “The answer is not longer, or more cryptic passwords,” Spiezle said. “The problem is the reuse. Each password shouldn’t be used for anything else. And don’t make your username something obvious, like your name, or your first initial and last name.”
No, they are not bulletproof, but neither is the lock on your home, which still has considerable value in blocking, or at least slowing down, someone hostile trying to get in.
Trowell notes that a number of routers offer that option.
And Maor said, given the reality that most home networks will be breached in some way—if not from a targeted attack, then an automated one—this is the best way to limit access to everything in the home.
“I run my home on multiple network segments,” he said. “There is my ‘office’ network with the laptops, NAS, and all the important sensitive parts of my home. There is my ‘Home IoT’ network, which holds most of the IoT devices. This limits a breach—if one of my IoT devices gets hacked, the hacker may be able to propagate from it to other IoT devices, but will not be able to reach my laptop or my sensitive data,” he said.
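As an added illustration of the segmentation Maor describes (example configuration written for this page, not from the article or from any product mentioned in it), here is an nftables forward policy for a Linux-based home router with one interface per segment; the interface names and the choice to let the office initiate connections toward IoT devices are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the article: forward policy for a Linux home router
# with an "office" segment and a "Home IoT" segment. Interface names are assumed.
define WAN    = eth0
define OFFICE = lan0        # laptops, NAS, sensitive data
define IOT    = lan1        # smart plugs, cameras, speakers, bulbs

table inet segments {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections allowed below are let back through;
        # anything the connection tracker cannot classify is dropped.
        ct state established,related accept
        ct state invalid drop

        # Both segments may reach the Internet (including vendor update servers).
        iifname { $OFFICE, $IOT } oifname $WAN accept

        # The office may open connections to IoT devices in order to control them.
        iifname $OFFICE oifname $IOT accept

        # IoT devices can never initiate anything toward the office segment.
        # Logging these attempts is the cheapest breach indicator a home has.
        # A compromised device can still reach its neighbours on the IoT segment,
        # because that traffic is switched locally and never hits this chain;
        # that is the blast radius this design deliberately accepts.
        iifname $IOT oifname $OFFICE log prefix "iot-to-office " drop
    }
}
```

Load it with `nft -f` on the router; a dropped line tagged `iot-to-office` in the kernel log is the signal that a device on the IoT segment is probing where it should not.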
Most routers are notoriously insecure, but even better ones can be breached. And as Trowell noted, routers “are statistically more likely to be the entry point.”
Updates are not nearly as well-publicized as product recalls, but they can be just as crucial. It’s good to get into the habit of checking regularly to see if any are available.
It’s also worth checking on whether your vendor has released a new, more secure model. “Comcast doesn’t tell you that they have a new router available unless you ask,” Spiezle said.
Especially when homeowners add one device at a time, it can be easy to lose track of one or more of them. As security experts have been saying for years, you can’t secure what you don’t even know you have. Also, adding devices incrementally may seem gradual, but it can increase complexity exponentially.
“They’re like a password manager,” Spiezle said. “They provide a dashboard with an API (application programming interface) that connects with all the devices in your home.”
They can be pricey, but most include functions like antivirus, antispyware, antispam, network firewall, intrusion detection and prevention, content filtering, and leak prevention. Some also provide VPN (virtual private network) support.
Yes, this all takes time and, in some cases, money. But look at it this way—if you can afford the devices, can you afford not to secure them? By doing so, you’re securing yourself.
Security starts with awareness. Be aware.