USB Drive to Smart Home: Which of Your Devices Can Be Hacked?
The Internet of Things is expected to completely change the way everyday objects and appliances work. Your refrigerator, your car, your door locks, or your window shades could all be connected to the Internet to communicate and be controlled from a hub in the home, or an app on your smartphone. We think about the promise of having smart devices in the home: a thermostat that could learn when you’re home and save you money by turning the air conditioning up a few degrees while you’re away, for example, combining the best in connected technology with the smartest ways to save the environment — and on your electric bill.
But one thing that most consumers don’t think about with Internet of Things are devices. A lot of them are susceptible to hacking, just like your computer (except that no one really makes antivirus software for smart home automation systems.) Just how many are vulnerable? You probably don’t want to know.
A study released by Hewlett-Packard found that 70 percent of Internet of Things devices are susceptible to being hacked. HP Security Research examined 10 products from manufacturers of popular Internet of Things devices, such as ” TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales, and garage door openers.” Each device examined also included a compatible mobile app to access or control the device remotely. A majority also included a cloud service in some capacity.
While you might wonder if ten products are really representative of everything that’s on the market today, HP says that the similarities within the product categories led researchers to believe that the results were “a good indicator” of the current state of the market.
Researchers found what the study describes as “an alarmingly high average number” of vulnerabilities per each device examined. These vulnerabilities varied widely, including privacy concerns, insufficient authentication or authorization, lack of transport encryption, insecure web interfaces, or insecure software or firmware, and were described as ranging from “Heartbleed to Denial of Service to weak passwords to cross-site scripting.”
Ninety percent of the devices collected at least one piece of personal information via the device, the cloud, or a mobile app. Seventy percent of the devices used unencrypted network services, and 80 percent didn’t require a password that the researchers considered to be of “sufficient” length and complexity. (They noted that some allowed passwords as simple as “1234″ or “123456.”) Eighty percent of devices raised privacy concerns, 70 percent didn’t encrypt communications to the Internet and local network, 60 percent raised security concerns with their user interfaces, and 60 percent didn’t use encryption when loading software updates.
So what does this mean for you? The vulnerabilities are problematic given that the devices in your home — a smart thermostat or your home alarm system — often have access to your personal information: not only your bank account and social security number, but even your name, address, date of birth, and even in some cases your health information. The HP researchers warned about the potential risks of enabling devices to share that information with each other, even on a home network. “With many devices transmitting this information unencrypted on your home network, users are one network misconfiguration away from exposing this data to the world via wireless networks.”
They also call into question the necessity of cloud services, an area where more privacy concerns originate. The study authors wonder whether devices actually need to collect so much personal information to function properly. From a statistical standpoint, having multiple Internet of Things devices in the home opens up users’ information to a high number of vulnerabilities, which can not only mean that someone else might be able to control your lights or your locks, but that they could tap into the personal information to which your smart home has access.
“As the number of connected IoT devices constantly increases, security concerns are also exponentially multiplied. A couple of security concerns on a single device such as a mobile phone can quickly turn to 50 or 60 concerns when considering multiple IoT devices in an interconnected home or business.”
HP isn’t the only one looking with concern at the ease with which many smart home devices, which are expected to grow exponentially in popularity, can be hacked and exploited to expose users’ personal information. Researchers have always looked to expose vulnerabilities before hackers with more malicious intent can exploit them to gain information from large numbers of consumers, and recently they’ve found that many more devices than we’d like to imagine are actually vulnerable to hacking.
Forbes recently reported that researchers at Context Information Security discovered how to hack LIFX smart light bulb systems in order to access Internet passwords. Wall St. Cheat Sheet recently reported that a number of smart home devices — like baby monitors, smart toilets, and home automation systems by Belkin and Insteon — can and have all been hacked, often resulting in attention grabbing headlines, like the story of an Ohio couple awakened by a man who had hacked their baby monitor (reported here by The Economist.)
As if the possibility of your smart home hub or alarm system weren’t worrying enough, researchers are finding that an increasing number of other devices that you thought couldn’t be hacked — or at least, didn’t think about being hacked – are actually vulnerable as well. Medical devices, like insulin pumps, are vulnerable to hacking. Reuters reported that Berlin’s SR Labs found that USB devices like mice, keyboards, and USB drives can be hacked, as it’s possible to load malicious software onto the computer chips that control the functions of the device.
Meanwhile, Symantec found that activity and fitness-tracking devices from major manufacturers are vulnerable to location-tracking, and Reuters reported that cyber security researcher Ruben Santamarta has claimed that he’s discovered how to hack the communications systems of commercial jets via WiFi and entertainment systems. Hospital equipment, cars, microwaves, or refrigerators — just about anything that’s in some way connected to the Internet can be hacked, often with less effort than it would take to gain access to a traditional computer or smartphone.
The Hewlett-Packard study notes that manufacturers can still secure devices before large numbers of consumers are vulnerable, and it can implement security standards that help it find vulnerabilities before hackers do. Most of the vulnerabilities found in the devices examined were described as “low hanging fruit,” and problems that can generally be solved without significantly changing the user experience.
As huge numbers of new devices are connected to the Internet – Gartner expects 26 billion Internet of Thigns devices to be installed by 2020 — security vulnerabilities and privacy concerns will naturally pose challenges to both consumers and manufacturers. For consumers, it’s important to update the software on your smart home devices, just like you would your computer or smartphone, because updates can often fix security breaches or privacy issues. But the underlying problem — that almost anything connected to the Internet can be hacked if security measures aren’t put into place — isn’t one that consumers can solve.
Many of the vulnerabilities, like those discovered by HP researchers, are simple to fix. HP even links to the Open Web Application Security Project’s “Internet of Things Top Ten Project,” a document that walks manufacturers through the nature of the top ten security problems for Internet of Things devices and how to prevent them. Whether your future smart home will be vulnerable to hacking through every device will depend on how well the industry responds to news about vulnerabilities, and how proactively manufacturers adopt security practices to make devices more secure before they ship to consumers — or securely update software for devices that are already installed.
Device manufacturers will need to become much more security minded for the Internet of Things to take off in a way that’s safe and useful for consumers, and the smart home will also need to be a secure home for more people to want to live in it.