For years, research has highlighted various security flaws in millions of internet-enabled "smart" gadgets. But it wasn't until recently, when "Internet of Things" (IoT) devices like DVRs and webcams sustained a massive breach, that these security flaws became a pernicious reality.
The hackers were able to corrupt and co-opt these ordinary smart devices into a colossal botnet army, which they used to level a deluge of junk messages at Dyn, an internet management company that routes web traffic for popular websites, including Twitter, Netflix, Reddit and Amazon. The sheer volume of bogus messages caused Dyn to crash, and as a result, users were cut off from many of those sites. The hackers remain unknown, but their weapon of choice, at least in part, has been identified.
Mirai, an easy-to-use piece of software, infiltrates household devices and harnesses them for its operators' own exploits, unbeknownst to the owner. The cameras that were hacked and manipulated had low-end security features, and users had largely neglected to update factory-default usernames and passwords.
While this attack may conjure up large-scale cyberwarfare scenarios, it also underlines a very real and growing need to beef up security around the smart home, which has been severely lacking since the beginning. And if the problem isn't dealt with, it'll only continue to grow: Cisco Internet Business Solutions Group projects smart devices will reach 50 billion by 2020, a significant jump from 15 billion today. Intel estimates the number to be around a whopping 200 billion devices.
Why are smart home devices so easy to hack into?
In the face of economic demand, smart devices' security has largely fallen by the wayside, as it's perceived as a time-consuming expense. Many of the DVRs and webcams involved in the Dyn attack were shipped with factory-default settings and didn't require consumers to create a new username or password. Consequently, these users unwittingly became a target for Mirai, which enlisted their devices in a campaign against specific websites.
But even for users savvy enough to update their defaults, hackers still have more obscure means of infiltrating their smart devices. Not-so-user-friendly services like SSH and telnet offer hackers another access point, since the password hardcoded in the device isn't the same as the password on its web app, so changing the web app password leaves the hardcoded one in place. And unfortunately, the task of changing the password hardcoded into the firmware is likely too ambitious for the average consumer.
What are the security risks involved?
Smart home devices "learn" by gathering and exchanging data to tailor their operations around the unique habits of the household. For instance, a smart thermostat's data-gathering sensors can detect when people are home and learn the temperature settings of the home's occupants. The more integrated smart technology becomes, the more sensitive data it can accrue and use for optimal customization.
However, increased connectivity also means a single access point could easily provide cybercriminals a terminal to the home's central hub, where they can pirate other smart devices using the same Wi-Fi network. From there, hackers have access to all sensitive data, including when people are home, banking information, credit information, sensitive documents and more.
As opposed to a home break-in, which typically involves obvious signs of forced entry, these types of attacks are far more insidious and create a new form of anxiety for homeowners. A smart door lock could be furtively manipulated remotely, and connected home monitoring systems could be corrupted and used to spy on the home's inhabitants without their knowledge. The risks abound, and smart home security currently relies too heavily on the end user.
So what can users do to better protect their smart devices and themselves?
While it's clearly not the be-all and end-all remedy, changing default settings should be your first order of business. Make sure passwords are updated at least once a year and never use names, addresses or birthdays; and while it should go without saying, passwords like "admin," "1234," and "password" should never, under any circumstances, be used.
On top of effective password management, though, consumers should implement an extra authentication protocol, such as a one-time PIN you'd receive by text, to prevent unauthorized users from gaining access. Biometric authentication, which relies on a unique thumbprint, eye scan or the user's unique keystrokes, is another method gaining popularity, and it makes it difficult for hackers to bypass.
Unlike your smartphone, most IoT devices don't automatically prompt you to run a software update. So about once a month, open your smart gadget's corresponding web app and check for firmware updates. It's even a good measure to check for updates that might've been released between the time the device was manufactured and the time it arrives on your doorstep.
In the event of a security breach to your home, immediately update passwords, notify credit card companies and file a police report. Always avoid public Wi-Fi networks, and don't keep gadgets on the same network as your PC. By segmenting your Wi-Fi connections, you can at least minimize hacking across different devices.
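The two checks described above (whether a device still answers on SSH or telnet, and whether it shares a network segment with your PC) can be run against your own devices with a short script. This is an added example, not part of the original article; the device labels, IP addresses and the /24 subnet size are constructed assumptions.

```python
import ipaddress
import socket

# Well-known ports for the two services the article names.
REMOTE_ADMIN_PORTS = {"ssh": 22, "telnet": 23}


def listening_services(host, ports=REMOTE_ADMIN_PORTS, timeout=1.0):
    """Return the names of services on `host` that accept a TCP connection."""
    found = []
    for name, port in ports.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(name)
        except OSError:
            pass  # closed, filtered or unreachable: not reachable from here
    return sorted(found)


def shares_segment(device_ip, pc_ip, prefix_len=24):
    """True if the device sits in the same subnet as the PC (assumed /24)."""
    pc_net = ipaddress.ip_network(f"{pc_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(device_ip) in pc_net


def audit(devices, pc_ip, ports=REMOTE_ADMIN_PORTS, prefix_len=24):
    """devices: {label: ip}. Returns {label: [findings]} for flagged devices."""
    report = {}
    for label, ip in devices.items():
        findings = [f"{svc} reachable" for svc in listening_services(ip, ports)]
        if shares_segment(ip, pc_ip, prefix_len):
            findings.append("same network segment as PC")
        if findings:
            report[label] = findings
    return report


if __name__ == "__main__":
    # Constructed inventory: replace with the addresses of devices you own.
    my_devices = {"camera": "192.168.1.50", "dvr": "192.168.20.7"}
    for label, findings in audit(my_devices, pc_ip="192.168.1.10").items():
        print(label, "->", ", ".join(findings))
```

A device that shows up with "telnet reachable" or "ssh reachable" is one whose hardcoded firmware password matters, whatever its web app password is set to.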
Although the onus is on smart-home-device manufacturers to escalate built-in security, users should nonetheless be as vigilant about their usage as they are with credit cards, computers, sensitive documents and locking the front door.
Arun Ganesan serves as Vice President and Chief Technology Officer at Esurance, where he's responsible for data management, cyber security, business intelligence, infrastructure and operations.