A Realistic Guide to Smart Home (IoT) SecurityMarch 13, 2019
YOUR SMART HOME CAN BE HACKED, and today on the hookup we’re going to figure out whether you should care.
It seems like every week I read about a new vulnerability in the so called internet of things and the articles are usually written as if there is an eminent threat towards me and my family. In this video we’re going to realistically consider the implications of security vulnerabilities within the internet of things, and decide if you should remove all smart devices from your house.
Our reaction to hearing that our smart homes could be hacked is often an understandable knee jerk response where we consider the safety of our families and our belongings. You may have a mental image of someone pulling up with their laptop and using a wifi deauther to knock your cameras offline, and then hacking your smart door lock using a replay attack to easily gain entry to your house. And while this situation is certainly possible, unless you’re hiding government secrets in your house, I think it is a pretty unlikely outcome. A much easier way to gain access to a home without being identified is to put on a hood or a ski mask and break a window with a hammer, not only is it faster, but you don’t need those pesky highly marketable computer science skills.
So if a hacker isn’t going to break in and steal your TV or prescription medicine, why do they want to gain access to your network?
This was honestly a question that I had no answer to, so I contacted a former student of mine named Charlton who is an active in the hacking community and a member of the university of central florida’s hacking team.
I sat down with him back in December for an interview and was a fun and eye opening experience. I’ve posted that interview in it’s entirety if you’re interested in watching it, but I’ll cover the cliffs notes version in this video. Link is down in the description.
The answer to why someone would want to hack your network is, expectedly, that there isn’t one single reason, but the most common motivations for someone you don’t know hacking into your network remotely are mining cryptocurrency, installing botnets for ddos attacks, and good old fashioned causing havoc for the purpose of havoc. Under very rare circumstances you could become the victim of some sort of organized crime ring where users of a specific product like a camera system are targeted because the criminals would have access to a feed that tells them your location, what valuables you may have in your house, and whether or not you are home, but those situations are probably few and far between.
So what devices on your network make you the most vulnerable?
In a recent report from the popular antivirus and security company Avast they determined that roughly 40% of connected homes are vulnerable to remote hacks, and the most vulnerable devices listed in their report? Routers and printers, not exactly what you think about when someone says “smart home”.
So before we start talking about the security of your switches, lights, locks and hubs, there are a few things that you can do right now to drastically increase the security of your network and decrease the likelihood that you will be hacked.
First and foremost: Update the firmware on your router. Your router is the first line of defense preventing outside traffic from accessing your home network. Many popular router firmwares have known exploits that can be used by anyone with the ability to download a pre-written script and follow a set of step by step instructions. These exploits are usually quickly patched by the manufacturer, but the patches require you to download and update the firmware manually, something the vast majority of router owners have never done.
Second: When you log into your router to update the firmware, if you used a password like administrator and password, or root and pass, your entire network is basically open to anyone who wants access. This is the equivalent of locking your front door and then leaving a key under the doormat, all someone has to do is check to see whether it’s there and the rest of your security measures become useless. The same is true for all of your passwords, most of the “hacking” stories that make ito the mainstream news are actually just people using compromised or insecure passwords. If you aren’t already, it’s time to start using a password manager to keep track of your passwords so you can use a unique secure password for every site and device that you need to login to, this video isn’t sponsored by lastpass, but it’s a quality service and one that I can recommend. Even if you’re not going to use a password manager, make sure you never use or leave access to the default login and password for any device that is connected to your network.
Third: While you’re in your router you should disable the option for uPnP. uPnP is a well intentioned feature that allows a device on your network to request to have a port opened for it. This is nice because something like your xbox to ask your router to open port 3074 to allow xbox live to function properly, and it all happens automatically so you don’t need to deal with port forwarding settings in your router. Unfortunately, the uPnP service has been compromised and remains vulnerable. In certain cases a hacker can remotely impersonate a local device and ask your router to open up a port with uPnP. Once that specific port is open a hacker can use different exploits that specifically target services on that port to increase their access to your network. After disabling uPnP it’s also a good idea to check which ports have been forwarded and keep in mind that you want to have as few ports forwarded as possible. Specifically, if you see any of these ports forwarded, and you don’t know what they do you should probably disable them.
If you’ve done everything I’ve just mentioned, your network is likely pretty secure, and will not be an easy target for a script kiddie hacker or a bot crawling the net looking for IP addresses with exploitable open ports. It’s the equivalent of locking your doors when you are away from home and not leaving your valuables in your front yard. Basically, it keeps honest people honest, and it directs the attention of opportunistic criminals elsewhere. But make no mistake, if a skilled hacker is motivated to penetrate your specific network, there’s almost nothing you can do to stop them… and that’s nothing new.
When it comes to home security we can install locks and alarms on our doors, put bars on our windows and monitor our property with cameras, but if someone wants to gain access, it’s still not that hard. Bars can be cut with boltcutters and angle grinders, deadbolts are only as strong as the doorframe they are attached to, and cameras can be disconnected or destroyed. What’s important is for you to evaluate your threat model and figure out what makes sense for you and your situation.
A drug dealer in a rough neighborhood is more likely to be robbed than a middle class family in a gated community, and as such should probably be more security conscious. If your home network contains sensitive and valuable data that pertains to your business and your clients you should probably consider keeping that information on a different vlan than your internet of things devices like your smartTV, refrigerator, and lightbulbs. On the other hand, lets say you’re a high school teacher with nothing but family photos, outdoor security cameras and youtube footage on your network, in that case, even the worst case scenario of a full network breach while still undesirable, is not that big of a deal.
But you didn’t come here to be put at ease, so lets talk about all the nefarious things that bad actors with a smart device in your house could theoretically do from their remote servers. Most obviously: if you have a connected device with a microphone or camera on it, that microphone or camera could be activated remotely to allow a hacker to spy on you and eavesdrop on your conversations.
My tinfoil hat recommendation about this: if you MUST have cameras in your house, make sure they are blocked from accessing the internet, and never expose your network camera ports to the outside world. If you need to view the video feed remotely you can use a VPN to access your local network when you are away. If you are using analog cameras make sure you block the DVR from accessing the internet For voice assistants like amazon echo and google home you should install as few third party skills as possible and make sure your passwords are secure. Amazon and google are still going to collect data about you, but they also invest millions of dollars a year to keep customer data safe and secure in order to avoid bad press.
So what about your smart bulbs, switches and plugs? The companies that sell these devices will collect data about your name, location, the email you use to register, and use habits of the device, and you may not like that they collect this data, but that data doesn’t really put you at risk. The more concerning thing is that the vast majority of these devices allow the manufacturer to “push” firmware updates to their devices without your specific approval in order to improve security and functionality. The problem comes when you realize that a company could easily push a malicious firmware update to their devices that would give them a tunnel into the rest of your network. Since you willingly give your IoT devices access to your home network and the internet a hacker or malicious developer could use that device as an entry point to move through the rest of your network.
My tinfoil hat recommendation about these devices: When at all possible you should run your own firmware on switches, lights, and plugs. If not writing your own firmware you should use firmware that is open source so you can look through the source code yourself to see if anything looks fishy. If you are not able to write your own code, or you don’t know enough about coding to know if something looks fishy, find someone who you trust who is capable of doing those things, and hope they don’t let you down. If it absolutely isn’t possible for you to install your own firmware you should be sure to only buy devices from companies that you trust, and if there is an option to control the device locally you should use that option and then block that device from accessing the internet.
The point I want to make in this video is simple: Smart homes and the internet of things can be hacked, and putting these devices in your home does come with some risk. But the risk associated with these devices is less like bungee jumping in a third world country, and more like installing windows on the first floor of your house. There’s no question that installing windows decreases the physical security of your home, but the quality of life increase from being able to see outside is worth the added risk of a possible break in. In the same thread smart devices add convenience, functionality and fun to our lives and may be worth the slightly increased risk of network penetration.
If you agree with the things I’ve said in this video hit the thumbs up button and let me know down in the comments, if you think what I said in this video is terrible, wrong, and dangerous go ahead and hit dislike and tell me your perspective in the comments section.
Thank you to my wonderful patrons over at patreon for allowing me to make videos like this one that don’t feature any specific products, but instead let me dive into other interesting and relevant topics in the smart home community. If you enjoyed this video, please consider subscribing, and as always, thanks for watching the hookup.