Smart homes are hackable homes if not equipped with updated, supported tech
People forget IoT gadgets aren't dumb appliances. gear needs to be fed security, bug fixes
Smart homes are increasingly becoming hackable homes, according to consumer research.
The report by consumer rights organization Which? paints a grim picture for people who have equipped their residences with gadgets, many from trusted tech names.
As with pretty much everything in IT, if you connect a device to the internet, ensuring it's patched and has a decent password is the very least owners can do. Even then, there are no guarantees that this is secure.
Unsurprisingly, the Which? team found that out-of-support devices were relatively straightforward for hackers to compromise. The example of an early Amazon Echo smart speaker was given where researchers were able to take control without the user being aware.
Other devices, such as smartphones and routers, were also exploited. The Which? team were able to infect a Samsung Galaxy S8 smartphone with malware disguised as a delivery text. Siphoning of user data was then possible.
However, in these cases the devices were out of support and "the attack would have been better blocked or detected by a device that was still receiving security updates," Which? noted.
- Insteon's vanishing act explained: Smart home biz insolvent, sells off assets
- IoT biz Insteon goes silent, smart home gear plays dumb
- Amazon Alexa can be hijacked via commands from own speaker
- Hive View security camera customers left in the dark as some gear gives up the ghost
Other devices Which? tested included a Google Nest Hello video doorbell, a HP Deskjet printer, and a Philips TV, "which is supposed to still be supported with updates" but "could be hacked using an easily guessable default password."
Yes, we all know about security patches. The problem with IoT devices is that consumers tend to treat them as appliances. This writer, for example, has a set of speakers more than 30 years old. It is hard to imagine a smart speaker having that sort of longevity in terms of security updates. Insteon springs effortlessly to mind when one thinks about smart devices abandoned by their makers.
There are a few relatively simple steps you can take to deal with the issue. One would be to ditch meaningless terms like "lifetime updates" and label devices with clearer indications of when support will end. Another, according to Which?, would be "mandatory minimum periods for how long different types of smart products must be supported."
"There should be stiff penalties for companies that fall short of standards," the organization said.
Ultimately, the research is yet another reminder user need to take care as they fill their homes with connected gizmos. You might end up with your data unexpectedly siphoned or be an unwitting part of the next big botnet. ®
Andrew Tierney of cybersecurity outfit Pen Test Partners argued in response to the Which? advice that devices could be fully patched or not vulnerable to any particular flaw, and yet still open to abuse and mostly like abused by, say, spiteful ex-partners and anyone else who wants to harass a victim.
Those people might know, or could guess, the password to smart home equipment, or be able to pair with it still by being nearby, just as the technology intended. They would also have the most to gain from spying on a victim's camera or disrupting their heating, versus a random miscreant on the internet.
"Virtually nothing above uses any security weaknesses in a system," he tweeted.
"It's people abusing conventional access to a system."