Kaspersky Lab says Smart Home devices expose households to cyber-attack and theft
Russian internet security firm Kaspersky says that Smart Home devices expose households to the risk of cyber-attack and physical theft.
The devices studied by Kaspersky include a coffeemaker that exposes the homeowner’s Wi-Fi password, a baby video monitor that can be controlled by a malicious third party, and a smartphone-controlled home security system that can be fooled with a magnet.
In 2014, Kaspersky Lab’s security expert David Jacoby looked around his living-room, and decided to investigate how susceptible the devices he owned were to a cyber-attack. He discovered that almost all of them were vulnerable. Following this, in 2015 a team of Kaspersky Lab antimalware experts repeated the experiment with one little difference: while David’s research was concentrated mostly on network-attached servers, routers and Smart TVs, this latest research was focused on the various connected devices available on the smart home market.
The devices selected for the experiment were: a USB-dongle for video streaming, a smartphone-controlled IP camera, a smartphone-controlled coffee maker, and a smartphone-controlled home security system. The investigation discovered that almost all of these devices contained vulnerabilities.
A baby-monitor camera in the experiment allowed a hacker on the same network as the camera owner to connect to the camera, watch its video and launch audio on the camera itself. Other cameras from the same vendor allowed hackers to collect owner passwords, and the experiment showed that a hacker on the same network could also retrieve the root password from the camera and maliciously modify the camera’s firmware.
According to Kaspersky, when it comes to app-controlled coffeemakers, it’s not even necessary for an attacker to be on the same network as the victim. The coffeemaker examined during the experiment was sending enough unencrypted information for an attacker to discover the password for the coffeemaker owner’s entire Wi-Fi network.
When looking at a smartphone-controlled home security system, Kaspersky Lab researchers found that the system’s software had just minor issues and was secure enough to resist a cyberattack. Instead, the vulnerability was found in one of the sensors used by the system.
The contact sensor, which is designed to set off the alarm when a door or a window is opened, works by detecting a magnetic field emitted by a magnet mounted on the door or window. When the door or window is opened the magnetic field disappears, causing the sensor to send alarm messages to the system. However, if the magnetic field remains in place, no alarm will be sent.
During the home security system experiment, Kaspersky Lab experts were able to use a simple magnet to replace the magnetic field of the magnet on the window. This meant they could open and close a window without setting off the alarm. The big problem with this vulnerability is that it is impossible to fix with a software update; the issue is in the design of the home security system itself. What’s more concerning is that magnetic field sensors are a common type of sensor, used by multiple home security systems on the market.
“Our experiment, reassuringly, has shown that vendors are considering cyber-security as they develop their IoT devices. Nevertheless, any connected, app-controlled device, is almost certain to have at least one security issue. Criminals might exploit several of these issues at once, which is why it is so important for vendors to fix all issues - even those that are not critical. These vulnerabilities should be fixed before the product even hits the market, as it can be much harder to fix a problem when a device has already been sold to thousands of homeowners,” said Victor Alyushin, Security Researcher at Kaspersky Lab.