Connecting a new appliance to your home’s Wi-Fi network or broadband modem could increase the risk that data such as passwords will be taken from computers in your house. Such is the warning from antivirus company Kaspersky Lab in a forthcoming report on the side effects of more and more home devices being connected to the Internet.
By now most consumers are aware that security is a major problem for their laptops and PCs, says David Jacoby, a security researcher at Kaspersky Lab. But they don’t realize that appliances like TVs, DVD players, and printers that connect to a home network are vulnerable to similar threats. What’s more, most such devices have no security protections built in whatsoever, he says (see “Securing the Smart Home, from Toasters to Toilets”). “Consumers need to understand that the devices that they buy might be vulnerable,” says Jacoby.
Jacoby recently hacked several Internet-enabled devices connected to his own home network, including his TV, printer, router, and remote storage devices. He came up with a laundry list of flaws in several everyday products, and is working with manufacturers to fix them before making a report public to highlight the severity of the problem.
Jacoby is not detailing the brands and models of the devices he hacked until the manufacturers have installed fixes. But the worst offenders, he says, were two network-attached storage devices, which between them had 14 vulnerabilities. One of them was particularly easy to take remote control of because it had a default administrator password that was just the character “1.”
The storage devices fetch software updates from their manufacturer over the Internet. But Jacoby showed that this feature could be exploited by someone outside his home to connect to any other device on his home network, including his laptop.
Jacoby also found that his smart TV didn’t use encryption when connecting to the Internet, meaning an attacker could intercept data such as payments being made to buy a movie. And his router had a vulnerability that could be used to make contact with any device on his home network.
A preliminary report on Jacoby’s domestic hacking spree can be found here. A fuller report naming the vendors should be forthcoming.
There is currently little evidence that many criminals or tech-savvy pranksters are stalking the Internet with a view to exploiting such flaws. But Marc Rogers, principal security researcher with mobile security company Lookout, says that this is likely to change as connected devices become more pervasive.
“Dealing with the privacy and security aspects of the Internet of things is going to be one of the biggest challenges we have faced in security for a long time,” he says. “We are wearing it and installing it throughout our living spaces and other places where technology has not usually had the opportunity to go.”
Rogers says that many of the features of security software standard on traditional computing devices, such as laptops and smartphones, could also defend these newer devices. However, so far those techniques aren’t being used on the new wave of networked home devices, says Jacoby. “Nobody is doing anything at all about them.”
The best solution for many devices would be to not give them the ability to connect to the Internet at all, he says.
Such restraint seems unlikely, with manufacturers seeing Internet connectivity as a way to differentiate their products. Cisco recently estimated that today there are 10 billion connected devices in homes and offices and that the figure will reach 50 billion by 2020.