IoT Smart Devices Easy To Hack, Researchers Warn

Israeli security researchers have warned about the ease with which hackers can gain access to off-the-shelf Internet of things (IoT) devices.

The warning, from Ben-Gurion University of the Negev, Israel, said that vulnerable IoT devices includes baby monitors, home security and web cameras, doorbells, and thermostats and they are “easily co-opted”.

This is not a particularly new development. Four years ago the Information Commissioner’s Office (ICO) warned that live video feeds from thousands of webcams, CCTV camera and baby monitors around the world have been hacked and put up online.

Smart devices

The Ben-Gurion University researchers carried out experiments as part of their ongoing research into detecting vulnerabilities of devices and networks. They disassembled and reverse engineered many common devices and quickly uncovered serious security issues.

“It is truly frightening how easily a criminal, voyeur or paedophile can take over these devices,” said Dr. Yossi Oren, a senior lecturer in BGU’s Department of Software and Information Systems Engineering at Cyber@BGU.

“Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the con​cern of our researchers who themselves use these products,” said Dr Oren.

And what is worse, it seems that many of these hacks can be carried out just by using a Google search.

“It only took 30 minutes to find passwords for most of the devices and some of them were found merely through a Google search of the brand,” said Omer Shwartz, a Ph.D. student and member of Dr Oren’s lab. “Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely.”

It seems that there are several ways hackers can take advantage of poorly secured devices. The researchers found that similar products under different brands share the same common default passwords. These passwords are rarely changed by consumers and businesses so they could be operating infected with malicious code for years.

The researchers were also able to logon to entire Wi-Fi networks “simply by retrieving the password stored in a device to gain network access.”

IoT recommendations

Dr Oren urges IoT device manufacturers to stop using easy passwords and to disable remote access capabilities.

He also advised them to make it harder to get information from shared ports, like an audio jack which was proven vulnerable in other studies by Cyber@BGU researchers. “It seems getting IoT products to market at an attractive price is often more important than securing them properly,” he said.

Consumers and businesses can better protect themselves by only buying IoT devices from reputable manufacturers and vendors; avoid used IoT devices; carry out research into each device to see if it has a default password; and use strong passwords with a minimum of 16 letters.

The advice to always change default passwords was echoed by at least one security expert.

“The nature of our connected lives means that hackers have an infinitely larger surface area on which to launch their attacks,” said David Emm, principal security researcher at Kaspersky Lab. “It’s no longer a case of just securing our desktop computers – now connected devices range from kids’ toys to CCTV cameras, baby monitors, smart homes and smart TVs. To put it another way, the more times you cross the road, the more chance you have of being knocked down – and it’s the same concept with cybersecurity.”

“The government’s recent announcement of IoT guidelines was very welcome, but they must set the standards for developing security practices for IoT devices,” said Emm. “Not only this, but security should be implemented by design globally by manufacturers.”

Kaspersky Lab strongly advises users always change the default password with a complex one instead; pay close attention to security issues of connected devices before purchasing; and check to see if the product can be updated and always apply these updates.

The security threat posed by IoT devices was starkly illustrated in 2016 when researchers at security firm Sucuri uncovered an unusual botnet made up entirely of Internet-connected CCTV cameras.

Quiz: Think you know all about Internet of Things?

Read also : Made in the UK
Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

View Comments

  • Most of the retail CCTV systems are manufactured in China. If connected to the cloud through the internet and the server is located in China there could be addition security risks regarding intellectual property and geopolitical data mining.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago