Internet of Things Exposed or 10 Ways to Hack a Smart Home
Home automation devices are not as smart and unshakable as you might have thought. So many people can outsmart your smart home appliances by just logging into your “account” without your knowledge.
Picture this: It’s a cold Sunday morning, and your head feels like it’s had enough of a chronic case of Insomnia. You probably expected it, so you were smart enough to leave your smart coffee maker on duty overnight. You can hardly get yourself together to get out of bed – especially because, well, it is a Sunday morning.
Just when your willpower is shifting to good-enough gear, your phone beeps. You have an incoming call. No, it’s not the boss. A stranger is calling home using a new number. What’s up?
“So many cool devices you have in your home. I can control them from here, you know,” the voice on the other end is not your boss. In fact, you never heard it before. A quick scan around, and you realise the guest is not inside your home. And it’s no April Fools’ Day or birthday surprise.
You are dumbfounded. Then your home starts to feel colder as the stranger messes with your Internet-connected thermostat. The smart coffee maker automatically stalls, and the lights in the exact room you are in flicker. That supposedly impregnable Samsung smart television you bought recently turns on immediately, switches to MTV and calls your attention back to the living room. Only then does the Peeping Tom inform you he’s doing all that–remotely.
Your home is under a hack attack. What are you to do from there?
The (Not so) little problem with the Connected Home Hacks
Snap back to reality and this is not an analogy, really. It is smart home technology on steroids – in this case, abused. Someone hacking into your smart home is a scary thought, but it’s entirely possible.
In 2015, there are over 2.9 billion Internet of Things (IoT) devices in various smart homes across the globe. In the next ten years, there’ll be about 20 billion connected products in use worldwide, according to industry experts. In 2025, more of these smart automation gizmos will be flying off store shelves faster than Apple Inc. sells iPhones to its cult of followers every Q4.
Most of these products are, and will be, home-oriented. In fact, even a good number of wearables, smart textiles, and in-dash vehicle products can count as connected home products. That could be exciting news on one hand. On the other, though, it means your smart home puts you in danger of tech espionage, hacking and privacy encroachment that can make Facebook’s user privacy issues blush.
- Smart light bulb hacked. A callous next-door neighbour or complete stranger can shoot your lighting bill through the roof by periodically shining your interior lights on and off at will.
- Smart security system breach. Can anyone ignore that private property line up front and breach your doors without sounding an alarm, or as much as ringing a bell? Yes, they can and in less than 20 minutes.
- Hacking a connected toilet. The future of pranks could be as cold and disgusting as flushing the toilet just as you, or your date, or your mom, is busy in there.
Below we detail some easy pass paths anyone with average tech knowledge can use against you, or how to hack into smart homes yourself, and how to protect your smart home from hackers.
Hacking the mobile app user interface of a smart home appliance
Most manufacturers think routing super important tasks through the mobile app of a connected home appliance is brilliant. Well, not as things stand for now. Simple blunders on the users’ part can open the floodgates to cyber attacks launched through their mobile apps’ back-end interfaces.
Technology and privacy are not exactly bedfellows, and here are some easy-to-do smart home hacks to prove it. Mark you; all or any of these could also be the same tips, tricks, and tools that could make your connected life a dance with the devil that may last forever, when someone else hacks your home automation devices.
10 Ways to Hack a Smart Home
Systems and devices in your home can be accessed from anywhere in the world, according to Rob Ragan, senior security associate at Bishop Fox. Hackers or pranksters need not cross the property line to get to you.
Earlier on in 2015, security firm Synack tried and tested 16 smart home appliances and the results were shocking, to say the least. Here’s why Synack senior security engineer, Colby Moore, thinks the safety of IoT appliances is “atrocious”.
How to hack a smart camera
Researchers from Synack singled out smart cameras as the least secure appliances in the smart home. In fact, multiple safety studies now clearly indicate that home cameras—especially cheap units you’d get from Home Depot for as little as $70 and install yourself—are the biggest threat to your digital life.
In November of 2014, they exposed that as many as 73,011 “smart” cameras in 256 countries were dumb, security-wise. Forget last year’s SnapChat photo leaks; your very own smart camera is hackable and could externally stream your intimate moments.
1. Not changing the default password
Most people rarely change the default password and username shipped to them with a smart camera from the manufacturer. Even after using the cams for quite a bit, others are not sure how to change security settings such as passwords—pretty much like most people never tweak their PC technical specs.
Also, most buyers dispose of their manuals within weeks, and even days, of buying the smart camera. Unfortunately, default passwords can be found online by any casual browser on the manufacturers’ websites after a simple search.
Synack researchers found massive security black holes in Foscam, Panasonic, and Linksys cameras, for example. One camera IP link could have as many as 16 channels—and be displaying that much security footage to strangers in real time. That is also what happened with TRENDnet wireless IP camera users a few months back.
A hacker only needs to find a home’s passwords lying around on the web as basic product information, to stage external eyes on your schedules, rooms, determine what’s within each, as well as occupants and their daily schedules too.
After scanning and finding local wireless IP cameras, the hacker can access live video stream from the garage, baby crib, porch, bedroom, living room, and anywhere there’s such a camera and be able to execute a real break in—after all, they know when everybody is not home.
2. Buy, bug and send it back
According to Colby Moore of Synack, advanced hackers can either remotely breach smart homes themselves, or create access and hand it to hardened criminals. Either can then take control of a neighbourhood of connected homes, ideally near the smart cameras’ store.
A hacker can buy many smart cameras offline, re-work the hardware and install their spyware. They can then get a shrink wrapper from eBay, repackage the camera and exploit leniency in product return policies to have the products re-included in the store’s inventory awaiting an unsuspecting buyer. Once someone buys those particular smart cameras, they’d be darned.
And hackers can, from then onwards, benefit from spying on the owner’s every activity from afar. Colby says that Synack researchers tried this and nobody noticed the potential fully.
3. Hack in the Box
A Hack in the Box presentation (PDF) in Amsterdam some time back showed how a camera can be breached remotely.
A hacker can utilise click-jacking to use Adobe Flash to breach another online PC’s webcam.
5. Shodan – An IoT Search Engine
A cold geek can use Shodan. Shodan is a web search engine that displays over 100,000 vulnerable wireless IP cameras to, technically, anyone.
6. Google Dork
Use Google Dork to access wireless IPs of unsecured surveillance cameras from unsuspecting inhabitants at random.
Using BeEF, a hacker can create an unknown user of a surveillance camera by using a backdoor protocol to gain access to what you’d see as the camera user.
8. Wink Relay – Connected home wall controller
An attacker can gain complete control of this device simply by targeting its authentication flaws. The attacker can then control microphones inside the home and listen in on sensitive conversations and probably use the information collected to stage sabotage or a physical break-in.
9. Ubi – Voice activated hub
Unethical hackers can take advantage of the system’s random code execution and verification flaws and use data managed by Ubi to achieve maniacal ends.
10. Chamberlain MyQ Smart Garage Openers
Exploiting the security bugs in the system could lead robbers to know exactly when the garage doors open or close. That means thieves are notified whether the home inhabitants just left or are still around—a goldmine of information for thieves wanting to break in.
11. Local networks and DoS
Hacking and exploiting local networks and DoS are other clever means an attacker can use to control home cameras (that are not internet-connected) in more than one home, provided they are all connected by the same local network.
According to one study, webcam hacking is an alien phrase to half the American population. That number is wickedly large in the case of global communities. And even the ones who have some basic info—like knowing the camera light should come on when it’s working—may be outmanoeuvred as well.
The above happened to Miss Teen USA 2013, Cassidy Wolf. The hacker wanted monetary compensation in exchange for not publicly releasing intimate photos of Miss Wolf in her bedroom. She said in a public awareness statement later on that her webcam’s light never even blinked, yet she was being recorded.
How to Hack a Smart Home IoT Hub – A Case Study by Forbes
If you have delegated your home temperature control, lockdown mechanism, and other smart home control hub functions to a “smart” thermostat, for instance, here’s how a coldhearted geek can outsmart the system, plan and execute a major coup d’état and you’d know nothing about it.
Two years back, Forbes staff and editor, Kashmir Hill, dialled up a family she knew nothing about in another state from her place in San Francisco, California. After a few minutes searching online, she had been able to pinpoint a vulnerable home automation system, and she (ethically) took advantage. Asked by the homeowner, a Mr. Craig Hartley, to switch bedroom lights on and off, she did so immediately.
The home’s systems information was web-searchable. That meant search engines must have indexed it, and that the home’s sensitive information was accessible to anyone with basic smart home knowledge and an internet connection—pretty much like logging into someone else’s Facebook account without as much as inputting a password.
That home had an Insteon home automation system installed. Apparently, the system was meant to help users remotely control cameras, hot tubs, locks, televisions, lights, garage doors and water pumps, through a web portal or via a smartphone app. The information revealed finer details regarding family members and their daily schedules, physical home location and other sensitivities that founder and CEO of cybersecurity firm Cybersponse, Joe Loomis, says could lead to a physical break-in or stalking activity against inhabitants.
Even more unsettling is the fact that Insteon users were never informed about this bug, even though Hartley’s home was only one of many vulnerable to this type of cyber attack. Fortunately, another online security firm, Trustwave, informed Insteon about the unsecured black holes. However, even after the latter had supposedly fixed the problem, hacking the same homes was still possible. Insteon blamed users for not bothering to set their security details right.
Earlier in 2015, Veracode, a cloud services firm, released a whitepaper detailing how six smart home automation systems were vulnerable to external commandeering.
Some of their research findings on the 6 IoT hubs are highlighted in an accompanying infographic.
Perhaps the biggest problem facing the industry at the moment is the fact that there are no standardising rules as to what goes or stays as far as security standards of smart devices are concerned.
Manufacturers of these products have also (mistakenly) assumed users know what to do with their gizmos’ security settings. Adopting a ship-now-patch-it-later mentality, they’ve failed to set up deterrent measures to ship with their products by default, according to Synack’s Colby Moore.
Worse, most of the companies making IoT devices have little expertise or experience in cyber security, and have left the average person to bog down their mind with technical configuration details on securing IoT appliances they haven’t dealt with before. That has meant technically minded but atrocious hackers have terrorised a baby in a crib in Texas, spied on an elderly woman in Canada and pranked ex-lovers by controlling their thermostats from anywhere around the globe.
Fortunately, as progress in IoT use advances, related security firms such as Dojo-Labs (a start-up), Trustwave, Cybersponse and others can up security for connected home enthusiasts. For one, Apple, which launched its smart home offering—HomeKit—in 2014, is requiring home automation device makers to incorporate special firmware and chips to beef up user privacy, but since that could cost more, manufacturers are reluctant to do so.
However, the best way to protect your home from hackers is to ensure you’ve assigned each device its own unique and strong password and username. This way, if any one device falls prey to rogue hackers, the others are not affected, and it becomes much easier to curb adverse outcomes.
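The advice above, together with the default-password problem described under "Not changing the default password", can be checked against your own device list. The following is an added example, not code from the article or from any vendor: the inventory, the factory-login list and the 60-bit threshold are all constructed assumptions.

```python
import hashlib
import math
from collections import defaultdict

# Constructed list of generic factory logins, not taken from any vendor's manual.
FACTORY_LOGINS = {("admin", "admin"), ("admin", ""), ("admin", "1234"), ("root", "root")}
MIN_BITS = 60  # assumed threshold for this example, not a standard

# Constructed inventory of hypothetical devices and credentials.
INVENTORY = [
    {"device": "porch-camera", "username": "admin", "password": "admin"},
    {"device": "crib-camera", "username": "nursery", "password": "Tr0ub4dor&3-hall"},
    {"device": "garage-opener", "username": "garage", "password": "Tr0ub4dor&3-hall"},
    {"device": "thermostat", "username": "heat", "password": "winter15"},
    {"device": "hub", "username": "hub-owner", "password": "copper-Lantern-92-orbit!"},
]

def estimated_bits(password):
    """Upper bound on entropy from length and character classes; real
    strength is lower when the password contains dictionary words."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 32))
    pool = sum(size for test, size in classes if any(test(c) for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def audit(inventory):
    """Return {device: [findings]} for factory, weak and shared passwords."""
    findings = {entry["device"]: [] for entry in inventory}
    sharing = defaultdict(list)  # password digest -> devices using it
    for entry in inventory:
        name, user, pw = entry["device"], entry["username"], entry["password"]
        if (user.lower(), pw) in FACTORY_LOGINS:
            findings[name].append("factory-default login")
        if estimated_bits(pw) < MIN_BITS:
            findings[name].append("weak password")
        # Group on a digest so the report never carries the plaintext.
        sharing[hashlib.sha256(pw.encode()).hexdigest()].append(name)
    for devices in sharing.values():
        if len(devices) > 1:
            for name in devices:
                others = ", ".join(d for d in devices if d != name)
                findings[name].append(f"password shared with {others}")
    return findings

if __name__ == "__main__":
    for device, issues in audit(INVENTORY).items():
        print(f"{device}: {'; '.join(issues) or 'ok'}")
```

A shared password is flagged even when it is strong, because one compromised device then exposes every device that uses it.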