Kaspersky Lab researchers have discovered serious threats to the connected home. These include a coffeemaker that exposes the homeowner's WiFi password, a baby video monitor that can be controlled by a malicious third-party, and a smartphone-controlled home security system that can be fooled with a magnet.
In 2014, Kaspersky Lab security expert David Jacoby looked around his living-room, and decided to investigate how susceptible the devices he owned were to a cyber attack. He discovered almost all of them were vulnerable.
Following this, in 2015 a team of Kaspersky Lab anti-malware experts repeated the experiment with one difference: while Jacoby's research concentrated mostly on network-attached servers, routers and smart TVs, this latest research was focused on the various connected devices available on the smart home market.
Under investigation
The devices selected for the experiment were a USB-dongle for video streaming, a smartphone-controlled IP camera, a smartphone-controlled coffee maker, and a smartphone-controlled home security system. The investigation discovered almost all of these devices contained vulnerabilities.
A baby-monitor camera in the experiment allowed a hacker, while using the same network as the camera owner, to connect to the camera, watch the video from it and launch audio on the camera itself. Other cameras from the same vendor allowed hackers to collect owner passwords and the experiment showed it was also possible for a hacker on the same network to retrieve the root password from the camera and maliciously modify the camera's firmware.
When it comes to app-controlled coffeemakers, it's not even necessary for an attacker to be on the same network as the victim, says Kaspersky Lab. The coffeemaker examined during the experiment was sending enough unencrypted information for an attacker to discover the password for the coffeemaker owner's entire WiFi network.
When looking at a smartphone-controlled home security system, Kaspersky Lab researchers found the system's software had only minor issues and was secure enough to resist a cyber attack. Instead, a vulnerability was found in one of the sensors used by the system.
The contact sensor, which is designed to set off the alarm when a door or a window is opened, works by detecting a magnetic field emitted by a magnet mounted on the door or window. When the door or window is opened, the magnetic field disappears, causing the sensor to send alarm messages to the system. However, if the magnetic field remains in place, no alarm will be sent, Kaspersky Lab says.
Alarmingly easy
During the home security system experiment, Kaspersky Lab experts were able to use a simple magnet to replace the magnetic field of the magnet on the window. This meant they could open and close a window without setting off the alarm. The big problem with this vulnerability is that it is impossible to fix it with a software update; the issue is in the design of the home security system itself, the researchers say.
What's more concerning is that magnetic field sensor-based devices are a common type of sensor, used by a multiple home security systems on the market, they add.
"Our experiment, reassuringly, has shown vendors are considering cyber security as they develop their IOT [Internet of things] devices," says Victor Alyushin, security researcher at Kaspersky Lab.
"Nevertheless, any connected, app-controlled device is almost certain to have at least one security issue. Criminals might exploit several of these issues at once, which is why it is so important for vendors to fix all issues - even those that are not critical. These vulnerabilities should be fixed before the product even hits the market, as it can be much harder to fix a problem when a device has already been sold to thousands of homeowners."
In order to help users protect their lives and loved ones from the risks of vulnerable smart home IOT devices, Kaspersky Lab says before buying any IOT device, users must search the Internet for news of any vulnerabilities within that device.
The security solutions vendor notes it is not always a great idea to buy the most recent products released on the market, adding the best advice is to buy products that have already experienced several software updates.
Share