The Internet of Things (IoT) devices, especially smart home devices, are built to get things done conveniently and to some extent, these devices have been playing a major role in our lives.
At the same time, these smart devices are also home to critical security vulnerabilities.
Recently, the IT security researchers at the Ben-Gurion University of the Negev (BGU) have discovered that it is even easier to hack smart home devices than previously thought and these devices include home security cameras, baby monitors, thermostats, and doorbells.
That’s not all, once compromised, attackers can also use these devices to spy on homeowners.
While testing vulnerabilities in off-the-shelf smart home devices researchers were able to find their passwords within 30 minutes while credentials for some were identified by simple searching about the targeted brand on Google.
According to Dr. Yossi Oren, a senior lecturer in BGU’s Department of Software and Information Systems Engineering and head of the Implementation Security and Side-Channel Attacks Lab “It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand.”
While stating the vulnerabilities in smart home devices, researchers also emphasized on the threats they pose to unsuspecting users such as how these devices can be taken over by hackers, cybercriminals, pedophiles and other malicious elements to spy on daily activities of users.
“It is truly frightening how easily a criminal, voyeur or pedophile can take over these devices,” added Dr. Oren.
The most upsetting aspect of the research is that while there were several ways to compromise these devices, most of them had default passwords available on the Internet and buyers are never advised to change default credentials.
“Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely,” noted Dr. Oren and his team.
Moreover, researchers were also able to login to entire Wi-Fi networks simply by retrieving the password stored in a device to gain network access.
These findings shouldn’t come as a surprise since there is a history of IoT devices, especially security cameras, being compromised by hackers and used for conducting DDoS attacks or scare users by deliberately making creepy noises.
In another study, Bitdefender IoT research team had even found Internet-connected plugs vulnerable to cyber attacks while in another incident hackers used a smart coffee machine to infect computers with ransomware.
In Ben-Gurion University’s test, however, Dr. Oren said that “Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products.”
The researchers advised that users should refrain from buying used IoT devices as they can already be infected with malware, only buy these devices from known vendors, change their default credentials to strong ones, research about the product online before buying it and don’t share its password with others.
“We hope our findings will hold manufacturers more accountable and help alert both manufacturers and consumers to the dangers inherent in the widespread use of unsecured IoT devices,” says Yael Mathov, who participated in the project.