Most smart home devices have weak security by design. Generally speaking:

  • Consumers don’t want to pay the premium for good security
  • Consumers don’t want to deal with the complexities that come with good security
  • Consumers don’t want to deal with tracking updated versions of software for their devices nor do most have the technical competence to install new releases.
  • Most manufacturers don’t support any automated mechanisms for updating software in their devices after they ship.
  • Many manufacturers bringing smart products to market have no experience in security
  • Manufacturers are all about getting their products to market sooner, and including good security takes time

In the News

Continued IoT Adoption and WFH Bring Heightened Risk

IoT attacks are on the rise, with malware targeting IoT devices up 50% from the prior year. The bulk of these attacks were against consumer devices and, with more people working from home for the foreseeable future, the risks are high. We’ve already seen some discomforting IoT hacks ranging from smart home systems to baby monitors, but expect hackers to increasingly target consumers’ connected devices in an attempt to infiltrate corporate networks. With so many people working from home, security teams need to be concerned about your Ring doorbell as well as your company-issued laptop.
All 11 doorbells we tested demonstrated high-risk security issues

11 smart doorbells purchased from online marketplaces have failed Which? security tests, in the latest example of smart products that could pose a risk to you and your home.
Ken Munro shows us how insecure Internet of Things products are and how easy it is to hack them. The big question is: how can we use these products in a safe way? Ken Munro is a specialist in ethical hacking. He is able to hack everything – from hotel keycards, to a range of IoT devices, from wearable tech to children’s toys and smart home control systems. This talk was given at a TEDx event using the TED conference format but independently organized by a local community.
Many people use advanced IoT gadgets such as smart TVs, smart security cameras, smart thermostats, smart locks, and much more to make their homes intelligent and modern.

Though these devices make our lives easier and more comfortable, they can become a gateway for major security threats. Every device that is based on the internet always carries a potential risk of cyber threats such as hacking. That is why you must always be ready for the worst case and protect your IoT devices from intrusion.
  1. Consider disconnecting your camera from the internet
  2. Do your homework before buying
  3. What to keep in mind when buying a camera
  4. Check if your camera has an admin password — and change it
  5. Stay educated about cybersecurity
Some footage has already appeared on adult sites, with cybercriminals offering lifetime access to the entire loot for US$150

A hacker collective claims to have breached over 50,000 home security cameras before going on to steal people’s private footage and post some of it online. While a considerable portion of the videos seems to have come from Singapore, a number of people living in Thailand, South Korea, and Canada also seem to have had their privacy invaded.
  • The agency and the police advise users to take precautions to protect themselves
  • Consumers can look out for the recently-launched Cybersecurity Labelling Scheme to identify products with stronger security features
  • One expert noted that open hacking tools can be easily downloaded on the internet
Comcast Corporation (NASDAQ: CMCSA) acknowledged that the Xfinity voice-activated remote had a major security flaw that could allow drive-by-hackers to record and listen clearly to consumers’ private conversations in their homes.
Our homes now double as our offices. Eavesdropping on those homes is as likely to compromise secrets belonging to our employers as private chats or activities between family members. According to Microsoft, “the first half of 2020 saw an approximate 35% increase in total [IoT] attack volume compared to the second half of 2019.”
When the user tried to connect the coffee machine to their home network, the machine would immediately turn on the burner, let loose hot water, continually spin the bean grinder and display a ransom message while beeping. The only way to make this whole mess stop would be to unplug the device, rendering it unusable.
"The development of unmanned security drones presents a whole new wave of cyber security risks," said David Emm, principal security researcher at Kaspersky. "If hacked, this smart technology could provide cybercriminals with a complete map of an individual's home – including the location of valuable items and possible access points to the house."
With the introduction of more and more IoT and embedded devices in the market, hackers are starting to find firmware exploitation a more viable mechanism for gaining access into networks and taking over machines. Many of these devices don’t include security mechanisms out of the box, can contain backdoors that provide easy shells, or contain a number of other vulnerabilities that can make them an easy point of entry into any network.
A vast majority of IoT hardware in homes and offices is vulnerable to attacks that allow devices to be easily taken over and manipulated for malicious purposes.

... claimed he was able to gain complete root level access, including the ability to re-flash firmware, on 10 out of 12 devices he tested. Most were cracked in less than five minutes, he said. The products he tested included home routers, switches, card access readers, and other commonly installed Internet-connected devices.
“Most Enterprise video surveillance systems are vulnerable to hackers. According to our studies, more than half of companies and organizations, both large and small, do not take sufficient precautions when it comes to preventing their security cameras from being hacked. Be it ignorance or just careless approach to security of their network in general, the results of hacking can be disastrous,” says Chris Ciabarra, the CTO and co-founder of Athena Security.
IoT attacks increased by 900% in 2019. So, why are hackers increasingly targeting IoT devices? There are several explanations:

  • Lack of security software on the devices: As opposed to regular computers, IoT devices do not have a firewall or virus scanner.
  • Less experienced device producers: The businesses usually come from the industry vertical and often are lacking the IT security expertise of server/computer manufacturers.
  • Multiple devices with the same security mechanisms: Once an attack works with one device it will work with thousands.
  • IoT devices are out of reach: device owners deploy their machines remotely. Often an owner won’t realize that the devices have been compromised until it is too late. Once an attacker has control over a device, it could run all day long before being physically shut down by the owner.
As IoT looks to become a foundational aspect of our everyday lives, it’s vital we, as consumers, understand the threats posed to our devices and the data they store.
A security flaw in a series of IoT connectivity chips could leave billions of industrial, commercial, and medical devices open to attackers. The flaw was discovered by IBM's X-Force Red hacking team and affects Cinterion EHS8 M2M modules built by French manufacturer Thales. EHS8 modules are built for industrial IoT machines that operate in factories, the energy sector, and medical roles, and are designed to create secure communication channels over 3G and 4G networks.
A number of vulnerabilities have been revealed in Amazon's Alexa, highlighting the need for providers of smart home platforms, such as Apple's HomeKit, to maintain security as part of the service
The security hole that Bitdefender found in the August Smart Lock Pro + Connect won’t let a hacker open your front door, but it could give a very patient one full access to your Wi-Fi network.
After we get our Internet connection installed, we forget about the router, keeping it in a corner of the room and never thinking about it. Well, in this day and age privacy is the most important thing while browsing the Internet.
Researchers working for a cybersecurity firm found several vulnerabilities within a common router. They shared their findings with the router’s manufacturer six months ago and have yet to hear back.

The vulnerabilities include a cross-site request forgery which can be used to reboot the router remotely, a cross-site scripting request which can be used to execute JavaScript, an open Telnet service that can be accessed by anyone online, and remote code execution, which can also be used to add JavaScript or bash script.
The healthcare sector is the most affected by a group of 19 critical vulnerabilities known as Ripple20, found in over 52,000 medical device models and with remote code execution possibilities.

July 06, 2020 - Healthcare is the sector most impacted by a group of 19 critical vulnerabilities known as Ripple20, found in the TCP/IP communication stack of hundreds of millions of IoT and connected devices. The impact is currently unknown, given the flaws are found in embedded software and web components.
As we’ve reported on occasion, the rush to evolve the smart home has some unintended consequences. Privacy and security are paramount for security cameras, highlighted by Ring’s hacking woes last year. With smart appliances, the concern around hacks centers on safety.
“The risks inherent in this situation are high,” the researchers explain. “Just a few examples: data could be stolen off of a printer, an infusion pump behavior changed or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks.”
As far as patches go for your individual devices, security researchers say “Don’t hold your breath.” Patches can take some time to develop, and because so many devices are affected, the people behind the Callstranger website anticipate it will be a while before all your devices are certified safe.
A novel approach to hacking can allow cybercriminals to exploit biometric identifiers such as voices and faces along with device identifiers to steal information and pinpoint a user's location, it was revealed in a study.
Ring home security systems promise “Smart security here, there, everywhere,” and their products are indeed appearing all over. The company sold nearly 400,000 devices online last December, a 180% surge from the year before.

But while customers buy the tools to feel safer, they may be inadvertently introducing security vulnerabilities into their homes. In a well-documented incident, one digital intruder, claiming to be Santa Claus, terrified a Mississippi couple’s 8-year-old daughter, calling her racial slurs through the bedroom camera’s built-in speaker.

Furthermore, many of today’s IoT devices are always on, always watching and listening, in our most private spaces at home and at work. Smart devices, such as thermostats, speakers and wearables, seem to recede into the background, but their passivity belies the potential threat. Contrary to reassurances, researchers showed they could trick Amazon’s Alexa smart speakers into eavesdropping on users.
As the adoption of the internet of things (IoT) grows, so do legitimate security concerns about this technology. In 2018, Kaspersky honeypots identified 105 million attacks targeting smart devices.
  • Home devices eavesdropping on and manipulating people
  • Smart home hacking
  • What IoT Developers Can Do To Mitigate Risks
  • What IoT Users Can Do To Protect Themselves
  • What Governments Can Do To Protect Citizens And Critical Infrastructure
  • Hackers can take advantage of a smartphone's voice assistant by sending silent commands to the phone through a waveform generator.
  • By talking with the voice assistant, bad actors can gain access to, say, your text messages, which may contain two-factor authentication codes for your other accounts.
  • To protect yourself from this form of attack, make sure your voice assistant is password-protected or disabled from the lock screen.
“And the more information you put out there with these different companies, the more likely it is that this data is going to be breached,” said Mike. Privacy and security, it turns out, are primarily the responsibility of the consumer.

That means it’s up to us to make sure our high-tech favorites like camera devices, speakers and GPS trackers are turned off if we don’t want them to be accessed.
Security vulnerabilities in a brand of Internet of Things connected vacuum cleaner could allow hackers to gain access to devices, send commands and even monitor live video feeds recorded by the in-built cameras, according to security company researchers.
Threats to IoT Devices
  • Botnets
  • Identity and Data Theft
  • Ransomware
A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) "smart" devices.
This, among other cases, demonstrates how creative online criminals can get when it comes to extracting money from people. Not only are they hacking devices that allow them to spy on innocent consumers, but they also demand payments in the form of cryptocurrency, which are much more difficult to track than traditional money.
It is quite possible that you received an internet of things (IoT) device as a holiday gift, and it’s very likely that you will find this holiday gift useful. But it’s also possible you received an additional gift you have no use for at all: security vulnerabilities. This is the inconvenient truth about the average IoT device — like all technologies, it has flaws and it can add to your risk profile.
Supposedly smart connected home locks can be exploited to allow hackers to pick the device with ease, researchers have claimed.
It's not so much being watched. It's that I don't really know if I'm being watched or not.
  • Casinos Hacked Via Thermometer in an Aquarium
  • The Spying Blond Doll
  • The Jeep Security Hack
  • Home Thermostats Security Hack
As the holiday season approaches, a number of flaws have been identified in popular internet of things (IoT) devices, prompting renewed warnings over consumer security, with millions of people set to find some kind of smart device under the tree.
The author of this piece attributes many common security defects in IoT devices to the re-use of reference designs, 3rd party web-based services, and use of shady off-shore vendors.
Smart home devices are supposed to increase convenience and security, but Marketplace reveals they could actually be making your home, your family and your data more vulnerable, and putting your privacy at risk.
Siri, Alexa, and Google Assistant are vulnerable to attacks that use lasers to inject inaudible—and sometimes invisible—commands into the devices and surreptitiously cause them to unlock doors, visit websites, and locate, unlock, and start vehicles, researchers report in a research paper published on Monday. Dubbed Light Commands, the attack works against Facebook Portal and a variety of phones.
Prosvetova found this vulnerability when she bought one such smart feeder for her pet. She then noticed that the device available on AliExpress for around $80 had a serious glitch in the API that could allow her to view and access all other Xiaomi FurryTail feeders around the world. Specifically, she found 10,950 devices vulnerable to hacks.
In 2009, just as consumers had begun to buy wifi-enabled thermostats and front-door cams and other early devices that now make up the "Internet of Things," computer scientist Ang Cui had gotten the idea to scan the Web for "trivially vulnerable" embedded devices.
A father Googled “Nest + camera + hacked” and found out that this happens frequently
Voice-activated assistants, smart TVs and app-controlled locks and light systems promise convenience. They can also enable stalking.
Using Wi-Fi extenders? Security researchers from IBM have found a critical loophole with TP-link extenders that could be leaving you exposed, so you know, it’s time to get your patch on.
The attack was reported by security researchers from Imperva, who claim that a few months ago, hackers utilized a massive botnet, containing over 400,000 IoT devices
The regular Hackaday reader no longer needs to be reminded about how popular the ESP8266 is; they see the evidence of that several times a day. But what might not be quite so obvious is that it isn’t just us hacker types that are in love with the inexpensive IoT microcontroller, it’s also popping up more and more frequently in commercial products.
Researchers from Pen Test Partners have found a way to set fire via a smart device. This time, they have experimented with the Glamoriser smart hair straightener. As reported, an adversary can break into the device mechanism and take control of the product.
Hackers operating underground are seen arming themselves for an attack on Internet of Things (IoT) devices as they see a proliferation of connected gadgets, both at homes and in the organisations in the near future.
Further, video streams of webcams are also being sold by these criminals on the dark web. The most expensive webcam streams were found to be bedrooms, massage parlors, warehouses, and payment desks at retail shops. “These video streams are often categorized thematically and sold as subscriptions,” the report added.
In a bone-chilling incident, a couple in the US was left stunned when a hacker broke into their connected home and started talking to them via camera, played vulgar music on the video system in the living room and even turned the thermostat to 90 degrees Fahrenheit (over 32 degrees Celsius).
The unemployed high-school dropout who hacked nearly one million Internet routers, DVRs, and video cameras didn’t look particularly formidable in his pajamas.
Believe me, there are over 100 ways a hacker can ruin your life just by compromising your wireless router—a device that controls the traffic between your local network and the Internet, threatening the security and privacy of a wide range of wireless devices, from computers and phones to IP Cameras, smart TVs and connected appliances.
The mere thought of being spied on at home is terrifying but is far from being just paranoia in light of recent discoveries. The study carried out by WizCase concluded that several types of webcams, including IP Cameras, are vulnerable to hijacking and viewable by anyone with internet access and the right knowledge.
A simple project to study compromised security cameras drew a trio of researchers deep into an investigation of the security risks of today’s connected devices.
IoT is in no way immune to hacking. Hackers can launch DDoS attacks by infiltrating and leveraging thousands or millions of unsecured devices. They can cripple infrastructure, down networks, and as IoT advances into our everyday lives, those attacks may very well put real human lives in jeopardy. And even if hackers don’t outright threaten lives, they can compromise gateways and deeper levels of IoT networks in order to reveal and exploit sensitive personal and corporate information.
Does your refrigerator notice more than that you’re out of milk? Could your floor-cleaning robot be taking candid photos of your ankles? Is Alexa eavesdropping? Although smartphone security is everyone’s buzzword these days, hacking devices in the smart home could breach your personal security too. Being aware of vulnerabilities and staying current with security technology keeps your home a secure and private personal space.
Modern households are at greater risk of cyber-attack thanks to the growth of Internet of Things (IoT) devices.
China Targets Control Over Internet of Things for Spying, Business

China is aggressively seeking to dominate the Internet of Things and plans to use access to billions of networked electronic devices for intelligence-gathering, sabotage, and business purposes, according to a forthcoming congressional report.
We built a fake web toaster, and it was compromised in an hour.