Most smart home devices have weak security by design. Generally speaking:

  • Consumers don’t want to pay the premium for good security
  • Consumers don’t want to deal with the complexities that come with good security
  • Consumers don’t want to deal with tracking updated versions of software for their devices, nor do most have the technical competence to install new releases.
  • Most manufacturers don’t support any automated mechanisms for updating software in their devices after they ship.
  • Many manufacturers bringing smart products to market have no experience in security
  • Manufacturers are all about getting their products to market sooner, and including good security takes time

In the News

Researchers working for a cybersecurity firm found several vulnerabilities within a common router. They shared their findings with the router’s manufacturer six months ago and have yet to hear back.

The vulnerabilities include a cross-site request forgery which can be used to reboot the router remotely, a cross-site scripting request which can be used to execute JavaScript, an open Telnet service that can be accessed by anyone online, and remote code execution, which can also be used to add JavaScript or bash script.
The healthcare sector is the most affected by a group of 19 critical vulnerabilities known as Ripple20, found in over 52,000 medical device models and with remote code execution possibilities.

July 06, 2020 - Healthcare is the sector most impacted by a group of 19 critical vulnerabilities known as Ripple20, found in the TCP/IP communication stack of hundreds of millions of IoT and connected devices. The impact is currently unknown, given the flaws are found in embedded software and web components.
As we’ve reported on occasion, the rush to evolve the smart home has some unintended consequences. Privacy and security are paramount for security cameras, highlighted by Ring’s hacking woes last year. With smart appliances, the concern around hacks centers on safety.
“The risks inherent in this situation are high,” the researchers explain. “Just a few examples: data could be stolen off of a printer, an infusion pump behavior changed or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks.”
As far as patches go for your individual devices, security researchers say “Don’t hold your breath.” Patches can take some time to develop, and because so many devices are affected, the people behind the CallStranger website anticipate it will be a while before all your devices are certified safe.
A novel approach to hacking can allow cybercriminals to exploit biometric identifiers such as voices and faces along with device identifiers to steal information and pinpoint a user's location, it was revealed in a study.
Ring home security systems promise “Smart security here, there, everywhere,” and their products are indeed appearing all over. The company sold nearly 400,000 devices online last December, a 180% surge from the year before.

But while customers buy the tools to feel safer, they may be inadvertently introducing security vulnerabilities into their homes. In a well-documented incident, one digital intruder, claiming to be Santa Claus, terrified a Mississippi couple’s 8-year-old daughter, calling her racial slurs through the bedroom camera’s built-in speaker.

Furthermore, many of today’s IoT devices are always on, always watching and listening, in our most private spaces at home and at work. Smart devices, such as thermostats, speakers and wearables, seem to recede into the background, but their passivity belies the potential threat. Contrary to reassurances, researchers showed they could trick Amazon’s Alexa smart speakers into eavesdropping on users.
As the adoption of the internet of things (IoT) grows, so do legitimate security concerns about this technology. In 2018, Kaspersky honeypots identified 105 million attacks targeting smart devices.
  • Home devices eavesdropping on and manipulating people
  • Smart home hacking
  • What IoT Developers Can Do To Mitigate Risks
  • What IoT Users Can Do To Protect Themselves
  • What Governments Can Do To Protect Citizens And Critical Infrastructure
  • Hackers can take advantage of a smartphone's voice assistant by sending silent commands to the phone through a waveform generator.
  • By talking with the voice assistant, bad actors can gain access to, say, your text messages, which may contain two-factor authentication codes for your other accounts.
  • To protect yourself from this form of attack, make sure your voice assistant is password-protected or disabled from the lock screen.
“And the more information you put out there with these different companies, the more likely it is that this data is going to be breached,” said Mike. Privacy and security, it turns out, are primarily the responsibility of the consumer.

That means it’s up to us to make sure our high-tech favorites like camera devices, speakers and GPS trackers are turned off if we don’t want them to be accessed.
Security vulnerabilities in a brand of Internet of Things connected vacuum cleaner could allow hackers to gain access to devices, send commands and even monitor live video feeds recorded by the in-built cameras, according to security company researchers.
Threats to IoT Devices
  • Botnets
  • Identity and Data Theft
  • Ransomware
A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) "smart" devices.
This, among other cases, demonstrates how creative online criminals can get when it comes to extracting money from people. Not only are they hacking devices that allow them to spy on innocent consumers, but they also demand payments in the form of cryptocurrency, which are much more difficult to track than traditional money.
It is quite possible that you received an internet of things (IoT) device as a holiday gift, and it’s very likely that you will find this holiday gift useful. But it’s also possible you received an additional gift you have no use for at all: security vulnerabilities. This is the inconvenient truth about the average IoT device — like all technologies, it has flaws and it can add to your risk profile.
Supposedly smart connected home locks can be exploited to allow hackers to pick the device with ease, researchers have claimed.
It's not so much being watched. It's that I don't really know if I'm being watched or not.
  • Casinos Hacked Via Thermometer in an Aquarium
  • The Spying Blond Doll
  • The Jeep Security Hack
  • Home Thermostats Security Hack
As the holiday season approaches, a number of flaws have been identified in popular internet of things (IoT) devices, prompting renewed warnings over consumer security, with millions of people set to find some kind of smart device under the tree.
The author of this piece attributes many common security defects in IoT devices to the re-use of reference designs, 3rd party web-based services, and use of shady off-shore vendors.
Smart home devices are supposed to increase convenience and security, but Marketplace reveals they could actually be making your home, your family and your data more vulnerable, and putting your privacy at risk.
Siri, Alexa, and Google Assistant are vulnerable to attacks that use lasers to inject inaudible—and sometimes invisible—commands into the devices and surreptitiously cause them to unlock doors, visit websites, and locate, unlock, and start vehicles, researchers report in a research paper published on Monday. Dubbed Light Commands, the attack works against Facebook Portal and a variety of phones.
Prosvetova found this vulnerability when she bought one such smart feeder for her pet. She then noticed that the device available on AliExpress for around $80 had a serious glitch in the API that could allow her to view and access all other Xiaomi FurryTail feeders around the world. Specifically, she found 10,950 devices vulnerable to hacks.
In 2009, just as consumers had begun to buy wifi-enabled thermostats and front-door cams and other early devices that now make up the "Internet of Things," computer scientist Ang Cui had gotten the idea to scan the Web for "trivially vulnerable" embedded devices.
A father Googled “Nest + camera + hacked” and found out that this happens frequently
Voice-activated assistants, smart TVs and app-controlled locks and light systems promise convenience. They can also enable stalking.
Using Wi-Fi extenders? Security researchers from IBM have found a critical loophole with TP-link extenders that could be leaving you exposed, so you know, it’s time to get your patch on.
The attack was reported by security researchers from Imperva, who claim that a few months ago, hackers utilized a massive botnet, containing over 400,000 IoT devices
The regular Hackaday reader no longer needs to be reminded about how popular the ESP8266 is; they see the evidence of that several times a day. But what might not be quite so obvious is that it isn’t just us hacker types that are in love with the inexpensive IoT microcontroller, it’s also popping up more and more frequently in commercial products.
Researchers from Pen Test Partners have found a way to set fire via a smart device. This time, they have experimented with the Glamoriser smart hair straightener. As reported, an adversary can break into the device mechanism and take control of the product.
Hackers operating underground are seen arming themselves for an attack on Internet of Things (IoT) devices as they see a proliferation of connected gadgets, both at homes and in the organisations in the near future.
Further, video streams of webcams are also being sold by these criminals on the dark web. The most expensive webcam streams were found to be bedrooms, massage parlors, warehouses, and payment desks at retail shops. “These video streams are often categorized thematically and sold as subscriptions,” the report added.
In a bone-chilling incident, a couple in the US was left stunned when a hacker broke into their connected home and started talking to them via camera, played vulgar music on the video system in the living room and even turned the thermostat to 90 degrees Fahrenheit (over 32 degrees Celsius).
The unemployed high-school dropout who hacked nearly one million Internet routers, DVRs, and video cameras didn’t look particularly formidable in his pajamas.
Believe me, there are over 100 ways a hacker can ruin your life just by compromising your wireless router—a device that controls the traffic between your local network and the Internet, threatening the security and privacy of a wide range of wireless devices, from computers and phones to IP Cameras, smart TVs and connected appliances.
The mere thought of being spied on at home is terrifying but is far from being just paranoia in light of recent discoveries. The study carried out by WizCase concluded that several types of webcams, including IP Cameras, are vulnerable to hijacking and viewable by anyone with internet access and the right knowledge.
A simple project to study compromised security cameras drew a trio of researchers deep into an investigation of the security risks of today’s connected devices.
IoT is in no way immune to hacking. Hackers can launch DDoS attacks by infiltrating and leveraging thousands or millions of unsecured devices. They can cripple infrastructure, down networks, and as IoT advances into our everyday lives, those attacks may very well put real human lives in jeopardy. And even if hackers don’t outright threaten lives, they can compromise gateways and deeper levels of IoT networks in order to reveal and exploit sensitive personal and corporate information.
Does your refrigerator notice more than that you’re out of milk? Could your floor-cleaning robot be taking candid photos of your ankles? Is Alexa eavesdropping? Although smartphone security is everyone’s buzzword these days, hacking devices in the smart home could breach your personal security too. Being aware of vulnerabilities and staying current with security technology keeps your home a secure and private personal space.
Modern households are at greater risk of cyber-attack thanks to the growth of Internet of Things (IoT) devices.
China Targets Control Over Internet of Things for Spying, Business

China is aggressively seeking to dominate the Internet of Things and plans to use access to billions of networked electronic devices for intelligence-gathering, sabotage, and business purposes, according to a forthcoming congressional report.
We built a fake web toaster, and it was compromised in an hour.