Off-the-shelf smart devices, including baby monitors, home security cameras, doorbells, and thermostats, can be easily hacked, according to researchers at Israel’s Ben-Gurion University of the Negev (BGU).
As part of their ongoing research into detecting vulnerabilities in devices and networks expanding in the smart home and Internet of Things (IoT), the BGU researchers disassembled and reverse engineered many common devices and quickly uncovered serious security issues.
“It is truly frightening how easily a criminal, voyeur or pedophile can take over these devices,” says Dr Yossi Oren, a senior lecturer in BGU’s Department of Software and Information Systems Engineering. “Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products.”
According to the researchers, there are several ways hackers can take advantage of poorly secured devices. Similar products sold under different brands often share the same default passwords. Consumers and businesses rarely change device passwords after purchase, so the devices could be operating while infected with malicious code for years.
“It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand,” says Omer Shwartz, a PhD student and member of Dr Oren’s lab. “Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely.”
To keep your home secure, the researchers recommend buying IoT devices only from reputable manufacturers and vendors, avoiding used devices, and changing default passwords when installing a device. Passwords should have a minimum of 16 characters to make them hard to crack, and multiple devices shouldn’t share the same password. Software updates should be applied regularly. It’s also recommended that you fully consider the benefits and risks of connecting any device to the internet.
The full research paper is available on the BGU website.