Author: Garrett Bell (Analyst, Security Consulting)
The idea of a “smart home,” a home filled with connected devices that conveniently streamline entertainment, security, lighting, and other functions, has grown in popularity in recent years, as evidenced by the growing number of connected devices in American households.
US households have approximately 22 connected devices on average, according to Deloitte’s 2022 Connectivity and Mobile Trends Survey, and with each new device comes the potential for a vulnerability.
While connected devices bring with them various benefits, the families and homeowners utilizing them may not be fully aware of associated privacy and security risks.
- Many Americans already have concerns regarding smart home devices; the Deloitte survey found that 52 percent of Americans expressed worry over smart home device vulnerabilities.
A major concern regarding smart home devices is whether the data collected from them will be used in ways users are comfortable with.
End users rarely read user agreements and privacy policies; however, they may be surprised to learn what they are implicitly agreeing to by using certain devices.
Home devices and apps needed for smart home device functionality, such as the Ring Doorbell App, may also send data to third parties and/or contain third-party trackers.
- Privacy considerations may also relate to devices assembled in China and made by Chinese companies. For example, Hikvision, a Chinese company that makes Internet of Things (IoT) devices and video security systems, has had restrictions placed on its products over national security concerns.
Threat actors targeting smart home devices generally do so opportunistically, i.e., they search for vulnerable devices rather than for specific individuals.
In rare instances, bad actors may be local, but those targeting IoT devices generally do so from afar, as devices connected to the internet are largely discoverable through remote scans of IP addresses.
The Shodan search engine, for example, allows bad actors to discover vulnerable devices by broadly scanning the internet for connected devices.
This information is then used nefariously. For example, a Russian website shows live footage from IP-based camera feeds, oftentimes private ones, by targeting cameras that still use known default login credentials.
Smart home devices can have a myriad of exploitable vulnerabilities that can lead to bad actors hijacking, disabling, or using them to collect sensitive data and/or infect other devices.
Smart home devices come from a variety of manufacturers, are often rushed out without proper security measures, and run on relatively simple hardware and software incapable of detecting complex attacks. Some of these devices may also be incapable of being updated to patch vulnerabilities.
Most smart home device compromises come from attackers gaining device and/or account credentials via phishing emails, prior data breaches, or existing knowledge of default usernames and passwords.
This is particularly noteworthy for routers, arguably the most important home network device. A router compromise makes it relatively easy for a bad actor to connect to a WiFi network and carry out attacks.
Fortunately, there are steps individuals and families can take to secure their smart home devices. The following are general best practices for those wishing to do so:
- Put smart home devices on a separate WiFi network like a guest network;
- Routinely install software updates that include security patches on home devices, and purchase devices with automatic update installation options;
- Always change device and router passwords from their default, out-of-the-box credentials such as “admin” or “password”;
- Enable multi-factor authentication on smart home devices; and
- Limit the types of smart home devices and ecosystems used to reduce the number of attack vectors available to bad actors.
In addition to the above recommendations, individuals and families may benefit from professional assistance and a complete audit of their home network, which spans beyond smart home devices. Cybersecurity is holistic, and an audit with this approach in mind may identify overlapping concerns, such as compromised credentials on the dark web or specific issues with devices on a home network. Some may wholly oppose “smart home” tech due to security and privacy concerns, as is their prerogative, but with the right precautions and safety measures, users of this tech can enjoy its benefits more comfortably.