A new Which? investigation has revealed the potential security flaws in smart home tech. Luke Potter, Cybersecurity Director of SureCloud, and his colleagues teamed up with Which? to put this tech to the test. Luke joins us as a guest author to explain more…
I head up the cybersecurity practice at SureCloud and work with clients on their penetration testing and vulnerability management requirements, but I’m also a consumer. I buy products for my home and expect them to be well designed and secure.
Sadly, with many smart, or Internet of Things (IoT), products hitting the market, we’ve found that this isn’t always the case.
Smart home security
SureCloud was invited by Which? to investigate the security of IoT devices. Which? fitted out the real home of one of its employees with various smart gadgets, from a wireless camera to a wi-fi coffee machine and a smart toy. We then performed what is known as a ‘red-team’ engagement: a simulated attack using the techniques a hacker or cybercriminal might employ, from open-source research on the occupant through to hands-on attacks against the devices themselves.
Which? only provided us with the name of its employee. Our team then set about identifying as much information as they could from online research.
Within a few hours, we had their home address, family and partner details, full employment history, corporate and personal email addresses, and an array of credentials that they’ve used online, including social media websites.
We also successfully ‘phished’ the target to further obtain user account credentials and access to their online life. It’s amazing what you can glean from just what we all share freely online.
Following the information-gathering exercise, the next step was to visit the target’s property and perform reconnaissance from outside the house. Our attacks ranged from very basic, opportunistic approaches to physically taking apart sample devices in order to find exploitable flaws.
One attack vector involved fully compromising a smart coffee machine and making it flood boiling water. In another, we breached a smart toy so that we could listen to every conversation in the home, and even speak through the toy remotely.
But sometimes, a low-tech approach gets results too – for example, we were able to place an order for items using the target’s Amazon Echo by simply shouting through a window.
When Amazon was approached for comment on this, it said:
‘To shop with Alexa, customers must ask Alexa to order a product and then confirm the purchase with a “yes” response to purchase via voice. If you asked Alexa to order something on accident, simply say “no” when asked to confirm. You can also manage your shopping settings in the Alexa app, such as turning off voice purchasing or requiring a confirmation code before every order. Additionally, orders placed with Alexa for physical products are eligible for free return.’
Staying safe online
For consumers, there are a few key takeaways. The most critical is to set a completely unique password for every single system and service you use: a password exposed by one site or one device is routinely tried against every other account you hold, which is exactly how the credentials we found during our research became useful. A ‘password manager’ tool removes the burden of remembering them all and makes this simple to manage.
Additionally, when you purchase an IoT device, set it up fully. That means changing the default passwords and not leaving the device in its factory state, since default credentials are public knowledge and are the first thing an attacker will try.
Finally, just as you would install updates on your phone or laptop, IoT devices need to be updated too. Apply updates as soon as they are available, as they are often the only fix for flaws like the ones described above.
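The three takeaways above (unique passwords, no factory defaults, current firmware) can be checked mechanically against an inventory of your own devices and accounts. The script below is an added example and is not code from the Which? investigation or from SureCloud; every device name, credential and version number in it is constructed, and the default-credential list and ‘latest version’ values are assumptions standing in for what a real vendor publishes. It groups entries by password to find reuse, flags well-known vendor defaults, and compares installed firmware against the latest available version.

```python
"""Audit a home inventory for reused passwords, vendor-default credentials
and out-of-date firmware.  Added illustrative example; all data is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    username: str
    password: str
    firmware: str   # version currently installed
    latest: str     # latest version the vendor publishes (assumed known)


# Assumed vendor defaults.  Real lists are product-specific and far longer.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
}


def version_tuple(version: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically,
    not lexically ('1.10' must be newer than '1.9')."""
    return tuple(int(part) for part in version.split("."))


def find_reused_passwords(devices) -> list:
    """Return groups of device names that share one password.
    Only names are returned, so the report never echoes the secret itself."""
    by_password = defaultdict(list)
    for device in devices:
        by_password[device.password].append(device.name)
    groups = [sorted(names) for names in by_password.values() if len(names) > 1]
    return sorted(groups)


def find_default_credentials(devices) -> list:
    """Devices still using a username/password pair from the default list."""
    return sorted(
        device.name
        for device in devices
        if (device.username.lower(), device.password) in DEFAULT_CREDENTIALS
    )


def find_outdated_firmware(devices) -> list:
    """Devices whose installed version is older than the vendor's latest."""
    return sorted(
        device.name
        for device in devices
        if version_tuple(device.firmware) < version_tuple(device.latest)
    )


def audit(devices) -> dict:
    """Run all three checks and return the findings as one report."""
    return {
        "reused": find_reused_passwords(devices),
        "default": find_default_credentials(devices),
        "outdated": find_outdated_firmware(devices),
    }


# Constructed sample inventory mirroring the kinds of devices in the article.
SAMPLE_DEVICES = [
    Device("wifi camera", "admin", "admin", "1.2.0", "1.4.1"),
    Device("coffee machine", "owner", "Coffee2017!", "2.0.3", "2.0.3"),
    Device("smart toy", "parent", "Coffee2017!", "0.9", "1.0"),
    Device("online shop account", "alice@example.com", "Coffee2017!", "0", "0"),
    Device("router", "admin", "x7!Qe#v9Lp2$mRw4", "3.1.7", "3.1.7"),
]

if __name__ == "__main__":
    for finding, names in audit(SAMPLE_DEVICES).items():
        print(f"{finding}: {names}")
```

Run against the sample inventory it reports one reuse group spanning the coffee machine, the smart toy and the shop account, the camera as still on default credentials, and the camera and toy as behind on firmware. The same structure works on an export from a password manager, which is the practical way to keep the inventory current.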
Do you have IoT gadgets in your home? Or are you considering buying some? If so, how important is it to you that they keep your network secure and protect your privacy?
This is a guest contribution by Luke Potter, Cybersecurity Practice Director at SureCloud. All views expressed here are Luke’s own and not necessarily also shared by Which? or SureCloud.