
Can you trust smart tech?


A new Which? investigation has revealed the potential security flaws in smart home tech. Luke Potter, Cybersecurity Director of SureCloud, and his colleagues teamed up with Which? to put this tech to the test. Luke joins us as a guest author to explain more…

I head up the cybersecurity practice at SureCloud and work with clients on their penetration testing and vulnerability management requirements, but I’m also a consumer. I buy products for my home and expect them to be well designed and secure.

Sadly, with many smart, or Internet of Things (IoT), products hitting the market, we’ve found that this isn’t always the case.

Smart home security

SureCloud was invited by Which? to investigate the security of IoT devices. Which? set up the real home of one of its employees with various smart gadgets, from a wireless camera to a wi-fi coffee machine and a smart toy. We then performed what is known as a ‘red-team’ engagement: essentially a simulated attack using the techniques a hacker or cybercriminal might employ.

Which? only provided us with the name of its employee. Our team then set about identifying as much information as they could from online research.

Within a few hours, we had their home address, family and partner details, full employment history, corporate and personal email addresses, and an array of credentials that they’ve used online, including social media websites.

We also successfully ‘phished’ the target to further obtain user account credentials and access to their online life. It’s amazing what you can glean from just what we all share freely online.

Home hacking

Following the information-gathering exercise, the next step was to visit the target’s property and perform reconnaissance from outside the house. Our attacks ranged from very basic, opportunistic approaches to actually taking apart the sample devices to find exploits.

One attack vector involved fully compromising a smart coffee machine to flood it with boiling water. In another, we breached a smart toy so we could listen to all conversations within the home, and even speak through the toy remotely.

But sometimes, a low-tech approach gets results too – for example, we were able to place an order for items using the target’s Amazon Echo by simply shouting through a window.

When Amazon was approached for comment on this, it said:

‘To shop with Alexa, customers must ask Alexa to order a product and then confirm the purchase with a ‘yes’ response to purchase via voice. If you asked Alexa to order something on accident, simply say ‘no’ when asked to confirm. You can also manage your shopping settings in the Alexa app, such as turning off voice purchasing or requiring a confirmation code before every order. Additionally, orders placed with Alexa for physical products are eligible for free return.’

Staying safe online

For consumers, there are a few key takeaways. Most critical is to set a completely unique password for every single system and service you use. A ‘password manager’ tool can take care of remembering them all, and makes the process simple to manage.

Additionally, when you purchase IoT devices, ensure that you set them up fully, including changing passwords and not leaving them in their default state.

Finally, just like you’d install updates on your phone or laptop, IoT devices need to be updated, too. Ensure you apply these as soon as possible so that your security is always up to date.
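The three takeaways above are checks a household can actually run over its own inventory. The following is an added example, not code from the Which? article or from SureCloud: an offline audit over a constructed inventory (made-up device names, passwords and firmware versions) that flags reused passwords, factory-default logins and out-of-date firmware. The default-credential list is a constructed set of generic defaults, not tied to any product on the page.

```python
# Added example, not code from the Which? article or SureCloud: an offline
# audit of a constructed home inventory against the three takeaways above
# (unique password per service, no factory-default credentials, firmware
# up to date). All names, passwords and version numbers are made up.
import hashlib
from collections import defaultdict

# Constructed list of generic factory-default logins; not taken from any
# specific product discussed on the page.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
}

# Constructed inventory in the shape a password manager export might have.
# "firmware" is None for pure online accounts that have nothing to patch.
INVENTORY = [
    {"name": "router", "user": "admin", "password": "admin",
     "firmware": "1.0.2", "latest": "1.0.4"},
    {"name": "camera", "user": "admin", "password": "Summer2017!",
     "firmware": "2.3.0", "latest": "2.3.0"},
    {"name": "coffee machine", "user": "owner", "password": "k4$Zt7%wNb1^",
     "firmware": "1.1", "latest": "1.1"},
    {"name": "email", "user": "alice@example.com", "password": "Summer2017!",
     "firmware": None, "latest": None},
    {"name": "smart toy", "user": "parent", "password": "x9!Qr2#vLp0@",
     "firmware": "0.9", "latest": "1.0"},
]


def fingerprint(password: str) -> str:
    """Short SHA-256 fingerprint so the report can group passwords
    without ever printing the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reused_passwords(inventory) -> dict:
    """Map fingerprint -> names of every entry sharing that password."""
    groups = defaultdict(list)
    for entry in inventory:
        groups[fingerprint(entry["password"])].append(entry["name"])
    return {fp: names for fp, names in groups.items() if len(names) > 1}


def find_default_credentials(inventory) -> list:
    """Names of entries still using a known factory-default login."""
    return [e["name"] for e in inventory
            if (e["user"], e["password"]) in DEFAULT_CREDENTIALS]


def version_tuple(version: str) -> tuple:
    """'1.0.2' -> (1, 0, 2) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def find_outdated_firmware(inventory) -> list:
    """(name, installed, latest) for every device behind the latest release."""
    outdated = []
    for e in inventory:
        if e["firmware"] is None or e["latest"] is None:
            continue
        if version_tuple(e["firmware"]) < version_tuple(e["latest"]):
            outdated.append((e["name"], e["firmware"], e["latest"]))
    return outdated


def audit(inventory) -> dict:
    """Run all three checks and return the findings as one report."""
    return {
        "reused_passwords": find_reused_passwords(inventory),
        "default_credentials": find_default_credentials(inventory),
        "outdated_firmware": find_outdated_firmware(inventory),
    }


if __name__ == "__main__":
    report = audit(INVENTORY)
    for fp, names in report["reused_passwords"].items():
        print(f"password {fp} reused by: {', '.join(names)}")
    for name in report["default_credentials"]:
        print(f"{name}: still on factory-default credentials")
    for name, installed, latest in report["outdated_firmware"]:
        print(f"{name}: firmware {installed} behind latest {latest}")
```

The report groups passwords by a hash fingerprint rather than by the password itself, so the output can be shared or logged without leaking the very credentials it is auditing. Versions are compared as integer tuples because a plain string comparison would rank "1.9" above "1.10".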

Do you have IoT gadgets in your home? Or are you considering buying some? If so, how important is it to you that they keep your network secure and protect your privacy?

This is a guest contribution by Luke Potter, Cybersecurity Practice Director at SureCloud. All views expressed here are Luke’s own and not necessarily shared by Which? or SureCloud.

Comments

This comment was removed at the request of the user

Ian says:
23 June 2017

Can you trust smart tech?

Simple answer… NO.

There is a companion article in the July issue of the Which? magazine.

The first security problem mentioned is routers and today a problem with routers is in the news: http://www.bbc.co.uk/news/technology-40382877

This comment was removed at the request of the user

Thanks, Duncan. I understand what you are talking about, which is not always the case on tech matters. I’ve had a lot to do with firewalls, IP addresses, DNS and ports, albeit mainly on Mac systems. When I get back from holiday I plan to do some work on my computers and look at security issues. It’s a very long time since I’ve been near CNET.

Not everyone reads Which?, and many people ignore any advice they are given. They think they know it all. You can try to help, but many are beyond help. They know nothing about security at all, expecting others to do everything for them, including keeping them safe and secure. They do not care until it happens; then they are the first to complain as loudly as they can. To some, no tech should go wrong; it cannot go wrong.

This comment was removed at the request of the user

Don’t understand a thing you are saying. Plain, simple English, please.

This comment was removed at the request of the user

This comment was removed at the request of the user

I think it should be illegal to require prospective customers to provide information that is not both relevant and necessary for fulfilment of the transaction. If they need to carry out further checks that should be done after registration. That way people could decide not to proceed without leaving much more than their name, address, phone number, and e-mail address all of which are easily accessible anyway. It is an unfortunate consequence of doing things the internet way; avoiding use of the internet is becoming increasingly difficult as bricks-&-mortar businesses stop trading. One company I have bought from occasionally over many years has decided to stop sending out a printed catalogue; since they don’t have my e-mail address they have lost a ‘valued customer’. It will be interesting to see whether I have heard the last from them or whether they will wake up in a few months’ time and wonder why they are getting fewer orders. Firms that trade on impulse buying should think long and hard before they cut off their customer contacts.

Scots Don says:
8 July 2017

The SureCloud Hack: Can we put this hack into perspective? The SureCloud team spent 4 days in all, camped in someone’s drive, or in a passage outside their flat, or in another adjacent flat, or parked in the road outside their house (it doesn’t say where). In my case, it would have to be my drive and I might spot them maybe. They hacked the person’s wi-fi finally – doesn’t say how long. This was probably achieved by a brute force attack (chuck millions of passwords at the router), requiring a bit of computer equipment. OK, so when they finally crack the password, they can do all sorts of damage. BUT is this at all likely? Where I live, not a chance.

I understand that the real danger is Port Forwarding. This is where you take a brick out of your firewall, to let messages from OUTSIDE your home (the Wild West – well, the open internet) get through to a specific device, such as a security camera. This lets the owner view the camera from the other side of the world. The device has a password, and if this is left to the default, Bingo! A hacker can get in via the open port to the camera, view what the camera sees, and, worse, re-program the camera so it can do all sorts of harm on the owner’s network. The hacker doesn’t have to put a tent up in your garden, they can be in Australia if they want.

In my own case, I have a security camera, and also other devices that I want to use when away. I do not use port forwarding. My router’s port forwarding is turned OFF. So no gap in my firewall exists that way. My router allows an incoming VPN (Virtual Private Network), which is effectively an encrypted route into my home network from the open internet. Note that many routers allow an outgoing VPN connection, so that you can talk to your office network for example, but fewer allow an incoming VPN, one reason being that you need to know your home’s IP address before using it, and most IP addresses are dynamic, set by your ISP, so you don’t necessarily know it when away. My router manufacturer provides a DDNS service (Dynamic Domain Name System) which I use when away to get onto my home network. This is all username/password protected and simple to use. Once connected, it is like using the computer at home on the Local Area Network, so the camera can be viewed as well as any other attached devices.

This method seems to me to be very much safer than Port Forwarding.

However, I would be interested to hear what other vulnerabilities I should look out for!
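The comment above contrasts two ways of reaching a home device from the open internet: a port-forward rule, which lets any unauthenticated WAN client through the firewall to one LAN device, and an inbound VPN, which exposes only an authenticated tunnel endpoint. The following is an added example, not code from the commenter or from any router vendor, that models both setups as a router configuration and grades each active forward by what it exposes. LAN addresses, ports, device names and the two sample configurations are constructed; the VPN port defaults to 1194 (OpenVPN's registered port) purely as an assumption.

```python
# Added example, not code from the comment above or from any router
# vendor: a model of the two setups the comment contrasts. A port-forward
# rule lets an unauthenticated WAN client reach one LAN device directly,
# while an inbound VPN only exposes an authenticated tunnel endpoint.
# Addresses, ports and device names are constructed.
import ipaddress
from dataclasses import dataclass, field

# Ports that give control of a device rather than just a service; a
# forward to one of these is riskier than, say, a game server port.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "web admin",
                    443: "web admin", 554: "rtsp video", 8080: "web admin"}


@dataclass
class Forward:
    wan_port: int
    lan_ip: str
    lan_port: int


@dataclass
class RouterConfig:
    lan: str                        # LAN prefix, e.g. "192.168.1.0/24"
    port_forwarding_enabled: bool   # the comment's global ON/OFF switch
    forwards: list = field(default_factory=list)
    vpn_server_enabled: bool = False
    vpn_port: int = 1194            # assumption: OpenVPN's registered port
    # ip -> device description, including whether it still has the
    # factory-default password (the detail the comment calls "Bingo!")
    devices: dict = field(default_factory=dict)


def active_forwards(cfg: RouterConfig) -> list:
    """With port forwarding turned OFF, rules may still sit in the
    config but none of them punch a hole in the firewall."""
    return cfg.forwards if cfg.port_forwarding_enabled else []


def reachable_from_wan(cfg: RouterConfig, lan_ip: str, lan_port: int) -> bool:
    """True if an unauthenticated client on the open internet can reach
    lan_ip:lan_port straight through the firewall."""
    return any(f.lan_ip == lan_ip and f.lan_port == lan_port
               for f in active_forwards(cfg))


def wan_attack_surface(cfg: RouterConfig) -> list:
    """Everything listening on the WAN side and the trust it demands."""
    surface = [(f.wan_port, f"forward to {f.lan_ip}:{f.lan_port}", "unauthenticated")
               for f in active_forwards(cfg)]
    if cfg.vpn_server_enabled:
        surface.append((cfg.vpn_port, "vpn server", "authenticated tunnel"))
    return surface


def exposure_report(cfg: RouterConfig) -> list:
    """One finding per active forward, graded by what it exposes."""
    lan = ipaddress.ip_network(cfg.lan)
    findings = []
    for f in active_forwards(cfg):
        if ipaddress.ip_address(f.lan_ip) not in lan:
            findings.append({"device": "none", "wan_port": f.wan_port, "lan_port": f.lan_port,
                             "severity": "low", "why": "target is not on the LAN; dead rule, remove it"})
            continue
        dev = cfg.devices.get(f.lan_ip, {"name": "unknown device", "default_password": False})
        mgmt = MANAGEMENT_PORTS.get(f.lan_port)
        if mgmt and dev["default_password"]:
            severity, why = "critical", f"{mgmt} exposed on a device with a factory-default password"
        elif mgmt:
            severity, why = "high", f"{mgmt} exposed to the open internet; prefer a VPN"
        elif dev["default_password"]:
            severity, why = "high", "device still has a factory-default password"
        else:
            severity, why = "medium", "service exposed to unauthenticated WAN traffic"
        findings.append({"device": dev["name"], "wan_port": f.wan_port,
                         "lan_port": f.lan_port, "severity": severity, "why": why})
    return findings


# Constructed: the setup the comment warns about, a camera's web admin
# page forwarded to the internet while still on its default password.
EXPOSED_CAMERA = RouterConfig(
    lan="192.168.1.0/24", port_forwarding_enabled=True,
    forwards=[Forward(wan_port=8080, lan_ip="192.168.1.50", lan_port=80),
              Forward(wan_port=5000, lan_ip="192.168.1.60", lan_port=5000)],
    devices={"192.168.1.50": {"name": "security camera", "default_password": True},
             "192.168.1.60": {"name": "media server", "default_password": False}},
)

# Constructed: the comment's own setup, forwarding OFF, inbound VPN ON.
# The old camera rule is still in the config but does nothing.
VPN_ONLY = RouterConfig(
    lan="192.168.1.0/24", port_forwarding_enabled=False,
    forwards=[Forward(wan_port=8080, lan_ip="192.168.1.50", lan_port=80)],
    vpn_server_enabled=True,
    devices={"192.168.1.50": {"name": "security camera", "default_password": False}},
)

if __name__ == "__main__":
    for label, cfg in (("port forwarding", EXPOSED_CAMERA), ("vpn only", VPN_ONLY)):
        print(label, "WAN surface:", wan_attack_surface(cfg))
        for finding in exposure_report(cfg):
            print("  ", finding["severity"], finding["device"], finding["why"])
```

Two points the model makes visible: turning the global switch OFF neutralises every forward at once, which is why the comment's setup produces no findings, and the VPN server is still a listener on the WAN side. It trades an unauthenticated hole for an authenticated one, so the router firmware providing it needs the same update discipline the article asks for.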

This comment was removed at the request of the user

Scots Don says:
10 July 2017

Duncan, scary stuff. But if I have port forwarding switched OFF in my router, will that not stop any port forwarding attacks?

I do keep an eye on what processes are running on my PC, though whether I would recognise a malicious one, I’m not sure. I don’t have LogMeIn, but I do have TightVNC Viewer, to remotely access a Raspberry Pi.

I keep my camera powered off when not needed!

Basically, I work on the principle of keeping my front and back doors closed, in my router. I rely on the router to not let remote messages get through. Maybe I have misplaced faith.

This comment was removed at the request of the user

I’ve just bought an Amazon Alexa. I wanted a new toy to play with. That’s not to say I’m not cautious of (a) potential security holes and (b) the benefits.

At the moment I plan to use it for music, ordering an Uber, telling me the morning news, reading out recipes etc.

Hopefully no one in my building shouts out an Amazon order through the window…