
Can you trust smart tech?


A new Which? investigation has revealed the potential security flaws in smart home tech. Luke Potter, Cybersecurity Director of SureCloud, and his colleagues teamed up with Which? to put this tech to the test. Luke joins us as a guest author to explain more…

I head up the cybersecurity practice at SureCloud and work with clients on their penetration testing and vulnerability management requirements, but I’m also a consumer. I buy products for my home and expect them to be well designed and secure.

Sadly, with many smart, or Internet of Things (IoT), products hitting the market, we’ve found that this isn’t always the case.

Smart home security

SureCloud was invited by Which? to investigate the security of IoT devices. Which? set up the real home of one of its employees with various smart gadgets – from a wireless camera to a wi-fi coffee machine and a smart toy. We then performed what is known as a ‘red-team’ engagement, essentially a simulated attack using techniques a hacker or cybercriminal might employ.

Which? only provided us with the name of its employee. Our team then set about identifying as much information as they could from online research.

Within a few hours, we had their home address, family and partner details, full employment history, corporate and personal email addresses, and an array of credentials that they’ve used online, including social media websites.

We also successfully ‘phished’ the target to further obtain user account credentials and access to their online life. It’s amazing what you can glean from just what we all share freely online.

Home hacking

Following the information-gathering exercise, the next step was to visit the target’s property and perform reconnaissance from outside the house. Our attacks ranged from very basic and opportunistic approaches to actually taking apart the sample devices to find exploits.

One attack vector involved fully compromising a smart coffee machine to flood it with boiling water. In another, we breached a smart toy so we could listen to all conversations within the home, and even speak through the toy remotely.

But sometimes, a low-tech approach gets results too – for example, we were able to place an order for items using the target’s Amazon Echo by simply shouting through a window.

When Amazon was approached for comment on this, it said:

‘To shop with Alexa, customers must ask Alexa to order a product and then confirm the purchase with a ‘yes’ response to purchase via voice. If you asked Alexa to order something on accident, simply say ‘no’ when asked to confirm. You can also manage your shopping settings in the Alexa app, such as turning off voice purchasing or requiring a confirmation code before every order. Additionally, orders placed with Alexa for physical products are eligible for free return.’

Staying safe online

For consumers, there are a few key takeaways. Most critical is to set a completely unique password for every single system and service that you use. To help you remember them all, a ‘password manager’ tool can make this process extremely simple and easy to manage.

Additionally, when you purchase IoT devices, ensure that you set them up fully, including changing passwords and not leaving them in their default state.

Finally, just like you’d install updates on your phone or laptop, IoT devices need to be updated, too. Ensure you apply these as soon as possible so that your security is always up to date.

Do you have IoT gadgets in your home? Or are you considering buying some? If so, how important is it to you that they keep your network secure and protect your privacy?

This is a guest contribution by Luke Potter, Cybersecurity Practice Director at SureCloud. All views expressed here are Luke’s own and not necessarily also shared by Which? or SureCloud.

Comments
Member

Can you trust high tech?? As the well-known ex-American tennis player/commentator repeatedly said to wide acclaim at Wimbledon: You CAN’T!!! be Serious!! If anybody has been following my perpetual posts on Which on this issue in every variation over the past year or two, then if you trust the IoT/Cloud Storage then big companies no longer need the old subliminal messaging you used to get in cinemas in this country “making” you buy lemonade/ice cream etc. NEVER-NEVER trust the Digital World; every part of it is hacked in 5 minutes; every second YOUR Data is transmitted back to “headquarters” by your computer, if it’s a Windows machine; every minute your printer “talks” to its makers; your camera can be turned on, your mike as well; it’s now been admitted every device you have can be used against you; there is even the latest case of your router, if it is a well-known American make, sending data back to hackers (change your default password); it’s big news in the States, million compromised. Why do you think I keep saying all three big countries’ national security services – UK/US/Israel – are recruiting high tech employees? I have all the adverts for all three, because they are more intelligent than a lot of the staff they have now; America for example will even forgive good hackers who hack high security organisations if they go to work for them, and I think the same applies here. I hope now with this convo the TRUTH will no longer be hidden by big business and government because of financial/commercial interest and that they will be honest with the British public.

Member
Ian says:
23 June 2017

Can you trust smart tech?

Simple answer… NO.

Member

There is a companion article in the July issue of the Which? magazine.

The first security problem mentioned is routers and today a problem with routers is in the news: http://www.bbc.co.uk/news/technology-40382877

Member

Interesting Wavechange, I don’t watch the BBC news for reasons I won’t go into here, but I changed my router password a year or two ago as it was news way back then, but on tech websites. Linksys/Netgear etc in the USA were hacked by the millions. If you are hacked by a hacker and not the CIA then your DNS setting will be changed to a malicious IP address; you should check this out. It’s easy to check on the web what your IP address is, but I have Wireshark installed; you can then see all the traffic/packets that flow from your computer, and there are apps that will block IP addresses/ports. An absolutely marvellous app of USA origin that uses Windows firewall, that I used when I had Windows in addition to a paid-for protection, is Glasswire. It has a coloured moving graph showing ALL the traffic in and out of your computer as well as the ability to block any or all data sent illegally. The problem is, as you would suspect, MS hate it and cause the software designers all sorts of problems, even though the website is pro Windows. I am a member but they haven’t made it compatible with Linux, although it’s now compatible with Mac computers. Wavechange, it’s that good I am recommending it, if you can install it; there is a free version and two paid-for versions. In the time I have been on Which this is only the third app I have ever recommended; it really is genuine. ONLY download it from the makers’ website, NOT CNET etc.
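The comment above recommends checking whether a compromised router has had its DNS setting changed to an unexpected address. The following is an added example, not code from the page or from any commenter, showing what such a check looks like when scripted: it parses resolver configuration in the resolv.conf style and reports every nameserver that is not on an allowlist the household supplies. The allowlist and the sample configuration are constructed for the example (192.168.1.1 and fd00::1 stand in for the router’s own addresses; 203.0.113.7, from a documentation range, stands in for an unexpected resolver); substitute your own router’s and ISP’s addresses.

```python
"""Report DNS resolvers that are not on a trusted allowlist.

Added example (not code from the Which? page or any commenter). It
reads resolv.conf-style text and flags any nameserver outside an
allowlist, which is the check a home user would run after reading
that hijacked routers are often detected by a changed DNS setting.
"""
import ipaddress

# Constructed sample configuration: three resolvers, one unexpected.
SAMPLE_RESOLV_CONF = """\
# Generated by the home router (constructed sample)
nameserver 192.168.1.1
nameserver 203.0.113.7   # stands in for a resolver nobody configured
nameserver fd00::1
search home.lan
"""

# Constructed allowlist: the router's LAN addresses (IPv4 and IPv6 ULA).
TRUSTED_RESOLVERS = {"192.168.1.1", "fd00::1"}


def parse_nameservers(text):
    """Return the nameserver entries in order, normalised where they are valid IPs.

    A malformed address is kept as-is so that the audit can report it
    instead of silently dropping it.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                servers.append(parts[1])
    return servers


def audit_resolvers(text, trusted=TRUSTED_RESOLVERS):
    """Return (address, verdict) pairs: 'trusted', 'untrusted' or 'malformed'."""
    report = []
    for server in parse_nameservers(text):
        if server in trusted:
            report.append((server, "trusted"))
            continue
        try:
            ipaddress.ip_address(server)
        except ValueError:
            report.append((server, "malformed"))
            continue
        report.append((server, "untrusted"))
    return report


def is_clean(text, trusted=TRUSTED_RESOLVERS):
    """True only when every configured resolver is on the allowlist."""
    report = audit_resolvers(text, trusted)
    return bool(report) and all(verdict == "trusted" for _, verdict in report)


if __name__ == "__main__":
    for address, verdict in audit_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{address:>16}  {verdict}")
    print("clean" if is_clean(SAMPLE_RESOLV_CONF) else "CHECK YOUR ROUTER DNS SETTINGS")
```

On a Linux or macOS machine the same functions can be pointed at the contents of `/etc/resolv.conf`; an empty resolver list is treated as not clean, since a router that hands out no resolver is as worth investigating as one that hands out the wrong one.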

Member

Thanks Duncan. I understand what you are talking about, which is not always the case on tech matters. I’ve had a lot to do with firewalls, IP addresses, DNS and ports, albeit mainly on Mac systems. When I get back from holiday I plan to do some work on my computers and look at security issues. It’s a very long time since I’ve been near CNET.

Member
bishbut says:
24 June 2017

Not everyone reads Which? Many people ignore any advice they are given; they think they know it all. You can try to help, but many are beyond help. They know nothing about security at all, expecting others to do everything for them, including keeping them safe and secure. They do not care until it happens; then they are the first to complain as loudly as they can. To some, no tech should go wrong; it cannot go wrong.

Member

Very profound Bishbut, it sounds like it’s taken from the Book of Laws of the Digital Age relating to the Social Interaction of the Human Species to a perceived “God Like” quality of the Word handed down from “Above”, never thinking for a moment that this “Word” was written not by a “god” but by flawed Humans who are “Lesser Gods”. It is the Automaton Effect of a religious transference of Spiritual Power from the infallible “God” to the Fallible Human god of the BIT, noted in a natural gathering together – as in I, Robot the Movie – of people in the supposed belief that a common thought pattern will “Protect” them. This is generated at an early age by indoctrination of everything “Digital” being superior to the human race when in actual fact it is vastly inferior, as admitted by those at the top in software design. Book of Laws – section one – Law number Three. This is more profound than you think; it’s already been admitted, read “The Thinkers Update” – The Dawning of the Digital Age: http://www.intersperience.com/article_more.asp?art_id=46 and has been taken up by Big Advertising to good effect (see, told you); if it’s human related, profit is involved.

Member
bishbut says:
25 June 2017

Don’t understand a thing you are saying. Plain simple English, please.