Consumers who outfit their homes with home automation devices without considering security may be inviting hackers and thieves inside.
Repeatedly, studies have revealed that devices designed to automate the home have serious vulnerabilities. Many devices have weak password policies and do not protect against man-in-the-middle attacks, according to an HP survey of 10 off-the-shelf home security systems. Others do not prevent access to the device's debugging interface, which could allow easy hacking of the device, according to an April study by code-security firm Veracode. And, if an attacker is able to gain access to the device, almost all devices could be easily compromised and turned into a Trojan Horse, according to a study by security firm Synack. In fact, it only took between 5 and 20 minutes to find a way to compromise each device, once the researchers unpacked the hardware.
"These companies are really pushing to get a product to market to really compete in this Internet of things boom, but they don't have a security guy on their team, so there is a lot of small stuff being overlooked," says Colby Moore, a security research analyst for Synack. "The majority of companies are ignoring the basics."
By the end of the year, about 2.9 billion consumer devices will be connected to the Internet, according to market researcher Gartner. While the Apple Watch may be the best-known device among the Internet of Things menagerie, many of the "things" that you will connect in the future will be part of your home. Unfortunately, the rush to deliver home automation capabilities to users has resulted in poorly secured systems creating additional avenues of attack for online miscreants.
"It's hard to not be excited about what the IoT has enabled and will bring in the future, although that doesn't mean cybersecurity should be sacrificed in the process," Brandon Creighton, Veracode's security research architect, said in a statement.
Security firm Synack, for example, tested cameras, thermostats, smoke detectors, and home-automation controllers, looking for security vulnerabilities. The company considered four scenarios that could impact consumers: An attacker breaks in and has two minutes with the home's devices, a thief steals a person's mobile phone, an eavesdropper in a cafe monitors the victim's Internet sessions, and a more advanced attacker manages to modify a home-automation device before a victim purchases it.
Each device had security shortcomings. Consumers' desire to control their homes from their smartphones, for example, means that losing the phone can have significant consequences for home security. In addition, many products do not use encryption technology.
"I can't say that I was shocked, but it was pretty shocking," Moore says.