12 Internet of Things hacks, and why you need to lock down your smart home in 2019

Computers and smartphones aren't the only gadgets in our lives in danger of getting hacked. Smart home security cameras, children's toys and even our routers, the devices that connect us to the internet, are all vulnerable. However, that doesn't seem to be deterring people from buying connected devices.

We like these smart speakers, robot vacuums and video doorbells so much that the smart home market is expected to hit $53.6 billion by 2022 (up from $24.1 billion in 2016), according to insurance company Assurant.

As we bring more connected products into our home in the coming new year, it's helpful to take steps to protect smart home devices from online attackers, the best that we can. Here are some famous hacks — and what consumers can do to try and thwart these attacks.

Home heating

There's nothing worse than having your heat shut off during the cold winter months, yet that's what happened to residents of an apartment building in Finland. A DDoS (distributed denial-of-service) attack over the internet affected the automated system that controlled hot water, heat and more to the buildings, reported Motherboard.

The building's manager fixed the problem by disconnecting the system from the internet, then re-launching it. While most people think of DDoS attacks hitting large companies and city-wide infrastructures, as they're more widely used they could start impacting people at home, as the Finnish residents found. A virtual private network, or VPN, can help you hide your IP address, and route traffic, including a potential DDoS attack, to the VPN's IP address instead of yours.

My Friend Cayla

Researchers found security vulnerabilities in a doll that lets children ask questions, and answers back. When prompted, the doll, My Friend Cayla, would respond by connecting to online servers to bring up answers — much different from the recorded answers typically found in toys. Germany was so concerned about its spying potential that it actually banned the toy.

More than one-quarter (27 percent) of U.S. consumers already own more than three smart home devices, according to research firm GfK. As we bring more into our homes, it's important to keep tabs on who is tapping into those devices, to make sure they're acting as they should. A robust firewall, like Cujo, which works in tandem with routers, can help to monitor traffic to the connected devices in our home.

Robot vacuum

Smart vacuum cleaner Diqee turned out to be able to hoover more than the dust on your floor, according to security researchers who discovered the device could be remotely controlled by hackers, and the night vision camera on board turned on without someone at home knowing.

Hackers would have needed physical access to the robot vacuum to get access to the camera. But remote access — moving it around at will — was obtained by entering the default password and admin name. Changing the passwords that come with devices when you buy them is an easy first step to thwarting attacks. And if you have a lot of them, a password manager can help keep track so you're not using the same one every time.

Trendnet security camera

Surveillance cameras are meant to keep an eye on areas where people physically get to all the time. Only the people who install the cameras are supposed to have control over what's captured. In the case of internet-connected Trendnet cameras, the images were open to attacks which could transmit video feeds of people at home, wrote Wired.

Changing passwords from factory default settings, and then creating robust passwords, are certainly good steps toward preventing unwanted visitors from tunneling in to your IoT products, like smart security cameras, at home.

Mirai

Sometimes an attack is bigger than a single smart device, and instead turns millions of them into mindless zombies all answering to one command. That's what happened with smart devices infected with Mirai, a malware code that spread to security cameras and other IoT gadgets.

Stopping malware code from getting into a smart device is tricky, but again changing passwords from default settings is a great first step, as well as making sure you're using a router and firewall. Also unplugging a device, and plugging it back in so it can reboot, can sometimes clear it of a malicious code like Mirai. But if the device is connected to the internet and unprotected, it's likely to get infected again.

Amazon Echo

We all know about the Amazon Echo that recorded a couple at home in Oregon, and sent the conversation to a friend. That's not ideal. But security hackers actually found a way to turn the Echo into a spyware device, listening without people knowing. Amazon fixed this security flaw quickly, and the hack required that a modified Echo gain access to the same network used by other Echos in a home. Someone could gift a modified Echo maliciously to someone, and have them install it in their house.

Hacks like these are much more difficult as they require some physical proximity and access to other devices. Still, password protection is a good move here, and not just at the device level but at the router level. Consumers can also consider creating guest access Wi-Fi passwords for visitors to their homes, which can then be routinely changed when people leave.

Smart thermostat in a casino fish tank

It may sound like a plot from an Ocean's Eleven reboot, but in April this year a vulnerability discovered in the thermostat of a casino fish tank gave hackers access to its high-roller database. The offending piece of supposedly smart tech was used to regulate water temperature of an aquarium installed in the lobby. But its internet connection - the same connection casino staff probably thought was a useful feature when installing the thermostat - presented hackers with an open pathway to the business's servers.

Internet of Things (IoT) devices like this thermostat tend to have relatively poor security compared to other web-connected devices like your smartphone and laptop. Their makers don't always expect seemingly uninteresting devices to fall into hackers' crosshairs, but when hooked up to a network shared by more valuable devices (like servers), they become an easy target.

To help protect your network against these sorts of attacks - whether that network is at home or a part of your business - you should consider a router built especially to protect IoT devices. The CUJO, for example, acts as a firewall to keep your IoT devices protected by attaching to your existing router, while D-Link partnered with McAfee to produce the AC2600, a router with IoT and smart home security in mind.

Vaultek gun safe

A Bluetooth connection and smartphone app can be used to control most IoT and smart home devices, making their operation fast, simple and convenient. Unfortunately, when the Bluetooth-equipped Vaultek gun safe launched in late-2017, security researchers were able to unlock it without knowing the PIN.

They found that unlimited PIN guesses could be made, and because the PIN could only be between four and eight digits long - and consist only of the numbers one to five - a conservative seven seconds per try would see the safe unlocked in a maximum of 72 minutes.

This is via a so-called brute force attack, where a computer is used to quickly guess PIN combinations over and over until the correct one is found and the safe unlocks. A software update was issued before the vulnerability could be exploited by malicious hackers, instead of well-meaning security researchers.

This highlights just how important it is to keep your IoT and smart home devices up-to-date, and to only use devices which can be given a strong password. If a software update for your smart door lock arrives, for example, you shouldn't put off installing it for weeks, because that could leave your lock (and therefore your entire home) vulnerable to attack.
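
The arithmetic behind the brute-force estimate above, as an added example (not code from the researchers or from Vaultek): it works out the worst-case search time for each PIN length from the article's figures, where the 72-minute maximum corresponds to the shortest, four-digit PIN, and then repeats the search against a lockout policy. The lockout policy (five tries, then a delay that doubles up to one hour) is a hypothetical one chosen for illustration.

```python
ALPHABET_SIZE = 5         # article: PIN uses only the digits one to five
MIN_LEN, MAX_LEN = 4, 8   # article: PIN is four to eight digits long
SECONDS_PER_TRY = 7       # article: "conservative seven seconds per try"


def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of distinct PINs of exactly this length."""
    return alphabet ** length


def worst_case_seconds(length, per_try=SECONDS_PER_TRY):
    """Time to try every PIN of one length when guesses are unlimited."""
    return keyspace(length) * per_try


def worst_case_with_lockout(length, per_try=SECONDS_PER_TRY,
                            free_tries=5, base_lockout=60, cap=3600):
    """Same search against a hypothetical lockout policy: after every
    `free_tries` failures the device refuses input for a delay that
    doubles each time, up to `cap` seconds."""
    total, lockout = 0, base_lockout
    attempts = keyspace(length)
    for n in range(1, attempts + 1):
        total += per_try
        if n % free_tries == 0 and n < attempts:
            total += lockout
            lockout = min(lockout * 2, cap)
    return total


def report():
    """One row per PIN length: (length, PINs, unlimited s, lockout s)."""
    return [(n, keyspace(n), worst_case_seconds(n), worst_case_with_lockout(n))
            for n in range(MIN_LEN, MAX_LEN + 1)]


if __name__ == "__main__":
    for length, pins, fast, slow in report():
        print(f"{length} digits: {pins:>7} PINs | unlimited guesses "
              f"{fast / 60:9.1f} min | with lockout {slow / 86400:8.1f} days")
```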

Google Home and Chromecast

Earlier in 2018, security researcher Craig Young discovered that the Google Home smart speaker and Chromecast media streaming device would give away their precise location to whoever asked, via a malicious link.

Young found that, if the link was opened by the intended target, the precise location of any Google Home or Chromecast on the same Wi-Fi network would be revealed to the sender of the link. This meant the sender could discover the target's exact street address, leading to the potential for robbery, or more location-based hacking.

Knowing the target's exact address could make phishing and extortion attacks appear more realistic, cybersecurity expert Brian Krebs said at the time. Thankfully, a software update was released by Google this summer, which again shows how it is important to keep your devices up-to-date.

Young suggested this kind of attack can be prevented, or at least mitigated against, by connecting your smart home and IoT devices to a different Wi-Fi network to that used by your laptop.

Tapplock

In the summer of 2018, a padlock which uses fingerprints instead of a key or passcode was found to be vulnerable to attack. Produced by a Canadian firm called Tapplock, the device is claimed to be the world's first smart fingerprint padlock, but security researcher Andrew Tierney from Pen Test Partners found it could be unlocked in under two seconds - without any fingerprint.

Tierney found that the lock's use of Bluetooth Low Energy, a technology found in a wide range of IoT and smart home devices, was its weakness. This is because the lock could be opened with nothing more than its own Bluetooth Low Energy MAC address - which it happens to constantly broadcast.

The researcher then created an Android application which would broadcast the MAC address, allowing him to unlock any Tapplock he approached, in less than two seconds. Tierney described the lack of security as "completely unacceptable," adding: "To be honest, I am lost for words".

As with other incidents like this, Tapplock responded by issuing a software update to improve its lacklustre security. Again, this demonstrates the importance of keeping your IoT devices updated, but also serves as a warning that, no matter how secure a fingerprint system may be, poor design will mean doors are left open elsewhere - in this case, with how the lock's Bluetooth system operates, and even its physical toughness.

CloudPets smart toys

The CloudPets range of soft toys let children record messages and have them play back, as if spoken by the toy. These could be messages recorded by the children themselves, or by their parents via a smartphone app. It was then found in early 2017 that every recording was stored online, and that these recordings were unprotected.

Security researcher Troy Hunt also found that the recordings had been accessed multiple times by unauthorized parties, and the data had even been held for ransom before Spiral Toys addressed the issue. Context Information Security, another specialist firm, found hackers could remotely instruct the toy to record whenever they wanted, turning it into a spying device.

This is another example of a manufacturer producing a 'smart' and connected product, without properly securing the data it collects and fully understanding the consequences. Parents are urged to pay close attention to how any connected toys work, keep their software up-to-date, and use strong passwords at every step. But, ultimately they must ask themselves if such a product - capable of recording and connected to the internet - is really suitable for their children at all.

Jeep Cherokee

Finally, the infamous Jeep hacking incident of 2015 saw security researchers demonstrate how they could remotely take control of the infotainment, climate, and driving systems of a Jeep Cherokee.

Hackers Charlie Miller and Chris Valasek demonstrated how they could remotely take control of the car's stereo, windshield wipers, climate system, and even the transmission, cutting the power of a moving car with the press of a keyboard key, then putting images of themselves on the dashboard display.

This demonstration was performed with a willing journalist behind the wheel, and since the hackers made their discoveries Fiat Chrysler fixed the vulnerabilities. But with cars becoming ever more connected and autonomous, the need for manufacturers to make cyber security a top priority is more pressing than ever.

Car hacking can be mitigated against by changing the default passwords of its web-connected services, and ensuring the key fob cannot be hijacked when parked up at night - an increasingly common form of theft - preventing hackers from gaining physical access to the vehicle and its computer systems.