Many off-the-shelf IoT devices require no effort to hack, study shows
Researchers at Ben Gurion University of the Negev, Israel, have demonstrated that it was easy to hack into smart consumer products – such as smart baby monitors and cameras – using a simple Google search to find their passwords.
Cyber-security researchers at the university have dedicated years of research to detecting vulnerabilities of these devices and networks, which are slowly creeping their way into consumers’ homes as connected components of the Internet of Things (IoT).
In their most recent study, the researchers disassembled and reverse engineered a number of off-the-shelf consumer products, and discovered gaping security flaws.
“It is truly frightening how easily a criminal, voyeur or paedophile can take over these devices,” said Professor Yossi Oren, head of Ben Gurion’s Implementation Security and Side-Channel Attacks Lab. “Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products.”
According to the researchers, it took just half an hour to find passwords for most of the devices – including baby monitors, home security cameras, doorbells and thermostats – often through a simple Google search of the brand name.
They found that similar products under different brand names often share the same default passwords. Many manufacturers sell products with insecure built-in passwords, such as 0000, which consumers and businesses rarely get round to changing after purchase. This could result in a device operating at home for years while infected without the owner realising.
The researchers found that this vulnerability allowed them to log into private Wi-Fi networks by using the password stored within a connected device to access the network. Access to a single IoT device, the researchers warned, could allow a hacker to create “an entire network” of devices controlled remotely.
The researchers recommended that manufacturers stop using weak, hard-coded passwords in their products, disable remote access capabilities and make it harder to harvest information from shared ports such as audio jacks, which have been demonstrated to be vulnerable.
“It seems getting IoT products to market at an attractive price is often more important than securing them properly,” said Professor Oren.
There are widespread concerns about the security of IoT devices, particularly due to the fear that hackers could cause tangible physical damage within a home using connected devices, rather than just within a computer. Congress has been working on a bill to address security vulnerabilities in connected devices, and authorities in the US and EU have issued warnings about the privacy and security risks associated with smart toys for children.
“The increase in IoT technology popularity holds many benefits, but this surge of new, innovative and cheap devices reveals complex security and privacy challenges,” said Yael Mathov, who was involved in the study. “We hope our findings will hold manufacturers more accountable and help alert both manufacturers and consumers to the dangers inherent in the widespread use of unsecured IoT devices.”