For Deral Heiland, hacking into smart home devices and other IoT devices is not just a hobby, but his job. Heiland, the principal security researcher at Boston-based cybersecurity firm Rapid7, specializes in finding vulnerabilities in IoT and smart home devices and alerting the vendor that the product has an issue that could allow a hacker to perform some malicious action.
It’s common in the cybersecurity industry to poke fun at smart home IoT devices, with some labeling them as the “Internet of Threats” rather than “Internet of Things” due to their inherent cybersecurity issues. Others say, “the ‘S’ in IoT stands for security,” which is of course a tongue-in-cheek way of saying there is no security in devices like smart speakers, security systems, cameras, smart locks and more that populate smart homes and modern offices.
However, Heiland takes a somewhat different approach than others in his field, as the cybersecurity expert and ethical hacker calls smart home technology “kind of amazing,” albeit a technology that needs the help of cybersecurity experts like himself. Several times a year, he will take a swing at hacking into consumer-level IoT devices, typically ones that are installed in connected homes.
“What I’m trying to determine is: Are there vulnerabilities? Can we help solve those vulnerabilities? Or am I seeing a move toward improved security?” Heiland posits.
Cybersecurity Issues with Smart Home Devices
Among the cybersecurity issues he has found in these smart home devices are insecure APIs that reveal sensitive user information and glaring vulnerabilities in home security systems. In one such system, for example, all that was required to access the system and disarm it was the homeowner’s email address.
Full control is the “worst-case scenario,” but it’s actually information leakage that is the more common security vulnerability in IoT systems, Heiland says, pointing to one case in which he hacked into connected lighting systems to access a lot of information about the homeowner.
As with many other computer systems, it is often compromised credentials that give attackers access to the device. With many consumers using the same password across multiple accounts and systems, all it takes is one, Heiland says.
“The problem is, if one of these things gets compromised because of some failure within the cloud’s APIs, which is a very common vector, I may get access to passwords and account information that go across the gamut,” Heiland says.
Another part of the problem is the security vulnerability disclosure and patching policies of these manufacturers. The U.S. National Institute of Standards and Technology (NIST) maintains the Common Vulnerabilities and Exposures (CVE) program, which identifies vulnerabilities in technology products.
In many cases, these vulnerabilities (identified by a security researcher and disclosed to the vendor or identified by the vendor itself) are published along with a patch from the vendor in a practice that is typical of the cybersecurity community.
In other cases, CVEs are exploited by hackers, forcing the vendor to issue a patch to prevent further exploitation. In the smart home industry, several major vendors — many of which are familiar to residential system integrators — have disclosed vulnerabilities in their products.
However, the publishing of vulnerabilities is not fully indicative of a problem, as the more responsible companies operate with transparency and issue a patch along with the disclosure. The bigger issue is when manufacturers don’t take swift action to correct security bugs disclosed to them, or if they don’t take any action at all.
“Even if it was a simple vulnerability, that’s an indication of how that company is going to handle things,” Heiland says. “And to me, that is the most, the biggest key indicator on a company’s reliability when it comes to security.”
Larger manufacturers with brand names to protect likely do have vulnerability disclosure programs or bug bounty programs in which they pay ethical hackers for finding security issues with their product.
Professional-grade residential technology companies such as Samsung, LG, Google, Amazon, Snap One, Crestron and many others run vulnerability disclosure programs, but some other prominent manufacturers in the smart home industry do not have information about their cybersecurity practices visible on their public-facing website.
Resources to Evaluate & Shore Up Vulnerabilities Available
There are publicly available tools that hackers use to search for devices connected to the Internet, such as Shodan IO. Dan Fulmer, principal of Florida-based integrator FulTech Solutions and a CTA board member, says he has used the tool to see just how insecure smart devices are.
In many cases, default passwords for cameras aren’t changed, so accessing those cameras once you have an IP address and the default username and password is as easy as logging into any other account. However, attackers now automate much of this malicious activity.
“The bots do this automatically, inject stuff into these devices, and as soon as they find the hole, they’re going tunneling through the holes in your network to find the device they need to get into,” Fulmer explains.
While many of the poor cybersecurity practices are attributed to some of the more DIY smart home devices and systems, Fulmer says even some of the bigger names in home technology such as Google, Apple, Microsoft, and Amazon have their own issues, being big targets of hackers because of their popularity and ubiquity.
On the flipside, the lower-end providers of DIY systems who are routinely cited as having poor cybersecurity practices are also targets due to those issues, Fulmer says, adding that he has seen researchers hack into one well-known DIY smart home security brand’s system in under 2 minutes.
However, brands familiar to many residential integrators like Crestron and others are in the middle ground, Fulmer says. They are not gigantic targets that some Big Tech brands are, but they also have established cybersecurity programs that respond to vulnerability disclosures and issue patches.
In addition, manufacturers that sell equipment to the federal government are required to have a robust cybersecurity program in place, Fulmer says.
Fulmer, who has a degree in computer science in engineering, helped the CTA to develop the Connected Home Security Checklist Tool, based on the organization’s Device Security Best Practices white paper, which details security protocols for installing and configuring products to help protect consumers and their smart home devices from unwanted malware or hackers.
According to Fulmer, the resources are designed for integrators to make sure they’re following best practices, which can protect them from liability if their clients’ home networks are compromised.
In addition to helping integrators secure their clients’ smart device infrastructure, the whitepaper and checklist can also help educate the homeowner on cybersecurity issues and prevent them from introducing insecure devices to their home networks. In turn, this leads consumers to put more trust in the integrator and the higher-end solutions they are installing.
“You don’t want Johnny coming home and plugging in his new gaming system,” Fulmer says. “Don’t go buy a nanny cam and just plug it in.”
Moving Towards Greater Smart Home Cybersecurity as Awareness of Issues Builds
As more devices become connected to the internet, the overall trend is moving towards more security. However, those moves aren’t happening fast enough, as far as the White House is concerned. The Biden Administration is launching a cybersecurity certification program for smart home and IoT devices, which will affix product packages with the Cyber Trust Mark that assures the buyer that the product meets a baseline of cybersecurity standards.
A project of the Federal Communications Commission, the program would see a QR code linking to a national registry of certified devices placed on product packages. The QR code link will also show the privacy and security features of the product, including how it uses audio and video information, multifactor authentication capabilities, how security updates are deployed, and more.
Speaking at a press briefing were officials and experts that CE Pro readers know well, including leaders from the CTA, Connectivity Standards Alliance, UL Solutions, Amazon, Google, Samsung, Logitech, LG and more. In prepared statements, Michael Bergman, vice president of tech and standards at CTA, says the growing number of connected devices is creating new opportunities for bad actors to exploit.
The CTA, producer of the annual CES, has worked with NIST for the better part of a decade to develop a voluntary national cybersecurity labeling program, which Bergman says created the foundation for the new U.S. Cyber Trust Mark.
“Our manufacturer and retail members are excited about the voluntary label program and are ready to sell certification-ready products once the FCC adopts final rules. Many are with us today to display their products and show their commitment to secure devices,” Bergman says, referencing LG, Samsung, Logitech, Google, Amazon and other manufacturers with representatives present at the briefing.
The presence of many leading smart home manufacturers signifies that the industry is ready and willing to build more security into smart home systems, which Heiland says seems to be catching on among the larger brand names.
“You’re also seeing companies that have a brand name to protect, being a little more proactive,” Heiland says. “They’re not waiting for vulnerabilities to show up. They’re actually hiring companies like Rapid7 who does pen testing on IoT products to actually look at that particular product.”
The program was widely received as a positive development in IoT security, with cybersecurity firms praising the Administration for taking the step.
BlackBerry, formerly known for smartphones but now focused on cybersecurity, says a recent survey found that Gen Z and Millennials are much more aware of IoT security issues (80% and 86%, respectively), suggesting a cybersecurity star rating would make them feel safer when using Internet-connected devices.
In addition, almost half of Millennial (42%) and Gen Z (44%) buyers have IoT devices not connected to the Internet due to security concerns, according to BlackBerry’s study.
Nearly 70% of Millennials would pay more for a device labelled as secure through a star system, and 75% of Gen Z buyers would also pay more, the survey takers indicate. However, only 55% of Baby Boomers and 44% of those older would pay more for the same guidance.
In an email statement, Christine Gadsby, vice president of product security at BlackBerry, says smart devices such as thermostats, security cameras, doorbells and more can serve as backdoors for hackers looking to get into a home network.
“Without understanding the level of cybersecurity baked into these products, we may unintentionally allow strangers to shatter our sense of security and violate the sanctity of our homes,” Gadsby says. “So it’s no surprise four-in-five consumers surveyed by BlackBerry believe the rollout of a cybersecurity labeling system would make them feel safer and more informed when using Internet-connected devices, and two-thirds would be prepared to pay more for products with higher rankings.”
Real Cases of Smart Home/IoT Hacking
One of the most public cases of lagging security in smart home devices is Ring, which was recently charged by the Federal Trade Commission with compromising its customers’ privacy by allowing employees or contractors to access cameras and videos and by failing to implement basic privacy and security protections.
According to the FTC, Ring failed to implement standard security measures to protect consumers’ information from two well-known online threats — “credential stuffing” and “brute force” attacks — despite warnings from employees, outside security researchers and media reports. Credential stuffing involves the use of credentials, such as usernames and passwords, obtained from a consumer’s breached account to gain access to a consumer’s other accounts.
In a brute force attack, a bad actor uses an automated process of password guessing — for example, by cycling through breached credentials or entering well-known passwords — hundreds or thousands of times to gain access to an account.
Despite experiencing multiple credential-stuffing attacks in 2017 and 2018, Ring failed, according to the complaint, to implement common tactics — such as multifactor authentication — until 2019. Even then, Ring’s sloppy implementation of the additional security measures hampered their effectiveness, the FTC said.
As a result, hackers continued to exploit account vulnerabilities to access stored videos, live video streams, and account profiles of approximately 55,000 U.S. customers, according to the complaint.
Bad actors not only viewed some customers’ videos but also used Ring cameras’ two-way functionality to harass, threaten, and insult consumers — including elderly individuals and children — whose rooms were monitored by Ring cameras, and to change important device settings, the FTC said. For example, hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom.
However, it’s not just surveillance and spying that attracts hackers to smart home and IoT devices, as these devices help more sophisticated attackers working on behalf of a nation state to cover their tracks.
Cybersecurity firm Mandiant, now a Google subsidiary, says this kind of technique is popular among Chinese cyber espionage operators who use botnets of compromised IoT devices, smart devices and routers to disguise their external traffic between command-and-control infrastructure and victim environments.
In a recent blog, Mandiant says small office and home office (SOHO) routers (including many brands known to residential integrators), as well as IP cameras and recording devices are popular for this tactic.
Other cybersecurity firms, like Rapid7, research vulnerabilities in IoT devices. In another example, Claroty, a provider of IoT cybersecurity solutions, says its researchers have found nearly 500 vulnerabilities in IoT and smart devices, many of which are manufactured by popular residential smart technology vendors.
In addition, a simple keyword search on the MITRE Corporation’s CVE database for “smart home,” “home automation,” or any other home technology term, as well as the manufacturer’s name, will yield dozens of officially disclosed vulnerabilities.
According to cybersecurity experts like Heiland, finding smart home devices and systems that are connected to the internet and vulnerable isn’t all that hard. At one recent conference, he met someone who was concerned about his home energy management system being hacked. Using Rapid7 tools, Heiland found “hundreds and hundreds” of those devices exposed to the internet.
For third-party service providers like integrators that have remote management access to these systems for their clients, securing that access should be a priority, Heiland says.
“So, you started thinking about these systems and management of the systems across the board,” he says. “How is it being done? Are they exposing these things to the Internet? How do you reduce that level of exposure, so it isn’t directly connected to the Internet? Those things need to be considered on these remote management solutions.”