You may have seen the recent story in the news about a two-year-old girl who was verbally harassed through the nanny camera in her bedroom. It was reported that a stranger broke into the nanny camera and took control of the device. This is an example of how an insecure “smart” home technology let a stranger into someone’s home. And, unfortunately, it’s not the only problematic technology out there.
I recently purchased and reviewed several of these smart home technologies, technologies that allow you to remotely control and automate almost anything in your home such as door locks, garage openers, televisions, thermostats and even a toilet. While these technologies are exciting (who ever thought we could control the locks on our doors with a click of a mouse?), if the security of these devices is not taken more seriously, we will continue to see strangers invading our privacy and maybe even physically breaking into our homes.
When reviewing these technologies, I found many of them were pretty easy to hack; most of the products were found to have serious flaws after only a few hours of research. Among the products I researched was a device called the VeraLite. It allows you to control a number of different appliances in your home including door locks, surveillance cameras, alarm systems, and carbon monoxide sensors. While you can set a password on the device, it still lacks protection because there’s an alternate method for controlling the device that does not require a username and password. As long as you can get on the home network (which any competent hacker will tell you isn’t hard to do), you can control whatever is connected to the VeraLite, including the lock on your front door.
A common trend I noticed while researching these “smart” home technologies is that many of them don’t require any kind of username or password, a flaw that allows even an unskilled attacker to take control of a device in a shorter amount of time than it takes you to read this sentence. For the technologies that do require a username and password, users will typically choose weak passwords, ones that are easily guessable such as “Password1.” If a device doesn’t force a user to choose a username and password when setting up the device, users will often accept the defaults. For example, I recently reviewed an internet-connected camera that came with an easily guessed default username of “admin” and password of “123456.” Anyone who knows the model of the camera can discover its default username and password with a quick web search and take control of it.
The benefits of these technologies should not be overlooked. They make our lives easier by enabling us to control devices in our home from anywhere in the world. If you forget to close the garage door or leave a key for your neighbour to come in and let the dog out, you can immediately fix the situation using your smartphone or laptop. If you want to turn up the heat after hearing about an approaching cold front, you can control your thermostat from anywhere. These kinds of conveniences are helpful and will continue to be in-demand; however, before we jump on the smart home bandwagon, we must consider the security vulnerabilities that come with it.
Help from the hackers
As things stand now, we must rely on hackers, whether they are hobbyists or professionals, to review these technologies and make vendors and customers aware of the issues. While most people think of hackers as criminals, hacking is a discipline that can be used to achieve various goals. It’s true that for some people, the goal is to become rich through fraud, cause havoc, or spy on and shout obscenities at children. However, there are many hackers whose goal is to improve the security of the systems we use every day and keep people safe. These kinds of hackers, known as ethical or white hat hackers, are people working to find vulnerabilities in order to make the general public safer.
First and foremost, companies that produce these kinds of technologies need to involve security in the process of developing and testing their products. Before putting the “smart” home products on the shelves, they should appoint ethical hackers, either internally or externally, to test the products for security vulnerabilities. At home, users must set strong, hard-to-guess passwords. One good way to ensure you’re using strong passwords is to use a password manager which will generate strong passwords for you. Users should also weigh the risk of using these products against the benefits. What are you risking by connecting this technology to the internet? What may happen if an outsider gets control of it? Is it a matter of an outsider being able to flush my toilet or is it giving the world the ability to watch my toddler as she sleeps?
When you connect a technology of any sort to the internet, there is the potential for it to be hacked. If we’re going to put our homes on the internet, security must be a part of that process.