For all intents and purposes, it’s an excellent time to be a hacker.
While five years ago the only way to make money off of illicit access to data was by funneling personalized health information or credit card numbers through back-channel and black market deals, the rise of ransomware provides a self-sufficient cottage industry for the entrepreneurial data thief. But not to worry, say the growing number of at-home Internet of Things devices that seek to control everything from the lights to the heater; the future of the smart home is coming along as smoothly as can be, right?
Wrong.
A new report from Bitdefender explains something that most tech consumers already know (that their smart thermometers, light switches and device hubs aren’t as secure as they could be) but in a way that might not be common knowledge. In an in-depth breakdown of the security measures of four popular consumer IoT products — the WeMo Switch, the Lifx Bulb, the GE LinkHub and the Muzo Cobblestone — the software security company found that hackers often don’t have to do much hacking at all to turn IoT devices into ransomware bricks.
In some cases, like for the WeMo Switch, standard password protection security is done in by the fact that the device’s smartphone-based controller communicates without authentication and in plain text. While the password in question is encrypted, Bitdefender called the 128-bit AES algorithm used to secure it “easily breakable.” Indeed, the company’s researchers were able to reverse engineer the password and log into the switch, whereby they could control the ominously phrased “various tasks.”
In other cases, security vulnerabilities in smart home products can compromise an entire house’s Wi-Fi network. Upon initial installation, the Muzo Cobblestone’s Wi-Fi audio receiver creates a hotspot, and users are then prompted to enter the login credentials of their home network. However, this hotspot remains active after installation is completed, and while the option to protect access with a password is available, no such prompt alerts users to the flaw or the fix.
As if that wasn’t enough, the Muzo device comes installed with Telnet remote access software, and Bitdefender was able to use brute-force password searches to see that the credentials to access the Telnet service were never changed by the manufacturer and remained at the default “admin/admin.”
And if that wasn’t enough, Bitdefender actually notified all four manufacturers of the devices in question as soon as it found the vulnerabilities. After waiting 30 days to publish the report, Muzo was the only device to receive any kind of fix, and it was only to halt the indefinite operation of the login hotspot.
As more and more companies try to beat each other to market with increasingly advanced smart home devices, the time-consuming process of quality testing security measures will most likely continue to fall by the wayside. After all, there’s nothing inherently costly for manufacturers about loosely secured smart thermostats and light switches.
However, there is an incontrovertible threat to the consumers who buy them. Reuters recently outlined how the rise of ransomware has led hackers to refine their techniques to an almost professional level of nefariousness. They ask for sums their targets can pay, they offer informative FAQs decorated with studio-quality graphics and they have call-in centers that can walk ransomees through the process of gaining access back to their data.
But with entire homes hooked up to the Net, data won’t be the only thing consumers are desperate to get back. When loosely guarded smart devices control everything in a home, from the heat to the lights to the locks on the front door, how much are hackers going to ask for before going on their merry ways? How much will consumers be willing to pay?