Toothbrushes, beds, ovens, lightbulbs, toasters – if it exists in your home, a company somewhere will have put a chip in it. The idea of a smart home is very appealing – all your devices connected and controllable via an app – but many of the ‘smart’ devices you can hook up to your home network today are actually pretty dumb. Many have no security features at all – or even any means of updating their firmware. How do you patch a toaster?
With that in mind we asked two of the biggest names in home security, Avast and Bitdefender, what the risks are and what you can do to keep yourself safe.
“[The] matter of IoT security has become extremely pressing in the past couple of years, as the market has been flooded by a wide range of smart things that have made their way into homes,” Liviu Arsene, global cybersecurity researcher at Bitdefender, told TechRadar.
“However, while manufacturers have rushed into pushing smart capabilities into almost all household appliances and devices, security has taken a back seat. In fact, as security researchers have demonstrated on numerous occasions, a large percentage of internet-connected devices ranging from household appliances to implantable medical devices and industrial systems have been found lacking even the most basic security practices.”
It’s something we’ve seen ourselves. In 2017, TechRadar attended an event where security experts from Bitdefender demonstrated just how easy it is to take control of an IP camera running insecure firmware. The camera in question – a cheaply purchased one from an unknown manufacturer – was easily accessed remotely using a hard-coded admin password, giving the ‘attacker’ full control.
Many devices are shockingly exposed – master accounts often have both the username and password set to ‘admin’, and might be running open source software with known vulnerabilities. Patching is impossible – cheap devices often have no means of installing updates.
Why smart home security matters
But is that always so important? A camera can give criminals an unrestricted view of your home, but surely a connected coffee machine is harmless?
“What’s appealing about them is that they have internet connectivity and that they’re usually connected to the same network as other critical devices, such as smartphones, tablets, and desktop computers,” Arsene said. “This means that vulnerable IoTs that are connected to the internet can turn into gateways that attackers can use to remotely dial into infrastructures and potentially access other devices and information.”
Arsene notes that IoTs can also be used as weapons of mass disruption – as in the Mirai incident, where thousands of IP cameras were amassed into a botnet and used to perform a denial of service attack on one of the largest DNS service providers in the US – taking down services belonging to Fortune 500 companies. Even if it doesn’t pose a direct threat to you, an insecure smart home device can be weaponized.
Bitdefender’s London event marked the launch of the Bitdefender BOX (now in its second iteration) – an all-in-one router, hardware firewall and network manager that checks all the traffic on your home network and all the devices connected, and warns you at the first sign of suspicious activity.
Avast has now launched its own home security system – Avast Omni – a combination of hardware and software that works with your existing router. It's currently only available in the US, but will be rolling out more widely soon.
“When we went to design this product we had a set of design goals,” Gagan Singh, SVP and chief product officer at Avast Mobile, told TechRadar. “We wanted to essentially provide you with a single subscription to protect all your IoT devices in your home.
“The real meat of the product is really inside the network and inside software. The hardware is just an enabler to look at the traffic patterns and metadata of the traffic and the software analyses that and calls out anomalies in that traffic or devices that may be misbehaving. The hardware is an enabler for the software to make detections.”
What you can do
However, these systems aren’t the only way to protect your smart home, and the experts have some practical advice that you can start using today.
[One of] the most important things that people can do – and we often don’t , because the whole IoT [Internet of Things] landscape is so nascent – is that you have to go purchase IoT devices from reputable vendors,” said Singh.
He gave the example of an experiment where a journalist from Wired bought an unbranded IoT device, connected it to an unsecured network, and found that it took less than a minute to catch malware. Buying from a reputable vendor doesn’t guarantee that your device won’t be compromised, but it does mean it adheres to certain security standards.
“Second, make sure that the firmware is updated,” Singh said. “A lot of devices are getting quite intelligent, with auto updates, but as the software gets outdated and more vulnerabilities pile up, it makes that insecure.”
“…[H]ome users that already have a smart home or smart devices within their home should consider already setting in place network security appliances that work in tandem with their current router, in order to weed out potential intrusions,” Arsene added.
“For example, a dedicated home network security solution has the ability to let users know whenever devices are secured with poor passwords, whether firmware updates are available for IoTs and even the router, whether brute-force attempts or known exploits are performed against devices, and even warn users if sensitive data – such as passwords or credit card details - is being exposed online via unsecured communication channels.
“In essence, a dedicated home network security appliance that acts as a gateway for all smart home devices and makes sure that all home network devices are equally secure.”
As a wary consumer, it’s best to take as many steps as possible to keep yourself safe, because the industry won’t do it for you.
“Those [methods] can help mitigate a big part of the safety risk,” said Singh. “One that cannot be mitigated by the end consumer is that a lot of appliance makers who are now selling Wi-Fi chips don’t have a background in providing IoT security. Toaster makers have been great at making toasters, but when they add Wi-Fi capability they have no sense of the risks that are associated with providing that capability and how would you secure it.”
You wouldn’t trust a toothbrush maker to build your router, so why give it unrestricted access to your home network?