The hidden cyber security risks of smart devices

A smart watch, a smart phone and a laptop in a pile on a wooden desk
(Image credit: Unsplash/Brina Blum)

 

Did you know there are more smart devices on Earth than people? And that number is on the rise year upon year - especially in the age of remote and hybrid working patterns.

Ranjit Atwal, senior research director at Gartner, believes that this is down to the rise in those working from home.

“Connectivity is already a pain-point for many users who are working remotely. But as mobility returns to the workforce, the need to equip employees able to work anywhere with the right tools will be crucial,” he explains. “Demand for connected 4G/5G laptops and other devices will rise as business justification increases.”

‘Smart devices’ refers to any gadget that connects to the internet (or to your home network), usually via wifi and can communicate with each other. Examples include smart bulbs that you can control from your phone, smart speakers such as Amazon’s Alexa and wearables like the Apple Watch. To operate efficiently and enhance their functionality over time, devices often need to collect data ranging from personal information to usage patterns, allowing their use to be more personalized to the user. As with any data collection, this comes with ample opportunity for cyber criminals to exploit with malicious intent.

Unfortunately, despite the risks of smart devices, their security is not something on users’ minds. According to research from Blackberry, consumers do not typically prioritize security when selecting smart devices, with only 30% of German and Dutch home workers who own a smart device stating security was a top three factor when making purchases.

The "Cyber Resilience Act" proposed in the European Union (EU) aims to address this and  ensure that all devices connected "either directly or indirectly to another device or network", including everything from smart watches to smart fridges, will adhere to a newly proposed set of cyber security standards. 

There are a great number of reasons for major brands to comply, with the EU proposing that failing to adhere to the Cyber Resilience Act will result in fines of 15 million euros ($15 million) or up to 2.5% of their total global turnover. The Cyber Resilience Act says that manufacturers are required to report all known actively exploited vulnerabilities and incidents, as well as being obliged to provide regular security support and software updates to address new vulnerabilities.

"We deserve to feel safe with the products we buy in the single market. Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cyber security safeguards," said Margrethe Vestager, European Commission EVP for digital strategy about the Cyber Resilience Act. "It will put the responsibility where it belongs, with those that place the products on the market.”

Why are smart devices a cyber security risk?

 

Using smart devices on an unsecured Wi-Fi network poses a significant security risk as if malicious actors gain access to your home network they can potentially infiltrate and take control of all devices connected to that network. This vulnerability is particularly concerning due to the interconnected nature of smart devices, where compromising one device can provide a gateway to others. Any initial access can lead to unauthorized control, manipulation, or surveillance of various devices, including smart cameras, thermostats, and even home security systems. 

Multiple high-severity vulnerabilities were discovered in TP-Link's widely used smart lightbulb and its associated mobile app, creating potential avenues for hackers to infiltrate and gain access to the connected Wi-Fi network. These vulnerabilities could have enabled threat actors to reach other endpoints within the network, potentially granting them access to sensitive data or providing the opportunity to deploy various forms of malware and ransomware. Cyber security researchers from the Italian Universita di Catania, and their peers from the University of London, identified four major vulnerabilities. The initial two vulnerabilities, assigned severity scores of 8.8 and 7.6, could be exploited in tandem to impersonate the lightbulb on the network. Through this method, threat actors could gain unauthorized access to Tapo user account details.

This information could then be used to extract the targeted individual's Wi-Fi SSID and password. The other vulnerabilities could be used to launch ‘replay attacks’, which the attackers can use to make functional changes in the lightbulb. According to BleepingComputer, the researchers reached out to TP-Link with their findings, which the company subsequently acknowledged and stated that it would release a patch soon. 

All of these risks, and that’s just via relatively simple light bulbs! In fully automated ‘smart homes’ there are often countless opportunities for hackers to infiltrate. In an investigation, independent consumer body Which? revealed that smart devices could be exposed to thousands of scanning or hacking attempts in a single week. In collaboration with the NCC Group and the Global Cyber Alliance (GCA) they created a fake smart home in May 2021 and filled with a range of smart devices from televisions to thermostats to smart home security systems and even a smart kettle.

In the initial week of testing, Which? observed 1,017 distinct scans or hacking attempts originating from various locations worldwide, with at least 66 of them being conducted with malicious intent. In the following month, there was a substantial increase and a total of 12,807 unique scans and attack attempts targeted at the smart devices within the simulated smart home. On top of this there was 2,435 specific attempts to maliciously log into Which?'s smart devices by using a weak default username and password such as admin and admin.  

Which? estimates 97 percent of all attacks on smart devices are aimed at incorporating them into the Mirai botnet. This extensive botnet systematically scans for vulnerable devices, employing brute-force attacks to identify those secured with weak passwords. Upon discovering such devices, Mirai installs a trojan on them, effectively adding them to its botnet.

In a further distressing case study, in December 2022 cyber security researcher Matt Kune was able to turn a Google Home speaker into a wiretap device. Exploiting vulnerabilities allowed the attacker in wireless proximity to establish a "backdoor" account on the device, granting them the ability to remotely send commands over the internet, access the device's microphone feed, and execute arbitrary HTTP requests within the victim's Local Area Network (LAN). This could potentially expose the Wi-Fi password or provide the attacker with direct access to the victim's other devices. These issues have since been fixed.

This underscores the importance of securing Wi-Fi networks with strong passwords, encryption, and other security measures to prevent unauthorized access and protect the privacy and functionality of connected smart devices.

How to secure your home network

 

It’s important to create a robust digital security toolkit across all digital and smart devices as often they are all interconnected through your home wifi connection. Therefore reducing avenues for malicious actors to exploit and protecting your personal date must be consistent and effective. 

There are several ways to add additional levels of security but first things first you should consider which smart devices you actually want and will use. Instead of filling your home with an array of interconnected Wi-Fi-enabled devices that might only be used for basic functions, focus on incorporating devices that align with your specific needs and preferences. 

This approach ensures that your smart home setup is purposeful, tailored to your lifestyle, and avoids unnecessary clutter or complexity. By identifying the devices that truly enhance your daily life, you can create a more streamlined and effective smart home experience.

 Update your router settings

 

If your router has been gathering dust on a shelf for a couple of years, the security of your connected devices is likely at risk even if your internet performance has remained consistent.  Older routers often mean outdated security protocols, providing an easier access point for potential malicious actors. Keeping your router up-to-date is crucial for maintaining a robust defense against cyber security threats and ensuring the security of your connected devices.

When you’ve purchased a new router the next essential step is to secure your wifi network with a strong password. Most routers typically come with a model-specific SSID and may lack robust security measures, often using generic passwords like "admin." This common practice makes it easy for hackers to gain unauthorized access to your home Wi-Fi network and, by extension, your smart devices. To enhance security, it's important to customize your router settings, including changing the SSID and implementing a strong, unique password, reducing the risk of unauthorized access and potential security breaches.

Next, update your firmware. Firmware is the low-level software that powers your router and other Internet of Things (IoT) gadgets. Accessing your router's firmware provides the ability to customize settings, such as changing passwords and configuring various parameters. This level of control allows users to tailor their device configurations to meet specific security and functionality requirements. Configure your device to enable automatic firmware upgrades, but be aware of the potential risks associated with allowing automatic downloads from third-party servers. 

While automatic updates can ensure that your device receives the latest security patches and improvements, it's important to weigh the convenience against the potential security concerns that may arise from obtaining updates from external sources. Consider the trustworthiness of the servers and sources providing the updates to minimize any associated risks. If you’re not comfortable setting automatic updates, set yourself a regular reminder to update manually.

 Use a password manager

 

Password managers play a crucial role in enhancing online security by generating strong and unique passwords for each account and securely storing login credentials. The use of secure and distinct passwords for every account mitigates the risk of catastrophic consequences if one account gets compromised. Unlike using repeat passwords or keeping lists of passwords in accessible documents, which could lead to a domino effect if one account is hacked, password managers provide a secure and convenient solution. They help safeguard your digital identity by promoting good password hygiene and minimizing the potential impact of security breaches on your overall online presence.

 Enable multi-factor authentication 

 After strong passwords are set up and stored the next step is to enable Multi-Factor Authentication. Multi-factor authentication (MFA) is a robust verification method that requires users to go through a multi-step login process to access a website or application. 

This additional layer of security typically involves confirming the login attempt through various means such as across different devices, push notifications, or contact addresses. The National Cyber Security Centre (NCSC) recommends implementing two factor authentication for ‘high value’ accounts and all email addresses.  The more accounts that incorporate this additional layer of security through 2FA, the more robust the overall defense becomes against potential cyber attacks. 

By securing access to email accounts, which often serve as a gateway for password recovery processes, individuals can significantly enhance their cyber security posture and reduce the risk of unauthorized access to various online platforms. However, be aware of multifactor authentication fatigue attacks, also known as MFA Bombing or MFA Spamming, wherein cyber criminals will spam send authentication requests to the victim's email, phone, or registered devices with the aim of pressuring the victim to confirm their identity.

 Split your Wi-Fi network 

The FBI suggests splitting your Wi-Fi network, suggesting to consumers that "your fridge and your laptop should not be on the same network. Keep your most private, sensitive data on a separate system from your other IoT devices." 

To mitigate the risk of cyber threats, consider placing your appliances on separate networks. Many routers support the creation of a secondary guest network, which can be designated for smart home gadgets. This not only optimizes bandwidth for general browsing and streaming but also has the potential to isolate IoT devices from critical data you aim to protect. 

By adopting this strategy, even if one network is compromised, malware that infects your smart home devices is less likely to spread and affect other devices on your primary network. This adds an extra layer of security and containment to safeguard your main network from potential threats originating in the IoT ecosystem.

 Use a VPN

 

Consider investing in a Virtual Private Network (VPN) to enhance your online security. A VPN encrypts your online identity while you browse, ensuring that your browsing history is not stored on your device. The encrypted connection provided by a VPN adds an extra layer of protection, safeguarding your data from potential threats on unsecured Wi-Fi networks. 

By using a VPN, you not only protect your privacy but also fortify your online presence against various cyber threats, creating a more secure and private browsing experience.

The best VPN in 2024

 

Virtual Private Networks (VPNs) play a crucial role in fortifying the cyber security of your personal digital devices.

1. Express VPN - our top pick for VPNs

1. Express VPN - our top pick for VPNs

Express VPN is widely praised for its user-friendly applications, lightning-fast speeds, exceptional quality, and dependable content unblocking. Notable attributes encompass round-the-clock customer support for swift issue resolution and the added convenience of an integrated password manager, elevating both security and user-friendliness. 

2. Nord VPN - best cyber security additional features

2. Nord VPN - best cyber security additional features


NordVPN distinguishes itself with its incorporation of built-in ad blocking and malware protection as standard features, complementing its comprehensive VPN solution. It also showcases swift server speeds, customizable options, and an expanding array of functionalities. 

3. SurfShark VPN - best budget-friendly VPN

3. SurfShark VPN - best budget-friendly VPN

Despite its cost-effectiveness, SurfShark provides top-notch security features, making it an attractive choice for users in search of budget-friendly yet trustworthy VPN solutions. 

 How to pick a VPN to secure your device 

Virtual Private Networks (VPNs) play a crucial role in encrypting your connection and securing your device, particularly when using unsecured Wi-Fi networks- but with so many on the market it can be difficult to know which one is right for you. Here are key factors to consider when choosing your VPN to meet your needs.

Features: Evaluate the additional features offered by VPN providers to determine which ones justify the cost for you. Examples include NordVPN's built-in ad blocking or Express VPN's 24/7 customer support.

Simultaneous connections: Check the limit on the number of devices a VPN service allows you to protect simultaneously. Ensure that the chosen VPN provider accommodates the total number of devices you intend to secure.

Unblocking capability: Assess the importance of unblocking location specific content on streaming services like Netflix and opt for a VPN with the capability to bypass such restrictions.

Apps: Consider how you plan to access your VPN, keeping in mind the compatibility with your devices. Some VPNs offer apps for Windows, Mac, iOS, and Android but may lack support for platforms like Linux, routers, and smart TVs.

Price: After identifying the necessary functionalities for robust cyber security on your devices, compare the offerings of VPNs that meet your criteria. Be cautious not to compromise on quality, and explore our list of the best cheap VPN services.

 How we test VPNs

Our evaluation of virtual private networks begins by collecting details on the service and its features directly from its website. We sign up as anonymously as possible and verify server claims by connecting to different test locations.  We then read through privacy policy documents and analyze the small print to ensure robust security and, where possible, test privacy claims. 

To gauge the performance of each VPN provider, we conduct extensive speed tests, at least 120 times across two sessions, and use both a US home connection and a 1 Gbps UK data center to show us a provider's potential versus the real-world application. 

A good virtual private network should be able to unblock multiple streaming services seamlessly. To check this, we try to access geo-exclusive content from Netflix, Amazon Prime Video, Disney Plus, and BBC iPlayer, repeating the test from three different locations around the world to get an idea of how the service performs in real life.  We carry out constant real-world testing to make sure our analysis is always accurate and relevant.

Furthermore we don't just trust what we see on the surface of a VPN provider's website. We go further by checking its RAM contents and, if possible, decompiling and examining its source code to find out what's going on behind the scenes and whether the service gives genuine protection or just a false sense of security.

Read our full testing methodology on our VPN testing methodology page.

Using a VPN FAQs

Are VPNs safe?

Yes, VPNs are generally considered safe and are widely utilized as essential tools for bolstering cyber security. They encrypt your internet connection, adding an extra layer of security and privacy to your online activities.

Is it legal to use a VPN?

The legality of using a VPN depends on the country in which you are using it. In many countries, such as the UK and US, VPNs are legal and commonly used. However, in some countries like China and Russia, there are restrictions on VPN usage. It's crucial to note that while using a VPN itself may be legal, engaging in any illegal activities while connected to a VPN remains illegal.

Are VPNs easy to use?

Yes, modern VPNs are designed to be highly user-friendly. For instance, ExpressVPN offers an intuitive one-click connect function for seamless connections. Additionally, some VPNs, like those utilizing the Lightway protocol, automatically select the best server and encryption for your specific needs, further enhancing the user experience.

Disclaimer

We test and review VPN services in the context of legal recreational uses. For example:  1. Accessing a service from another country (subject to the terms and conditions of that service).  2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

Olivia Powell
Tech Software Commissioning Editor

Olivia is the Commissioning Editor for Tech Software at Tom's Guide. With a background in cybersecurity, Olivia stays up-to-date with all things cyber and creates content across sites including TechRadar Pro, TechRadar, Tom’s Guide, iMore, PC Gamer and Games Radar. She is particularly interested in threat intelligence, detection and response, data security, fraud prevention and the ever-evolving threat landscape.

With contributions from