Watch that coffeemaker!

Watch out: Your home could be out to get you.

For instance, your coffeemaker could expose your home wi-fi password.

Or your baby video monitor could be controlled by a malicious third party.

And your smartphone-controlled home security system could be fooled by a simple magnet.

Investigating some of the latest internet-of-things (IoT) products, Kaspersky Lab researchers have discovered serious threats to the connected home.

Threats close to home

In 2014, Kaspersky Lab security expert David Jacoby decided to investigate how susceptible the devices he owned were to a cyber attack. He discovered that almost all were vulnerable.

This year, a team of Kaspersky Lab anti-malware experts repeated the experiment with one difference. Jacoby’s research concentrated mostly on network-attached servers, routers, and smart televisions. But this latest research was focused on various connected devices available on the smart home market. The investigation discovered that almost all of the devices contained vulnerabilities.

• Not mere child’s play. The baby-monitor camera used in the experiment could allow a potential attacker, while using the same network as the camera owner, to connect to the camera, watch the video from it, and launch audio on the camera itself.

Other cameras from the same vendor allowed for the ability to collect owner passwords.

The experiment showed it was also possible for someone on the same network to retrieve the root password from the camera and maliciously modify the camera’s firmware.

• Grounds for concern. When researching app-controlled coffeemakers, Lab staff discovered that it’s not even necessary for an attacker to be on the same network as the victim. The coffeemaker examined during the experiment was sending enough unencrypted information for an attacker to discover the password for the coffeemaker owner’s entire wi-fi network.

• Magnetic switcheroo. Then the Kaspersky Lab researchers found that the smartphone-controlled home security system’s software had just minor issues and was secure enough to resist a cyber attack.

Instead, the vulnerability was found in one of the sensors used by the system. The contact sensor used is designed to set off the alarm when a door or a window is opened. It works by detecting a magnetic field emitted by a magnet mounted on the door or window.

During the experiment, Kaspersky Lab experts were able to use a simple magnet to replace the magnetic field of the magnet on the window. This allowed them to open and close a window without setting off the alarm.

This vulnerability is also impossible to fix with a software update; the issue is in the design of the home security system itself. Furthermore, the magnetic field sensor-based devices are a common type of sensors, used by multiple home security systems on the market.

Word to wise re smart devices

“Our experiment, reassuringly, has shown that vendors are considering cyber-security as they develop their IoT devices,” says Victor Alyushin, security researcher at Kaspersky Lab. “Nevertheless, any connected, app-controlled device is almost certain to have at least one security issue. Criminals might exploit several of these issues at once, which is why it is so important for vendors to fix all issues —even those that are not critical.”

Alyushin  says these vulnerabilities should be fixed before the product even hits the market, as it can be much harder to fix a problem when a device has already been sold to thousands of homeowners

How to safeguard yourself

Kaspersky Lab experts advise the following to help consumers stay protected from the risks of vulnerable smart home IoT devices:

• Google before you buy! Before buying any IoT device, search the internet for news of any vulnerabilities within that device. Researchers are constantly finding security issues in IoT products, from baby monitors to app-controlled rifles. It is very possible that the device you are going to purchase has already been examined by security researchers. You can find out whether the issues found in the device have been patched. 

• Let pioneers go first. Avoid the temptation of purchasing new products recently released on the market. Along with the standard bugs you get in new products, recently-launched devices might contain security issues that haven’t yet been discovered. It is better to buy products that have already experienced several software updates.

• How smart must your home be? When choosing what part of your life you’re going to make a little bit smarter, consider the security risks. If you set up a home security system, consider a professional alarm system that can be set up in such a way that any potential vulnerabilities would not affect its operation. Or if you need to purchase a baby monitor, it may be wise to choose the simplest RF-model on the market, one that is only capable of transmitting an audio signal, without internet connectivity.

Read an in-depth report on Kaspersky Lab’s Securelist site