At the Black Hat security conference in Las Vegas earlier this month, researchers demonstrated how a Nest thermostat can be hacked, to show how easily connected appliances—the household technologies that make up the Internet of Things—can be compromised. When you look beyond the demo's hyperbolic headlines, it turns out the hack requires physical access to the Nest device, but the questions remains, “How vulnearable is IoT?”
To find out, David Jacoby, a security researcher with Kaspersky Lab, hacked his own living room.
In a blog post detailing the exercise, Jacoby describes the array of connected devices in his home. He has two different NAS (network-attached storage) units, a smart TV, satellite receiver, printer, and the router from his Internet provider. Aside from the NAS units, it's all technology you can find in just about any house.
Jacoby identified 14 vulnerabilities just in the two NAS units, one in the smart TV, and several concerning issues with his Internet router. He found remote code execution flaws and weak passwords on the NAS devices, a potential for a man-in-the-middle attack on unencrypted traffic between the smart TV and the TV vendor’s servers, and hidden backdoors in the router designed to provide the Internet provider support personnel to remotely access any device on the private network.
The results are concerning. It took Jacoby less than 20 minutes to find and verify extremely serious vulnerabilities that expose his home to significant risk. He explained, “Individuals and also companies need to understand the security risks around connected devices. We also need to keep in mind that our information is not secure just because we have a strong password, and that there are a lot of things that we cannot control.”
Unfortunately, securing IoT devices is a bigger challenge in many cases than patching and securing traditional computing devices. Many IoT technologies lack any sort of direct user interface, so you are dependent on the vendor to make it as secure as possible off the shelf and to deploy updates in a timely manner when flaws are discovered.
There are a few things you can do yourself, though. Jacoby says users should keep devices that do offer firmware and security patches up to date. He also stresses that all default passwords should be changed. Finally, Jacoby recommends exploring more advanced features in some routers that will enable you to restrict access so that only designated devices on your network are allowed to connect to the network or access other resources.