Researcher Says It Only Takes Minutes To Hack Most Smart Home Security Devices

With a security hack taking place just about every day, consumers are more on-guard than ever when it comes to making sure their personal information is secure from ne’er-do-wells. But a new report points out that we might be inviting those hackers into our homes with open arms thanks to the less-than-optimal security of many smart home products.

Gigaom reports that testing conducted by research firm Synack found that many of the products that make up a smart home – including cameras, thermostats, and smoke detectors – have serious security flaws.

Colby Moore, a security research analyst for Synack, tells Gigaom that it took him only 20 minutes to break into all but one of the 16 assorted devices during testing.

Moore says the lack of security for such products could stem from the fact that there are no set standards for smart home security.

“Right now the internet of things is like computer security was in the nineties, when everything was new and no one had any security standards or any way to monitor their devices for security,” he tells Gigaom.

Of the 16 devices tested, Synack found only one – the Kidde connected smoke detector – that didn’t have significant flaws.

When all testing was said and done, the worst performing devices were connected cameras. Each of the five camera products tested had issues either with encryption or password security. In all, the report found that Dropcam was the least-flawed camera.

When it came to thermostats, Nest was deemed to be the most secure, although it did lose points for a weak password policy. Other products from Ecobee, Hive and Lyric were all dinged by testers for issues with password policies, encryption and a long history of vulnerabilities across product lines.

While researchers already found the Kidde connected smoke detector to be the most secure out of all smart home devices tested, other smoke and carbon dioxide detectors didn’t fare so well.

Moore points out that this category – specifically the First Alert product – could fall victim to a supply chain-based attack. Gigaom suggests that means someone would have to intercept the device and change a component, something that could take place in returned or second-hand devices.

The final category tested by Synack was home automation controllers – the devices that connect all smart home devices.

Iris tested the best, only being dinged for its moderate password policy. Other products from SmartThings and Control4 had issues with exposed service and insecure architecture.

In all, Moore tells Gigaom that the security of smart home devices today is “abysmal.”

Still, he does offer consumers a few best practices that they could follow to make their devices safer.

He suggests users hardwire as many devices as possible, enable automatic firmware updates and utilize strong passwords.

When it comes to smart home security, cameras are the worst [Gigaom]


  1. Mokona512 says:

    That is why you avoid any product that relies on remote servers unnecessarily, e.g., a Dropcam. (If their service fails, or goes out of business, or they decide to charge $1,000,000 a month, then you are left with a paperweight.)

    The more unnecessarily complex you make the system, the more attack vectors you create, in addition to points of failure.

    If you want proper home surveillance, then buy a system that is completely local (cameras and DVR unit on your LAN). Many of them offer remote access, but if you have one which has a known security flaw, you can disable its WAN access, then simply set up a VPN server to get onto your LAN in order to access the camera. (This is very simple to do; some routers even come with a built-in VPN server, if you do not feel like installing a 3rd party firmware.)

    If you want better security, go with devices that do not require any type of remote server connection for their full functionality. E.g., I have some IP cameras which are vulnerable to a sidejacking attack for the login session. I solved that issue by setting up a VPN server, and making sure that the IP cameras cannot access anything on the WAN, thus the only way to get to them is on the LAN, and through a VPN. (While the security flaw still exists, it is only exploitable from the LAN, and if your network is compromised to that extent, then you have far bigger problems.)

    • furiousd says:

      This is one of the reasons I want to roll my own home security system. I don’t particularly trust someone else to handle my security for me and I’m incredibly cheap and can build something with a good lens/sensor with pan/tilt and flexible connectivity for less than some of the low-end offerings available. It’s not a good solution for everyone though. I work for a research lab that has developed portions of intelligent security systems for the military/government and as such would have a lot of fun not only setting up my own cameras and having them network-connected, but with added intelligence. My next project is to have things link into an automated sprinkler system. It will read the moisture sensors to keep the lawn watered while pulling weather forecasts to make sure a storm isn’t on the way so water isn’t wasted and use the cameras to determine if something in my yard is an animal or a person. If a person, determine if a child (I have a problem with children trampling on my garden and stealing flowers while leaving trash). If a child or an animal (I also have a problem with people in the neighborhood letting their animals roam free) then turn on the sprinklers. If an adult, determine if a deliveryman/mailman and allow to pass. If an adult and not a deliveryman, compare face to friends/family and if not found, keep a detailed recording of all activities and alert me via text/email to watch the cameras and possibly issue an alarm if necessary.

      I love added intelligence. Growing up we had a lot of trouble with our alarm system’s monitoring company and I want to make sure I don’t have to depend on someone in a call center making the wrong decision and getting a bunch of my stuff stolen. I’d also love to continue testing devices, algorithms, sensors, etc. and some day developing a company that will get people custom-tailored security for their homes. Everyone’s situations and concerns are different and it irritates me somewhat when I see the ads for a ‘free security system’ that does nothing but provide the company with a revenue source and the customer with a false sense of security. I think more and more people will need properly developed security to protect themselves and the current offerings are abysmal.