The Internet of Things (IoT) is transforming the way we live, work and play. You can find it in the fitness trackers you might be wearing to monitor step count and heart rate. Or the car you may be driving. But more than anywhere else, you’ll see IoT at home in an increasing array of gadgets: from voice-activated smart speakers to internet-connected baby monitors.
It’s estimated that 14.2 billion connected “things” like these are in use globally in 2019, which will rise to 25 billion in a couple of years’ time. There’s just one problem: if not properly secured, they could present hackers with new opportunities to sneak into your smart home through the cyber-front door.
So what are the risks—and how can you protect your home?
Governments take action
First, some good news: as consumers’ homes fill with ever-greater numbers of smart gadgets, governments are aware of the growing risks of cyber-attacks. In the US, California is leading the way with new legislation designed to force manufacturers to improve the security of their products. SB-327 introduces minimum requirements such as forcing each user to set a unique device password the first time they connect.
Following hot on the heels of the Golden State is the federal government. Introduced in March, the bipartisan Internet of Things (IoT) Cybersecurity Improvement Act of 2019 doesn’t cover all IoT makers, only ones which sell products to the government. However, it is hoped that the law will have a knock-on effect with the wider industry, encouraging other manufacturers to raise their standards.
But it’s not only the US that is making moves to safeguard IoT users. The UK in May introduced a proposed new law designed to force manufacturers to adhere to key security requirements, covering things like unique passwords and security updates. In addition, retailers will only be allowed to sell devices with a clear label telling consumers how secure they are.
While Trend Micro welcomes any government moves to make smart home gadgets more secure, the truth is that it will take a while for these laws to take effect—and even longer for them to have an impact on the firms designing and building our connected devices. The US federal proposal will require a separate standards body to hunker down and draw up its requirements first, which could take months. There’s also a risk that when new laws take effect, the hackers will simply move on to use new tactics not legislated for.
That’s why consumers must act now to secure their smart home. Below we list some of the key threats and how to take action.
What’s the problem?
The more smart gadgets there are in your home, the greater the number of potential targets for hackers. Devices could be hijacked if attackers manage to guess or crack the passwords protecting them, or exploit flaws in the underlying software (firmware) that runs them.
This is made easier because some devices don’t require a user to install a password; they simply run with an easy-to-guess factory default. Many manufacturers also don’t issue regular updates (patches) either, or if they do, it’s hard for users to find out about and install them. And unlike your laptop/desktop and mobile devices, these IoT endpoints are typically too small to install AV on, further exposing them.
Finally, it’s not just the devices themselves that are at risk, but also the complex, underlying automation systems that link them together behind the scenes. This complexity creates gaps that bad guys are adept at exploiting.
So, to simplify, there are three main threat vectors facing home networks:
1. Physical danger
Devices could be remotely controlled by attackers to surveil the family. For example, by hijacking feeds from smart security cameras, or other sensors around the house such as smart door and window locks, burglars could work out when the property is empty. They could even remotely unlock doors or windows, if these are internet-connected — for example by cloning the owner’s voice and playing commands via your home assistant.
Cases have been reported in the past of hackers remotely monitoring smart homes. In one incident, a baby monitor was hacked and used to broadcast threats to the parents; while more extensive hacks of home security cameras have had their video content streamed online.
2. Data loss and malware
These same devices are also a potential gateway into the home network, which could allow hackers to grab passwords for your key online accounts like banking and email. Any data they collect on you can be sold on the dark web and used for future identity fraud. The router is in many ways the digital gateway to your smart home — the place where all your internet traffic passes through. That makes it particularly vulnerable to these kinds of attack. As well as data theft, hackers could be looking to spread malware such as ransomware and banking trojans.
One major router threat spotted in 2018 was VPNFilter—information-stealing malware which infected at least half a million routers globally by exploiting vulnerabilities in the devices.
3. Hijacked devices become botnets
In another scenario, your smart home gadgets and router are hijacked and remotely controlled not to install ransomware or steal data from your family, but to use in attacks on others. Typically, they become part of a botnet of controlled machines which are programmed to do the bidding of the hackers. This could range from launching denial-of-service (DoS) attacks on businesses to illegally mining for crypto-currency.
The most famous example of this kind of attack came in 2016, when the Mirai campaign managed to hijack tens of thousands of IoT devices by scanning for any exposed to the internet and protected only with factory default passwords. In an infamous attack, it managed to take out a key online provider, resulting in outages at some of the biggest sites on the internet, including Twitter and Netflix.
What to do next
All that said, there are some simple steps you can take today to help reduce your exposure to IoT threats. It should begin with taking time out to understand how your devices work. Are they password protected? How are they updated? Are they running unnecessary services which may expose them to attackers? A bit of research before you buy and install them will also go a long way to keeping you safe.
Here are a few best practice tips to get you started:
- Change factory default passwords to strong and unique credentials.
- Switch on two-factor authentication for even more log-in protection, if offered.
- Regularly check for firmware updates and apply as soon as they’re available.
- This may require you to visit the manufacturer’s website from time-to-time.
- Use WPA2 on your routers for encrypted Wi-Fi. Disable UPnP and any remote management features.
- Set up a guest network on your router, which will help protect your main network, its devices and data, from network worms and other malware inadvertently introduced by guests.
- Protect your computers and smartphones with AV and only download legitimate smart home apps.
How Trend Micro can help
Trend Micro is here to offer you peace-of-mind when it comes to protecting your smart home. The first step is diagnostic: download our Trend Micro HouseCall for Home Networks tool to check your network. It will run a comprehensive scan on all your smart home gadgets, highlighting any vulnerabilities and other risks, and providing helpful advice for keeping your network and devices secure.
Next up, install Trend Micro Home Network Security (HNS) for comprehensive protection on all your home devices. It blocks dangerous file downloads and malicious websites, protects your personal/financial data from theft, and will keep ransomware, phishing and other threats at bay. HNS provides instant threat notifications, lets you disconnect any unwanted devices from your network, and offers full control over your devices from your Android or iOS smartphone with the paired HNS monitoring app.
Watch our Trend Micro Home Network Security videos to find out more about how HNS helps protect your network.