It’s only a smart lightbulb. Why would anyone want to hack that?
Great question. Because it gets to the heart of security matters for your IoT smart home devices.
Internet of Things (IoT) devices have certainly made themselves at home in recent years. Once a novelty, they’ve become far more commonplace. The numbers bear that out. Recent research indicates that the average U.S. household has 20.2 connected devices. Europe has 17.4 on average, while Japan trails at 10.3.
Of course, those figures largely account for computers, tablets, phones, and internet-connected smart TVs. Yet the study uncovered a sizable jump in the presence of other smart devices.
Comparing 2022 to 2021, smart homes worldwide had:
- 55% more cameras.
- 43% more smart doorbells.
- 38% more home hubs.
- 25% more smart light bulbs.
- 23% more smart plugs.
- 19% more smart thermostats.
Consider that connected devices in the home rose just 10% globally during the same timeframe. It’s clear that IoT smart home device ownership is on the upswing. Yet has security kept up with all that growth?
Poor security and consumer IoT smart home devices
That security question brings us back to the lightbulb.
An adage in security is this: if a device gets connected, it gets protected. And that protection has to be strong because a network is only as secure as its weakest link. Unfortunately, many IoT devices are indeed the weakest security links on home networks.
Some recent research sheds light on what’s at stake. Cybersecurity teams at the Florida Institute of Technology found that companion apps for several big brand smart devices had security flaws. Of the 20 apps linked to connected doorbells, locks, security systems, televisions, and cameras they studied, 16 had “critical cryptographic flaws” that might allow attackers to intercept and modify their traffic. These flaws might lead to the theft of login credentials and spying, the compromise of the connected device, or the compromise of other devices and data on the network.
Over the years, our research teams at McAfee Labs have uncovered similar security vulnerabilities in other IoT devices like smart coffee makers and smart wall plugs.
Vulnerabilities such as these have the potential to compromise other devices on the network.
Let’s imagine a smart lightbulb with poor security measures. As part of your home network, a motivated hacker might target it, compromise it, and gain access to the other devices on your network. In that way, a lightbulb might lead to your laptop—and all the files and data on it.
So yes, someone might be quite interested in hacking your lightbulb.
Botnets: another reason why hackers target smart devices
One Friday morning in 2016, great swathes of the American internet ground to a halt.
Major websites and services became unresponsive as internet directory services got flooded with millions and millions of malicious requests. As such, millions and millions of people were affected, along with public agencies and private businesses alike. Behind it, a botnet. An internet drone army of compromised IOT devices like digital video recorders and webcams.
Known as the Mirai botnet, its initial purpose was to target Minecraft game servers. Essentially to “grief” innocent players. Yet it later found its way into other hands. From there, it became among the first high-profile botnet attacks on the internet.
Botnet attacks can be small and targeted, such as when bad actors want to target a certain business (or game servers). And they can get as large as Mirai did. Regardless of size, these attacks rely on compromised devices. Consumer IoT devices often get targeted for such purposes for the same reasons listed above. They can lack strong security features out of the box, making them easy to enlist in a botnet.
In all, the threat of botnets makes another strong case for securing your devices.
How to protect your smart home network and IoT devices
To put a fine point on it, security in your smart home is an absolute must. And you can make your smart home far more secure with a few steps.
Grab online protection for your smartphone.
Many smart home devices use a smartphone as a sort of remote control, and to gather, store, and share data. So whether you’re an Android owner or an iOS owner, protect your smartphone so you can protect the things it accesses and controls—and the data stored on it too.
Don’t use the default—Set a strong, unique password.
One issue with many IoT devices is that they often come with a default username and password. This could mean that your device and thousands of others just like it share the same credentials. That makes it easy for a hacker to access to them because those default usernames and passwords are often published online.
When you purchase any IoT device, set a fresh password using a strong method of password creation. Likewise, create an entirely new username for additional protection as well.
Use multi-factor authentication.
Banks and other online services commonly offer multi-factor authentication to help protect your accounts. In addition to using a username and password for login, it sends a security code to another device you own (often a mobile phone). It throws a big barrier in the way of hackers who try to force their way into your device with a password/username combination. If your IoT devices support multi-factor authentication, consider using it with them too.
Secure your internet router too.
Another device that needs good password protection is your internet router. Make sure you use a strong and unique password as well to help prevent hackers from breaking into your home network. Also consider changing the name of your home network so that it doesn’t personally identify you.
Fun alternatives to using your name or address include everything from movie lines like “May the Wi-Fi be with you” to old sitcom references like “Central Perk.” Also check that your router is using an encryption method, like WPA2 or the newer WPA3, which will keep your signal secure.
Upgrade to a newer internet router.
Older routers might have outdated security measures, which might make them more prone to attacks. If you’re renting yours from your internet provider, contact them for an upgrade. If you’re using your own, visit a reputable news or review site such as Consumer Reports for a list of the best routers that combine speed, capacity, and security.
Update your apps and devices regularly.
In addition to fixing the odd bug or adding the occasional new feature, updates often fix security gaps. Out-of-date apps and devices might have flaws that hackers can exploit, so update regularly. If you can set your smart home apps and devices to receive automatic updates, select that option so that you’ll always have the latest.
Set up a guest network specifically for your IoT devices.
Just as you can offer your guests secure access that’s separate from your own devices, you can create an additional network on your router that keeps your computers and smartphones separate from IoT devices. This way, if an IoT device is compromised, a hacker will still have difficulty accessing your other devices on your primary network that hosts your computers and smartphones.
Purchasing IoT smart home devices (with security in mind)
You can take another strong security step before you even bring that new smart device home. Research.
Unfortunately, there are few consumer standards for smart devices. That’s unlike other household appliances. They must comply with government regulations, industry standards, and consumer-friendly standards like Energy Star ratings. So, some of the research burden falls on the buyer when it comes to purchasing the most secure devices.
Here are a few steps that can help:
1) Check out trusted reviews and resources.
A positive or high customer rating for a smart device is a good place to start, yet purchasing a safer device takes more than that. Impartial third-party reviewers like Consumer Reports will offer thorough reviews of smart devices and their security, as part of a paid subscription.
Likewise, look for other resources that account for device and data security in their writeups, such as the “Privacy Not Included” website. Run by a nonprofit organization, it reviews a wealth of apps and smart devices based on the strength of their security and privacy measures.
2) Look up the manufacturer’s track record.
Whether you’re looking at a device made by a well-known company or one you haven’t heard of before, a web search can show you if they’ve had any reported privacy or security issues in the past. And just because you might be looking at a popular brand name doesn’t mean that you’ll make yourself more private or secure by choosing them. Companies of all sizes and years of operation have encountered problems with their smart home devices.
What you should look for, though, is how quickly the company addresses any issues and if they consistently have problems with them. Again, you can turn to third-party reviewers or reputable news sources for information that can help shape your decision.
3) Look into permissions.
Some smart devices will provide you with options around what data they collect and then what they do with it after it’s collected. Hop online and see if you can download some instructions for manuals for the devices you’re considering. They might explain the settings and permissions that you can enable or disable.
4) Make sure it uses multi-factor authentication.
As mentioned above, multi-factor authentication provides an additional layer of protection. It makes things much more difficult for a hacker or bad actor to compromise your device, even if they know your password and username. Purchase devices that offer this as an option. It’s a terrific line of defense.
5) Look for further privacy and security features.
Some manufacturers are more security- and privacy-minded than others. Look for them. You might see a camera that has a physical shutter that caps the lens and blocks recording when it’s not in use. You might also find doorbell cameras that store video locally, instead of uploading it to the cloud where others can potentially access it. Also look for manufacturers that call out their use of encryption, which can further protect your data in transit.
If a device gets connected, it gets protected
Even the smallest of IoT smart home devices can lead to big issues if they’re not secured.
It only takes one poorly secured device to compromise everything else on an otherwise secure network. And with manufacturers in a rush to capitalize on the popularity of smart home devices, sometimes security takes a back seat. They might not thoroughly design their products for security up front, and they might not regularly update them for security in the long term.
Meanwhile, other manufacturers do a fine job. It takes a bit of research on the buyer’s part to find out which manufacturers handle security best.
Aside from research, a few straightforward steps can keep your smart devices and your network safe. Just as with any other connected device, strong passwords, multi-factor authentication, and regular updates remain key security steps.
For a secure smart home, just remember the adage: if a device gets connected, it gets protected.
Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.