Skip to main content

Hacking the Internet of Things

The Internet of things

As the proliferation of smart devices begins in earnest, consumers may invite a whole new wave of security risks into their homes without even realizing it. Any device with an operating system can be hacked, be it a thermostat, TV or even a toilet.

In recent years, consumers have generally been wise enough to protect their computers from cybercriminals and harmful software. They've begun to protect their mobile devices in the same way, but their household electronics are woefully unprepared for the next wave of cyberattacks.

Smart household devices

There are all kinds of devices you can buy in order to convert your boring, ordinary old house into a "smart house." Using Wi-Fi-enabled devices, you can control your home's temperature, monitor your grounds, unlock your doors, control your lights and keep your food fresh.

MORE: 5 Free PC Security Programs Worth Downloading

Although it doesn't reveal as much information as hacking into a PC or a smartphone, malefactors can still compromise these devices, and in most cases, doing so is absolutely trivial. A hacker sending you a bogus grocery list might not sound like much of a threat, but someone unlocking your doors while you're out and helping themselves to your stuff could be a little more troublesome.

"Motion sensors, sirens, window and door sensors — those are marketed as secure devices with the assumption that … it would be very difficult for an attacker to [target them]," said Behrang Fouladi, a security researcher at SensePost. "This assumption is not correct."

At this year's Black Hat security conference in Las Vegas, the Internet of Things (nontraditional Web-enabled devices) was a hot topic. Multiple presentations suggested that security on these devices is, at present, almost nonexistent.

Fouladi and his colleague Sahand Ghanoun, an aerospace engineer, tested a number of smart devices controlled by ZigBee and Z-Wave communication protocols. Both ZigBee and Z-Wave are common wireless communication systems that communicate between devices via radio waves.

In addition, security researchers David Bryan, security consultant at Trustwave SpiderLabs; Daniel Crowley, managing consultant at Trustwave SpiderLabs; and Jennifer Savage, software engineer at Tabbedout, gave a presentation that examined a number of different smart devices and concluded that they were all more or less ripe for attacks.

Device breakdown

The Belkin WeMo switch was one of the most vulnerable products tested. The switch is fairly straightforward: Hook any electronic device up to it, switch it on or off via your smartphone, and do things like prime your air conditioner while you're finishing up yard work or brew your coffee while you snatch a few more minutes of shut-eye.

In addition to commandeering the device via its operating system, the researchers were able to monitor communications between the switch and the iPhone commanding it. This could be a mere annoyance if you're controlling a lamp in the bedroom or a real problem if you're controlling an electronic safe.

The Radio Thermostat faced similar problems: A complete lack of authentication means that anyone on the same Wi-Fi network with a working knowledge of its OS can adjust the temperature on a whim.

"Thermostats and lights are not very critical if they are compromised," Fouladi told Tom's Guide. "I don't care if someone, for instance, tries to turn off or turn on the lights … Something like a front-door lock or a motion sensor, if they are used to detect intrusion — that is critical stuff. The implication of the compromise is higher."

The biggest problems were present in the most sophisticated devices: the hubs. Both the MiCasaVerde VeraLite and INSTEON Hub centralize all of the smart devices in a house and allow a user to control them from one place. The Karotz Smart Rabbit consolidates your email, social networking information and music, and can broadcast it all to you by voice. It also looks like an adorable anime rabbit.

None of the three will keep you safe. The researchers compromised the VeraLite, but the company would not acknowledge the product's security flaws, much less fix them. The INSTEON Hub's OS lacks even basic authentication procedures.