How to Prevent Smart Home Hacks
As the smart-home industry grows rapidly — estimates say it may be worth $21.6 billion by 2020 — smart home-security alarm systems, security cameras, baby monitors and other devices that rely on apps and web portals are becoming more commonplace.
While internet connectivity for home devices may be convenient, it's not so great for security, as "smart" gadgets can be hacked much more easily than their "dumb" predecessors.
There are a few tried-and-true gadget-hacking methods that form the basis for most smart-home security attacks. Here's a closer look at various attack types, as well as examples of how they've been implemented, and what you can do to prevent them.
Wi-Fi- and Bluetooth-enabled devices use wireless signals to communicate. Hackers with the right tools can easily tap into those signals, and — if the transmissions aren't encrypted — use them to take control of the system in question.
In 2014, security researchers demonstrated that intrepid hackers could easily monitor several popular professionally installed home security systems. Using cheap SDR devices — software-defined radios that are essentially TV-tuner dongles plugged into laptops — they could capture unencrypted transmissions from alarm sensors and control pads. Once those signals were captured, the hackers could easily use them to direct the home security systems.
How to avoid it
If you're committed to the features of professionally installed wireless home security, you can avoid some vulnerability by investing in a recognized name-brand home security system with good customer reviews. Additionally, look for a system that emphasizes encryption. Any data sent — no matter what the method — should be sent securely to avoid interception.
In the name of convenience, many smart security devices open up their apps' design elements to developers. Although there are a few payoffs of providing such open developer access, there are downsides, too.
"Customizable apps do give users access to more extensive functionality," said Carson Ward, a web developer with Fractal Media in Utah, "but they also set the stage for security weaknesses."
Systems that allow you to open a smart lock through an app, for example, don't always have security locked down. Many of these security-system apps also allow third-party app developers to make and sell compatible apps, and some of those apps create the perfect environment for easily breached loopholes.
Researchers at the University of Michigan found that 40 percent of nearly 500 apps written by third parties for the Samsung SmartThings platform could easily be accessed because of small design flaws in the apps' code that allowed too much access.
How to avoid it
If you're adding a smart lock, or any smart device, to your home-security arsenal, look for a model that regulates third-party access, Ward suggested. Additionally, he advised users to keep up with software and firmware updates released by device manufacturers, as those should help patch any gaping holes in the code.
Even the most high-tech security devices still have physical weaknesses. If they're easily moved or reset, these devices could act as gateways into private digital information.
In 2016, security testing company Pen Test Partners discovered a big vulnerability in the Ring Video Doorbell. The device's setup button created a Wi-Fi access point, and the setup button could be accessed if someone removed two screws and pulled the Ring Video Doorbell from its mounting bracket.
Once the setup button was pressed, a hacker could access the doorbell's own Wi-Fi network, and then check the settings to find the normally connected home's network name and password. Ring fixed the issue, but this wasn't the first attack of its kind on smart alarm systems, and it won't be the last.
How to avoid it
Invest in products that can't be moved or detached without some effort, especially with products that are placed outdoors, and opt for a professional installation if you don't trust your own setup skills. Regardless of whether you end up with a device that has physical weaknesses, make sure to keep the firmware updated.
A weak password is an open invitation for unauthorized access, and hackers are always eager to RSVP. Once a thief cracks a device's passcode, he or she can potentially take complete control of the gadget.
In September 2015, Boston-based security firm Rapid7 reported that many brand-name baby monitors could easily be hacked. Many of them used poor encryption standards and default usernames and passwords, making them easy to exploit.
If you've watched local TV news in the past few years, you've probably seen a story about hackers terrorizing nervous parents by speaking to children through baby monitors. Such security breaches are often made possible by unchanged default passwords.
How to avoid it
A strong password should always be your first line of defense, both on the monitor itself and on your own Wi-Fi network.
You can make a strong, unpredictable password by setting a minimum length of 15 characters, including numerals, punctuation and capital letters; using a non-dictionary word; and avoiding simple substitutions, such as “3” for “e.” For more details, read our guide on creating strong, secure passwords.
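The criteria above can be checked mechanically. The following is an added example, not part of the original article: the word list and the substitution table are small constructed samples (assumptions), and a real check would load a full dictionary.

```python
import string

# Constructed sample word list (assumption); use a full dictionary in practice.
SAMPLE_WORDS = {"password", "monitor", "welcome", "dragon",
                "sunshine", "letmein", "admin"}

# Simple look-alike substitutions, reversed so "W3lc0me" reads as "welcome".
# The table is an illustrative assumption, not an exhaustive list.
LEET_MAP = str.maketrans({"3": "e", "0": "o", "1": "l", "4": "a", "@": "a",
                          "5": "s", "$": "s", "7": "t", "!": "i"})

MIN_LENGTH = 15  # minimum length given in the article


def normalize(password):
    """Lowercase and undo simple substitutions so disguised words show up."""
    return password.lower().translate(LEET_MAP)


def dictionary_hits(password, words=SAMPLE_WORDS):
    """Return the dictionary words found in the normalized password."""
    plain = normalize(password)
    return sorted(w for w in words if w in plain)


def check_password(password, words=SAMPLE_WORDS):
    """Return the list of criteria the password fails (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 15 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    hits = dictionary_hits(password, words)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for candidate in ("P4ssw0rd!", "W3lc0me-W3lc0me-77", "qV7#rT2!mZ9&xL4^bK"):
        print(candidate, "->", check_password(candidate) or "meets the criteria")
```

The second sample is long and mixes character classes, yet it still fails because the substitutions only disguise a dictionary word.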
Always check the history log, if possible, to double-check who has accessed your device. Register the monitor with the manufacturer so you can be notified of any software upgrades and required updates.
Because smart-home security devices connect to the internet, they're vulnerable to some of the millions of pieces of malware drifting across the web.
Mass infection of Internet of Things (IoT) devices is what caused the widespread internet outages of October 2016, which made it hard for users to reach major sites such as Twitter, Amazon, Netflix and Tumblr. Hackers used malware to attack thousands of devices connected to the internet, including security cameras, to overwhelm Dyn — a company that provided domain-name system (DNS) service, a central piece of internet infrastructure — with a flood of traffic.
Security experts warn that these kinds of attacks, known as distributed denial-of-service (DDoS) attacks, will become increasingly common in the age of IoT.
According to Richard Meeus, vice president of technology at security-solutions company NSFocus, "DNS has often been neglected in terms of its security and availability," meaning that there are still significant vulnerabilities in current internet structuring and regulation.
How to avoid it
There's still a lot of discussion around how to regulate security protocols for smart devices, especially for devices whose internal settings are difficult to access or change. However, by following best practices around IoT devices, such as installing a firewall on your home network and updating a device's default network names, you can lower the odds of a breach. You might also consider one of the new devices designed to protect IoT devices, such as the Bitdefender Box or the Norton Core.
More than 25 billion devices will be connected to the internet by 2020, according to a report by Gartner market analysts. If smart-home tech is part of your security strategy, make sure you tighten up on safety measures as much as possible.
Partner with a trusted home-security company that offers reliable technology, and add your own layer of security — by using network firewalls, strong passwords and reliable installations — to protect yourself from home cyberattacks.