The warning, from Ben-Gurion University of the Negev, Israel, said that vulnerable IoT devices includes baby monitors, home security and web cameras, doorbells, and thermostats and they are “easily co-opted”.
This is not a particularly new development. Four years ago the Information Commissioner’s Office (ICO) warned that live video feeds from thousands of webcams, CCTV camera and baby monitors around the world have been hacked and put up online.
The Ben-Gurion University researchers carried out experiments as part of their ongoing research into detecting vulnerabilities of devices and networks. They disassembled and reverse engineered many common devices and quickly uncovered serious security issues.
“It is truly frightening how easily a criminal, voyeur or paedophile can take over these devices,” said Dr. Yossi Oren, a senior lecturer in BGU’s Department of Software and Information Systems Engineering at Cyber@BGU.
“Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products,” said Dr Oren.
And what is worse, it seems that many of these hacks can be carried out just by using a Google search.
“It only took 30 minutes to find passwords for most of the devices and some of them were found merely through a Google search of the brand,” said Omer Shwartz, a Ph.D. student and member of Dr Oren’s lab. “Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely.”
It seems that there are several ways hackers can take advantage of poorly secured devices. The researchers found that similar products under different brands share the same common default passwords. These passwords are rarely changed by consumers and businesses so they could be operating infected with malicious code for years.
The researchers were also able to logon to entire Wi-Fi networks “simply by retrieving the password stored in a device to gain network access.”
Dr Oren urges IoT device manufacturers to stop using easy passwords and to disable remote access capabilities.
He also advised them to make it harder to get information from shared ports, like an audio jack which was proven vulnerable in other studies by Cyber@BGU researchers. “It seems getting IoT products to market at an attractive price is often more important than securing them properly,” he said.
Consumers and businesses can better protect themselves by only buying IoT devices from reputable manufacturers and vendors; avoid used IoT devices; carry out research into each device to see if it has a default password; and use strong passwords with a minimum of 16 letters.
The advice to always change default passwords was echoed by at least one security expert.
“The nature of our connected lives means that hackers have an infinitely larger surface area on which to launch their attacks,” said David Emm, principal security researcher at Kaspersky Lab. “It’s no longer a case of just securing our desktop computers – now connected devices range from kids’ toys to CCTV cameras, baby monitors, smart homes and smart TVs. To put it another way, the more times you cross the road, the more chance you have of being knocked down – and it’s the same concept with cybersecurity.”
“The government’s recent announcement of IoT guidelines was very welcome, but they must set the standards for developing security practices for IoT devices,” said Emm. “Not only this, but security should be implemented by design globally by manufacturers.”
Kaspersky Lab strongly advises users always change the default password with a complex one instead; pay close attention to security issues of connected devices before purchasing; and check to see if the product can be updated and always apply these updates.
The security threat posed by IoT devices was starkly illustrated in 2016 when researchers at security firm Sucuri uncovered an unusual botnet made up entirely of Internet-connected CCTV cameras.