Nearly all the fancy hardware in your connected home is inherently flawed when it comes to security. That's one of the painful takeaways from a new report by Synack, a subscription Security-as-a-Service (SaaS) startup in Menlo Park, California. The company's analysis will be a rude awakening for anyone who thinks they have a bullet-proof home-security system, whether it's a DIY project or a pricey custom job.
We became aware of Synack's study on Wednesday via this Gigaom story, but we covered the relative insecurity of routers and IP security cameras nearly a year ago, and that of network-attached storage last August. Unfortunately, not much has changed since then.
To drive that point home, Synack tested 16 products in four categories: cameras, thermostats, smoke/CO detectors, and home-automation controllers. Synack researcher Colby Moore, who put the report together, said he was able to root almost every device in less than 20 minutes. Most of the gadgets suffered from weak password policies, but collectively there's a long list of issues, including open ports, built-in backdoors, and a lack of encryption.
Cameras were the worst offenders, according to Synack's report. Of the five tested, each suffered from multiple security issues. Two--D-Link's DCS-2132L and Foscam's FI9826W--were dinged for obfuscating rather than securing data in transit. Obfuscation masks data in any number of ways, like scrambling letters. Unlike encryption, however, obfuscated data doesn't require a secret key to decode; prying eyes need only figure out how the data was cloaked.
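To make the obfuscation-versus-encryption distinction concrete, here is an added illustration (not code from the article, from Synack, or from either camera vendor). A fixed XOR mask stands in for the kind of data scrambling the report criticised; a keyed HMAC-SHA256 keystream with an authentication tag stands in for real encryption. The mask, the constant frame header, the sample frame and every function name are constructed for this example and are not taken from any real device.

```python
# Added illustration, not code from the article or the Synack report. It contrasts
# a fixed-mask "scrambling" scheme with keyed, authenticated encryption. The mask,
# the header, the sample frame and all names are constructed for this example.
import hashlib
import hmac
import os
from typing import Optional

# --- Obfuscation: a hypothetical device XORs every frame with a constant mask ---
OBF_MASK = b"\x5a\xa5\x3c\xc3"      # hypothetical, baked into the firmware
FRAME_HEADER = b"CAM1"              # hypothetical constant prefix of every frame


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(frame: bytes) -> bytes:
    """What the device sends: the frame masked, with nothing secret involved."""
    return xor_bytes(frame, OBF_MASK)


def recover_mask(wire: bytes, known_prefix: bytes) -> bytes:
    """An eavesdropper who knows (or guesses) the constant header gets the mask
    for free: mask = wire XOR plaintext over the known bytes. Assumes the mask
    period is no longer than the known prefix, as it is in this example."""
    return xor_bytes(wire[:len(known_prefix)], known_prefix)


def deobfuscate_without_key(wire: bytes) -> bytes:
    """Decode the whole frame using only the recovered mask; no key is needed."""
    return xor_bytes(wire, recover_mask(wire, FRAME_HEADER))


# --- Encryption: keystream from a secret key via HMAC-SHA256, encrypt-then-MAC ---
NONCE_LEN, TAG_LEN = 12, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (standard library only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, frame: bytes, nonce: Optional[bytes] = None) -> bytes:
    """nonce || ciphertext || tag. A fresh random nonce per frame unless one is supplied."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = xor_bytes(frame, keystream(key, nonce, len(frame)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, wire: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; fails without the key."""
    nonce, ct, tag = wire[:NONCE_LEN], wire[NONCE_LEN:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: frame altered or wrong key")
    return xor_bytes(ct, keystream(key, nonce, len(ct)))


def known_prefix_attack_on_encrypted(wire: bytes) -> bytes:
    """The same trick applied to encrypted traffic: the attacker learns the first
    four keystream bytes, but they say nothing about the rest of the stream."""
    ct = wire[NONCE_LEN:-TAG_LEN]
    return xor_bytes(ct, recover_mask(ct, FRAME_HEADER))


if __name__ == "__main__":
    frame = FRAME_HEADER + b"|door=open|t=03:12"    # constructed sample frame
    print(deobfuscate_without_key(obfuscate(frame)))  # full plaintext, no key needed
    key = os.urandom(32)
    blob = encrypt(key, frame)
    print(decrypt(key, blob))                          # plaintext, with the key
    print(known_prefix_attack_on_encrypted(blob))      # header right, the rest garbage
```

The point of the pairing: against the masked frame, a single known plaintext (the constant header) hands the eavesdropper everything, which is exactly what "obfuscation rather than encryption" means in practice. Against the keyed scheme, the same known plaintext yields four keystream bytes that cannot be extended, and any tampering is caught by the tag. A shipping product would use TLS or an AEAD such as AES-GCM rather than this hand-rolled construction; the HMAC keystream is used here only because it needs nothing beyond the standard library.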
Think about that for a moment. There's an uncomfortable level of creepiness that comes from knowing a hacker could be using your cameras against you, whether it's to map out the times you come and go during the week, or to create a blueprint of possible entry and exit points by looking through your baby monitor. Moore recommends that, ideally, all communication be encrypted in both directions.
The Control4 HC-250 system controller, sold only to custom installers, was knocked for a "history of unpatched security issues" and a "built-in unauthenticated remote management feature" (in other words, an insecure backdoor that a hacker could exploit).
It's not just about you
What's described above is a pretty sophisticated (and personal) level of attack that would require plenty of planning and a high level of risk, but it's not the only scenario. In this November blog post on hacking the home, Synack describes how a hacker can rather easily exploit seemingly trivial vulnerabilities and infiltrate thousands of IoT devices with less than a day's effort.
There's strength in numbers for whatever nefarious purposes the hacker might be cooking up, or he could simply dump the data online, revealing thousands of usernames and passwords. It's a headline that's played out multiple times each year, and as the IoT market grows, it gets closer to becoming a viable target for this kind of data harvesting. This is especially true if these devices don't start implementing better security measures, such as requiring stronger passwords.