Many companies in the Internet of Things and smart home market are taking security seriously, Moore says. Specifically, Moore says Nest products, including the connected thermostat and the Dropcam camera, are very difficult to hack outside of a lab setting.
A lot of the lower-end smart home products, however, make it to the market rife with vulnerabilities. One example Moore cited was the Foscam camera, which is one of the least expensive on the market and which Moore says is "super prevalent."
"There are oftentimes directory traversal vulnerabilities that let you read out kernel memory and dump passwords and things like that," Moore says. "So essentially what that's saying is you can go out there, find someone's camera [on the] internet, and have remote access to it without knowing the credentials."
In another case, Moore says Synack researchers tested a smart home security system, the kind typically sold at a "do-it-yourself kind of home store," and were able to disable it, enter the home, then re-activate the system once they left.
"The alarm would never go off, and when the user came back it would appear that nothing happened," Moore says.
Moore says there is potential for hackers to start packaging attacks targeted at smart home products and distributing them on a wide scale. Although he hasn't seen it in the market yet, Moore says it is "very plausible" that attackers could begin selling pre-packaged smart home attacks on the black market, much as some PC malware attacks are sold, enabling even less-skilled criminals to exploit cybersecurity vulnerabilities in the smart home.
"One thing I have seen or have heard about is people out there scanning their local IP space and finding IP cameras within people's homes, garages, or outside their house, and being able to watch the inhabitants and see when they're home and deduce their pattern of life -- if you know someone's pattern of life, you know when they're not going to be home -- and using these cameras and intel to rob someone's house intelligently," Moore says. "So I certainly can perceive that someone can package up a very nice utility to go out there and look for cameras local to you and use it as a robbery tool."
Another potential distribution method is by altering the products themselves. If attackers can access the devices before they are sold -- by tampering with inventory or even by purchasing a connected camera and returning it to the store with malware pre-loaded onto it -- they will be able to control them as soon as the user installs them.
To test this approach, Moore says Synack researchers purchased several popular IP cameras, altered the hardware, and re-packaged them with a shrink wrapper they purchased on eBay. When they asked their co-workers around the office to distinguish between a brand new product and the one they had altered and re-packaged, they found that no one could see a difference, Moore says.