Smart device vulnerabilities and securing against them | Kaspersky official blog
Credit to Author: Stan Kaminsky| Date: Mon, 13 Mar 2023 06:09:11 +0000
Intelligent features and internet connectivity are built into most television sets, baby monitors, and many other digital devices these days. Regardless of whether you use these smart features or not, smart devices produce security risks that you should know about and take steps to protect yourself against, while if you’re using plenty of the features of your smart home, securing its components is all the more critical. We’ve already published a separate article on planning a smart home, so here we’ll be focusing on security.
The biggest smart home risks
Networked home appliances produce several, essentially different types of risks:
- The devices share lots of data with the vendor on a regular basis. For example, your smart television is capable of identifying the content you’re watching — even if it’s on a flash drive or external player. Certain vendors make big bucks by spying on their customers. Even less sophisticated appliances, such as smart washing machines, collect and share data with their vendors.
- If your smart device is protected with a weak password, and still runs on its factory settings, which no one has changed, or contains operating system vulnerabilities, hackers can hijack the device. The consequences of this vary by device type. A smart washing machine can be shut down in the middle of a wash cycle as a kind of prank, whereas baby monitors can be abused for spying on the inhabitants of the house and even scaring them. A fully-featured smart home is susceptible to scenarios that are downright nasty — such as a blackout or heating shutdown.
- A hijacked smart device can be infected with malicious code and used for launching cyberattacks both on computers on the home network and devices on the broader Web. Powerful DDoS attacks are known to have been launched entirely from infected surveillance cameras. The owner of the infected gadget risks seeing their internet connection choked and getting onto various blacklists.
- If the level of security implemented by the vendor is insufficient, the data sent by the device can be found and published. Surveillance and peephole camera footage is sometimes stored in poorly protected cloud environments — free for anyone to watch.
Luckily for you, none of these horrors has to befall you — the risks can be significantly lessened.
What if you don’t need your home to be smart
An unutilized smart home is a fairly common situation. According to appliance vendor statistics, half of all IoT devices never see a network connection. The owners use them in the old-fashioned non-smart mode, without management via a mobile app or any of the other twenty-first-century luxuries. However, even a non-configured device like that produces security risks. It’s quite likely that it exposes a freely accessible, unsecured Wi-Fi access point or tries to connect to nearby phones via Bluetooth every now and then. In that case, someone, such as your neighbors, could assume control. Therefore, the minimum you need to do to “dumb down” your smart home appliances is review the user manual, open the settings, and turn off both Wi-Fi and Bluetooth connectivity.
There are devices that won’t let you do this or will turn Wi-Fi back on after a power interruption. This can be fixed with a trick that’s a bit challenging but gets the job done: changing your home Wi-Fi password temporarily, connecting the misbehaving device, and then changing the password again. The device will keep trying to connect using the invalid password, but it will be impossible to hack it by abusing the default settings.
General advice
Regardless of whether your smart home is centrally managed or composed of mismatched devices not connected to one another, they still need basic security.
- Make sure your Wi-Fi router is secured. Remember that your router is a part of the smart home system too. We’ve published several detailed guides to securing a home Wi-Fi system and configuring a router properly. The only thing we’d like to add is that home-router firmware is often found to contain vulnerabilities that are exploited for attacking home networks, so the set-and-forget approach doesn’t work here. Firmware updates need to be checked on a regular basis. Quality routers let you update their firmware right from the web interface management panel. If that’s not the case for you, visit the vendor’s website or contact your internet service provider to obtain a newer version of the firmware and follow the appropriate guide to install it. To wrap up this router adventure, check that the ability to manage the router from outside the home network is disabled in the settings. ISP employees may need it for troubleshooting sometimes, but it’s often turned on when it’s not needed, thus increasing cybersecurity risks.
- Check your network regularly to make sure there are no unauthorized devices connected to it. The handiest way to do this is by using a dedicated app. Kaspersky Premium can display a list of all devices connected to the network, and often also their vendors and protection status where available. It’s important that you keep track of your devices and remove extraneous ones, such as a refrigerator, which has no real need for a Wi-Fi connection — or a neighbor who hooked up to free Wi-Fi.
- Consider vendor reputation when purchasing a gadget. Every vendor suffers from vulnerabilities and defects, but while some are quick to fix their bugs and release updates, others will keep denying there’s a problem for as long as they can. According to a Kaspersky survey, 34% of users believe that choosing a trusted vendor is all that it takes to have a secure smart home. While that certainly lowers the risks, staying secure still requires other steps as well.
What if your smart home is built on Wi-Fi?
Do you have a bunch of smart devices that aren’t connected to one another, or are joined up with the help of Amazon Alexa or Apple Homekit? In that case, each device independently connects to the internet through Wi-Fi. This is the most complex scenario from a security standpoint, as the passwords, firmware, and vulnerabilities need to be tracked for each device individually. Unfortunately, setup details vary greatly between device types and vendors, so we have to limit ourselves to general recommendations.
- Set up a guest Wi-Fi network. Professionals call this “network segmentation”. Ideally, your home network should be split into three segments: home computers, guest devices, and smart home appliances. Many routers are not capable of such miracles, but you should at least have two segments: one for home devices and one for guests. This will keep visitors from reconfiguring your cameras and starting up the robot vacuum just for fun. It goes without saying that the segments must be secured with different Wi-Fi passwords, and the guest segment should have stricter security settings — such as client isolation, bandwidth limits, and so on. Confining IoT devices to a separate segment reduces associated risks. A hacker wouldn’t be able to attack a home computer from a hijacked IP camera. The reverse is true as well: an infected home computer wouldn’t be able to access a video camera. Open the router’s web-based management interface and review the Wi-Fi settings to follow this tip. If some of your appliances are connected via a cable, make sure that they’re located in the correct network segments by checking the other sections of the router settings.
- Set strong passwords. Open the settings for each device. This can sometimes be done though an official mobile app, and sometimes through a web interface. Set a long, unique password for each device by following the user manual. You can’t use the same password for all devices! To keep your ducks in a row, use a password manager. By the way, one is included with Kaspersky Premium, and it’s also available as a standalone app.
- Update the firmware. Do this for each of your devices that support firmware updates via an app or web interface, and repeat regularly.
- Check the online service settings. The same device may be able to operate in different modes — sending different amounts of information via the internet. For example, a robot vacuum cleaner may be allowed to upload a detailed cleanup pattern to the server — which means a map of your home — or it may not. A video peephole may be allowed to save to the server each photo or video of a visitor approaching your door that it identifies using a motion sensor, or it may just be allowed to display these when you press the button. Keep from overloading the vendor cloud storage with unneeded information: disable unused features. And it’s better not to send to the server something that can be excluded from sharing without compromising the utility of the device.
- Follow updates on the vendors of devices you use. Sometimes, IoT devices are found to contain critical vulnerabilities or other issues, and their owners need to take action: update the firmware, enable or disable a certain feature, reset the password, delete an old cloud backup… Conscientious vendors typically maintain a section on their website where they publish security recommendations and newsletters, but these are often written in complex language and contain information on many devices that aren’t relevant to you. Therefore, it’s better to check for news about your devices from time to time and visit the official website if you find something alarming.
What if your smart home is centrally managed?
If your smart home is a centralized system, with most of the devices controlled by a hub, this makes the owner’s task somewhat easier. All of the above steps, such as setting a strong password, regularly updating the firmware and so on, mostly need to be performed on one device: the smart home controller. Enable two-factor authentication on the controller if possible.
We also recommend limiting internet access on the controller, for example by restricting data sharing with any computer except for vendor servers and devices on the home network. This can be done in the home-router settings. Some controllers are capable of functioning without any internet connection at all. If managing your smart home remotely isn’t critical for you, disconnecting the hub from the internet is a powerful security measure. This is no cure-all, as complex, multi-stage attacks will remain a threat, but at least the most common-or-garden attacks will be prevented.