Researchers from Ben-Gurion University of the Negev have found that smart home devices can be easily hacked and then used to spy on their users. Omer Shwartz et al. in their research paper analysed the practical security level of 16 popular IoT devices ranging from high-end to low-end manufacturers.
Amongst other things, they discovered that similar products under different brands share the same common default passwords. In some instances, the authors claimed that such passwords were found within minutes and sometimes simply by a web search for the brand. Devices in their study included baby monitors, home security and web cameras, doorbells, and thermostats. Using such devices in their lab, they were then able to for example, play loud music through a baby monitor, turn off a thermostat, and turn on a camera remotely.
Exactly as I talked today in my PerCom’18 presentation in Greece, manufacturers should avoid using easy, hard-coded passwords, and should be held more accountable for their products and services. At the same time, the end-user as a countermeasure should try to change default passwords or to disable privileged accounts on the device. But, ultimately, security should never be an afterthought but bolted-in from the beginning of the development lifecycle.
In our work, we have identified hundreds of insecure smart connected cameras deployed on the Internet in different places in the world. Similarly, we observed that most of the vendors left their default passwords inside the devices, or had banner information with sensitive data, e.g., firmware version, ports numbers, manufacturer names, that can be used to compromise the security and privacy of householders, business owners, and more.