Cybersecurity features have lagged way behind the allure of smart-home automation devices: time for manufacturers and end-users to wise up!
In a vivid demonstration of the vulnerability of home IoT devices, Singaporeans recently became the stars of soft porn footage gleaned from hacked IP cameras in homes around the island.
From breastfeeding mothers to scenes compromising the modesty of ordinary people in their natural habitat, the stolen footage found its way onto pornographic sites, labeled as originating from Singapore. A group apparently specializing in hacking IP cams was responsible, and its members on a messaging platform claimed to have shared more than 3TB of clips with paying subscribers.
To a lesser extent, people from Thailand, South Korea and Canada were also victimized by the hacks, which reportedly totaled 50,000 IP cams. An expert from Check Point Software had noted in the media that poor password management, poor software/firmware updating, and accessibility via centralized cloud services and exposed ports were responsible for the vulnerability.
If it connects online, secure it!
Aaron Bugal, a global-solutions engineer at Sophos, advised: “When purchasing any smart device for your home, if it requires connectivity to your phone and in most cases to your local wireless network, there’s an almost certain chance that the device will use the internet to operate. Nowadays, lamps, air conditioners, lightbulbs, fridges, doorbells and even hot tubs are connected via the cloud to allow users to operate them even when they’re not at home. It’s time to associate the term ‘Smart Device’ with an internet-connected device and expect some risk with its use.”
Bugal said that when choosing to use a smart device, it is imperative to read and understand the marketing material and operating manual for your device. Usually, when first turned on, these devices require a helper application on a phone for initial configuration. “Read all the guidance these apps offer and don’t skip any steps, especially when it comes to security. Change any default passwords; if they require you to update them, please do so, and if you need to sign up for yet another online service, use a strong and unique password. If they offer multi-factor authentication to manage your account, please also enable this.”
Another commentator, IntSights CSO Etay Maor, elaborated on the sheer vulnerability of default IoT devices: “Attackers utilize the fact that these cameras use the default passwords that came with the model of device, and their device manuals that include the passwords can be found online. Also, close ports that you do not use, so that your information does not broadcast freely. Search engines like Shodan index IoT devices, and allow attackers to be very specific in their searches—for example, finding hospital security cameras in Singapore. Finally, patch your devices just like how you will patch your computer’s operating systems. Many ransomware attacks are on devices that are not properly patched and secured.”
Turn them off when unneeded
Maor said organizations usually take measures for securing their devices before using them, and monitor network traffic of the devices in use. However, home users have been adding more IoT devices to their homes without looking into the security features. “Users need to understand that similar to your banking applications or social media accounts, devices like the cameras at home need to have the same level of security hygiene,” especially if they are meant to be left operating 24/7.
For this, Bugal advised the public to reconsider the always-on nature of these gadgets: “If you currently have any form of audio and/or visual recording device within your living space, web cam, smart speaker, and so on—ask yourself, do I really need this turned on all the time? Then ensure you know how to manage the device: is it via an application on your phone or does it have a webpage accessible from the cloud? Log into these and look for a security or privacy configuration area: these will allow you to control if information recorded should be saved and where; and choose the option that best suits you.”
Additionally, password hygiene has to extend beyond the IP cam: if the use of the cloud is mandatory, as with many of the newer devices, ensure your account for the cloud service is secured with a unique password (one that is not used with any other account), and if you have the option of turning on multi-factor authentication, please do so. These steps will limit hackers’ ability to log into your account and steal any recorded information.