Amanda Maxwell

Oct 22nd 2018

Hacking Devices in the Not-So Smart Home


Does your refrigerator notice more than that you’re out of milk? Could your floor-cleaning robot be taking candid photos of your ankles? Is Alexa eavesdropping? Although smartphone security is everyone’s buzzword these days, hacking devices in the smart home could breach your personal security too. Being aware of vulnerabilities and staying current with security technology keeps your home a secure and private personal space.

Running a Smart Home

Home automation, or domotics, is more common these days, with smart appliances keeping your fridge stocked, your front door locked, and your garage door, lighting and heating systems synchronized with your movements. These autonomous, data-driven devices connect to the internet and make up a network known as the Internet of Things (IoT). According to analyst firm Gartner, 20.4 billion IoT devices will be deployed by 2020.

Putting this in context, ZDNet noted that IoT devices outnumbered the human population for the first time back in early 2017.

Smart Home Vulnerabilities Mean Hackers Run Wild

Cybersecurity experts from companies such as Kaspersky and TrendMicro regularly analyze threat risk. This is mainly to improve their own security products, but it’s also to alert manufacturers and consumers to vulnerabilities. Many of the problems involve the smart home hub.

The smart home hub is the central routing point that controls home automation, connecting to and controlling each smart appliance. Once installed, it connects with internet and mobile apps that then relay instructions to each appliance. Unfortunately, hacking devices like these is relatively straightforward, meaning hackers can remotely access your smart home network.

Kaspersky found that simply knowing the serial number is enough “security” confirmation to send instructions to the hub in a modified configuration file. The file is transferred over unsecured HTTP, and no further confirmation is required, allowing enough access to control appliances.

Furthermore, SecureList found that vendor firmware is freely available online. After analyzing and modifying the firmware files, hackers can gain remote access to send user requests that download hub archives. It’s possible to extract key information on passwords, IP addresses and phone numbers from these files.

Simulations showed that even a smart light bulb could be a hacked device, revealing details for every Wi-Fi network used in its lifetime.

It Could Happen to You

Companies keeping tabs on cybersecurity have already logged vulnerabilities in common consumer smart appliances, including home assistants, light bulbs and robotic room cleaners.

An NBC report revealed that smart home accounts could be hacked or faked, allowing access via your robotic cleaner.

The Hacker News described a malicious app developed for a digital home assistant that keeps it listening long after you think it’s gone back to sleep. According to Wired, researchers created a new “applet” that stopped an Amazon Echo from responding to the “shouldEndSession” prompt, instead activating covert listening and recording. (This vulnerability has since been fixed.)

Motherboard reported on two other vulnerabilities, one exploited through a mobile app and the other through intercepting the radio signals used to control smart appliances. The mobile app failed to deal securely with OAuth tokens; since old tokens were not revoked, hackers could potentially access hubs by extracting data from stolen smartphones. Recording and then playing back “open” and “close” radio signals allowed researchers to breach garage door security.
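The replay weakness described above comes from a receiver that accepts the same radio frame every time. As an added illustration (not from the original article or any vendor's product), this simplified Python sketch contrasts a fixed-code receiver with a rolling-code receiver that rejects recorded frames; the class names, key, frame values and window size are all assumptions made for the example.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead so a few out-of-range button presses still resync

def code_for(key: bytes, counter: int) -> bytes:
    """One-time code: HMAC-SHA256 over the press counter, truncated to 8 bytes."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()[:8]

class Remote:
    """Hypothetical key fob: every press sends the code for the next counter."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0
    def press(self) -> bytes:
        frame = code_for(self.key, self.counter)
        self.counter += 1
        return frame

class FixedCodeReceiver:
    """Weak design: one static 'open' frame stays valid forever."""
    def __init__(self, code: bytes):
        self.code = code
    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)

class RollingCodeReceiver:
    """Hardened design: a frame is accepted once, then it and all older ones expire."""
    def __init__(self, key: bytes):
        self.key, self.next_counter = key, 0
    def accept(self, frame: bytes) -> bool:
        for c in range(self.next_counter, self.next_counter + WINDOW):
            if hmac.compare_digest(frame, code_for(self.key, c)):
                self.next_counter = c + 1  # burn this counter and everything before it
                return True
        return False

def demo() -> dict:
    key = b"constructed-demo-key"        # constructed sample secret shared at pairing
    recorded_fixed = b"OPEN-1234"        # constructed static frame, as recorded off the air
    fixed = FixedCodeReceiver(b"OPEN-1234")
    remote, rolling = Remote(key), RollingCodeReceiver(key)
    recorded = remote.press()            # legitimate press that an observer also records
    result = {"fixed_replay": fixed.accept(recorded_fixed) and fixed.accept(recorded_fixed)}
    result["rolling_first"] = rolling.accept(recorded)    # genuine use opens the door
    result["rolling_replay"] = rolling.accept(recorded)   # playback of the same frame
    remote.press(); remote.press()                        # two presses out of radio range
    result["after_missed"] = rolling.accept(remote.press())
    result["stale"] = rolling.accept(recorded)            # old recording is still dead
    return result

if __name__ == "__main__":
    print(demo())
```

The fixed-code receiver accepts the recorded frame as often as it is played back, while the rolling-code receiver accepts it once and then refuses it, yet still resynchronizes after presses it never heard.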

Threat Post revealed vulnerabilities in a smart home hub that allowed remote code execution (RCE) attacks. Chaining a series of vulnerabilities together was enough for hackers to remotely acquire sensitive information and compromise security.

In all cases, the cybersecurity experts notified the appliance manufacturers ahead of revealing their results. These companies then took swift action to issue security technology upgrades and patches to protect customers and stop criminals hacking devices.

Protect Yourself: Keeping Your Smart Home Safe

There are some actions you can take to stop others from gaining access to your smart home and hacking devices.

  • Passwords: Choose a strong one and change the default password on each hub or device as soon as possible after purchase. Don’t forget to change your passwords regularly.
  • Don’t share your IP address or device serial numbers.
  • Stay up-to-date with security technology and firmware.
  • Buy from reputable suppliers and manufacturers who stay up-to-date with cybersecurity standards.
  • Don’t sell your smart bulbs. They might illuminate more than you want.
