Anyone can hack smart home devices. It can happen in as little as 30 minutes. Fast Company writer Jesus Diaz says that all you need is at least one finger to type the brand and model of whatever device you want to hack, and a connected web browser to put that information into Google. Within a few minutes, you will find a site or a forum post somewhere describing how to enter into that device using the manufacturer’s default administration user name and password.
This vulnerability was discovered by a team of researchers from Ben-Gurion University in Israel, led by Yossi Oren, who is in charge of the Implementation Security and Side-Channel Attacks Lab at Cyber@BGU. The team analyzed 16 popular high- and low-end IoT devices, using different reverse-engineering techniques that show how easy it is to extract the default hard-coded passwords of any machine when you have physical access to it. Diaz explains:
The team also discovered that you don’t need to do all that hacking yourself: Hackers everywhere use the same processes as soon as they hit the market, then they share the password information publicly. Like them and within seconds, Oren and his team had full access to all of the devices’ hardware capabilities, so they “were able to play loud music through a baby monitor, turn off a thermostat, and turn on a camera remotely.”
Oren and his team give some recommendations if you really must use these type of devices: Buy them from reputable vendors, don’t buy them secondhand because they may already have malware installed, update firmware that patches security holes, and, perhaps the most important one, change the default password. This is, in the end, the way these researchers were able to get into all these devices.
Which brings us to a very basic question: Couldn’t this all be solved with a simple user experience design change? If the main security hole in thousands of millions of devices is the fact people leave the default user and password unchanged, couldn’t companies force buyers to set their own, making them create 16-character (or more) pass-phrases and full user names? It would only take one single screen at the beginning of the smart device’s setup process. People will not think this is weird. It’s just like when we create a user and a password the first time we turn on a new computer.
Read More