Investigating some of the latest Internet-of-Things (IoT) products, Kaspersky Lab researchers have discovered serious threats to the connected home—including a coffeemaker that exposes the homeowner’s Wi-Fi password, a baby video monitor that can be controlled by a malicious third party, and a smartphone-controlled home security system that can be fooled by a magnet.
The security firm’s investigation into the connected home discovered that almost all of the devices tested contained vulnerabilities.
The baby-monitor camera used in the experiment could allow a potential attacker, while using the same network as the camera owner, to connect to the camera, watch the video from it and launch audio on the camera itself. Other cameras from the same vendor allowed for the ability to collect owner passwords, and the experiment showed it was also possible for someone on the same network to retrieve the root password from the camera and maliciously modify the camera’s firmware.
When researching the app-controlled coffeemakers, it was discovered that it’s not even necessary for an attacker to be on the same network as the victim. The coffeemaker was sending enough unencrypted information for an attacker to discover the password for the coffeemaker owner’s entire Wi-Fi network.
On the other hand, Kaspersky Lab researchers found that the smartphone-controlled home security system’s software had just minor issues and was secure enough to resist a cyberattack. Instead, the vulnerability was found in one of the sensors used by the system.
The contact sensor used, which is designed to set off the alarm when a door or a window is opened, works by detecting a magnetic field emitted by a magnet mounted on the door or window. During the experiment, Kaspersky Lab experts were able to use a simple magnet to replace the magnetic field of the magnet on the window, allowing them to open and close a window without setting off the alarm. This vulnerability is also impossible to fix with a software update; the issue is in the design of the home security system itself. Furthermore, the magnetic field sensor-based devices are a common type of sensors, used by multiple home security systems on the market.
“Our experiment, reassuringly, has shown that vendors are considering cyber-security as they develop their IoT devices,” said Victor Alyushin, security researcher at Kaspersky Lab. “Nevertheless, any connected, app-controlled device is almost certain to have at least one security issue. Criminals might exploit several of these issues at once, which is why it is so important for vendors to fix all issues—even those that are not critical. These vulnerabilities should be fixed before the product even hits the market, as it can be much harder to fix a problem when a device has already been sold to thousands of homeowners.”
Kaspersky suggests that before rushing out to buy an IoT device, homeowners should do their due diligence and examine whether any security flaws have been reported in the media. They should also avoid the temptation of purchasing new products recently released on the market. And, when purchasing a baby monitor, it may be wise to choose the simplest RF-model on the market, one that is capable of transmitting only an audio signal, without internet connectivity.