The webcam hack by Russian attackers is merely a foreshadowing of what’s to come if consumers don’t secure their connected homes.
Late last night, news broke that Russian hackers had breached home webcams around the world and connected them to a live stream, which broadcast the contents on a website. The site’s administrator reportedly told Sky News that the stunt was aimed at drawing awareness to bad security practices. The victims involved all failed to update their webcam’s default password.
Security experts are not impressed. “Basic issue[s have] been known for years and years on baby cams,” Vincent Steckler, CEO of antivirus maker Avast, tells VentureBeat. Plus, consumers are also notorious for not updating default passwords. Some 63 percent of wireless routers run with default passwords, says Steckler.
What’s scary, says Steckler, is what will happen when consumers fail to secure their home networks and the many connected appliances therein.
As we bulk up on products like smart lights, thermostats, and others that connect to Wi-Fi, our networks will begin to look like those of small businesses. And unlike businesses, homes tent not to have the same cybersecurity resources. Each connected device can serve as a gateway into a home network.
You may be asking yourself, how much damage can a home-network hack do? For one, it can look a lot like last night’s Russian exploit, where users’ personal lives became unwittingly public. But there are still other potential hacks: For instance, Casey Ellis, CEO of bug bounty manager Bugcrowd, tells VentureBeat that a hacker could get into your connected light switch and flip the switch a hundred times per second, which aside from being annoying could potentially set a fire.
There’s also potential for hackers to use your wireless router to get into your computer network, though that’s a fairly endeavored effort. (It’s much easier to get access to a user’s network through an email phishing attack, for example.)
We could also easily see some broader Web attacks applied to the home network. Ellis says hackers can access a computer network, encrypt a user’s files, and then demand a financial sum in exchange for the key. Replicated in a home network setting, attackers could deny a victim access to their home network until they pay a fee.
Of course, there are also targeted attacks, which are less likely to occur. A particularly motivated black hat could access a specific home network for the purpose of robbing or spying by gathering data from the connected devices around the home.
And security may not be the top consideration for many smart home device makers.
If you look at Kickstarter’s technology section, you will see an amazing amount of smart home devices. One of the problems with smart devices from a security perspective, says Ellis, is that many of them start as projects in someone’s garage by people who are more concerned with building cool technology than they are the product’s potential vulnerabilities.
“Security is pretty much at the bottom of the list of things they’re thinking about, and it’s a difficult thing to build in retroactively,” says Ellis.
Ellis recently worked with home security maker HomeBoy to test its mettle and says subjecting a product to bug bounty program is a good way to know how secure it is on its own. However, secure products are only as good as the passwords that protect them. If consumers are failing to update default passwords, smart devices are still vulnerable.
“Consumers in general will take path of least resistance. The onus is on the manufacturers to make that path of least resistance as secure as possible,” says Ellis. An easy way to achieve this, he says, is by giving all products their own individual complex default password. Some companies, like Netgear, which makes home networking equipment, already do this.
Still others are looking to get consumers to take a more proactive approach. In October, antivirus firm Avast created security software for wireless routers that will alert users when the router’s default password hasn’t been updated and point to other vulnerabilities in their wireless network.
However, as incidents like yesterday’s prove, getting users to secure their routers may prove a difficult endeavor, because they’re still figuring out password protection.