Many people don’t consider the risks that smart devices pose, and here’s why they should.

Connectivity is a pain point for many users working remotely. However, as employees return, it will be critical to equip them with the right tools to work from anywhere. As business justifications increase, the demand for 4G/5G-connected laptops and other devices will increase.

A “smart device” is any device that’s connected to the internet (or your home network), usually via Wi-Fi, and can communicate with other devices. Examples include smart light bulbs that can be controlled from your phone, smart speakers like Amazon’s Alexa, and wearables like the Apple Watch. To operate efficiently and enhance their functionality over time, devices often need to collect data ranging from personal information to usage patterns, making their use more personalized to the user. As with any data collection, this gives cybercriminals ample opportunity to exploit the data for malicious purposes.

Worse still, despite the risks associated with smart devices, users do not care about their security. According to BlackBerry research, consumers generally do not prioritize security when choosing smart devices, and only 30% of employees who own smart devices say security is one of the top three factors they consider when purchasing a smart device.

The European Union's (EU) proposed Cyber Resilience Act aims to address this issue and ensure that all devices "connected directly or indirectly to another device or a network", which would include everything from smart watches to smart fridges, comply with a newly proposed set of cybersecurity standards.
Brands have plenty of reasons to comply: the EU is proposing fines of €15 million ($15 million) or up to 2.5% of their global turnover for failure to comply with the Cyber Resilience Act, which would require manufacturers to report all known actively exploited vulnerabilities and incidents, and impose an obligation to provide regular security support and software updates to address new vulnerabilities.

Why do smart devices pose cybersecurity risks?

Using smart devices on an unsecured Wi-Fi network poses a significant security risk, as a malicious actor with access to a home network could potentially infiltrate and take control of all devices connected to that network. This vulnerability is particularly concerning because smart devices are interconnected, so one device can provide a gateway to the others. Any initial access could lead to unauthorized control, manipulation, or surveillance of a wide range of devices, including smart cameras, thermostats, and even home security systems.

Multiple serious vulnerabilities have been discovered in TP-Link's widely used smart light bulbs and their associated mobile apps, creating potential avenues for hackers to infiltrate and access connected Wi-Fi networks. The vulnerabilities could allow malicious actors to reach other endpoints in the network, potentially granting them access to sensitive data, or providing an opportunity to deploy various forms of malware and ransomware.

Cybersecurity researchers from the University of Catania in Italy and University College London discovered four major vulnerabilities. The first two vulnerabilities have severity ratings of 8.8 and 7.6, respectively, and they can be exploited to impersonate light bulbs on the network. Through this method, malicious actors can gain unauthorized access to the account details of Tapo users. This information can be used to extract the target individual's Wi-Fi SSID and password.
Other vulnerabilities can be used to launch a "replay attack" that an attacker can use to change the functionality of the light bulb. According to BleepingComputer, the researchers provided their findings to TP-Link, which subsequently acknowledged them and said it would release a patch soon.

All these risks are created through a relatively simple light bulb! In a fully automated "smart home", hackers usually have countless opportunities to infiltrate.

Smart devices may be subject to thousands of scans or hacker attacks in a week. In cooperation with the NCC Group and the Global Cyber Alliance (GCA), a fake smart home was created in May 2021, filled with a series of smart devices, from TVs to thermostats, to smart home security systems and even smart kettles. In the first week of testing, 1,017 different scans or hacking attempts were observed from around the world, of which at least 66 were malicious. The following month, the number of smart device scans increased significantly, with a total of 12,807 unique scans and attack attempts against smart devices within the simulated smart home. In addition, there were 2,435 specific attempts at malicious logins, which attacked smart devices by using weak default usernames and passwords.

An estimated 97% of attacks against smart devices are aimed at enlisting them in the Mirai botnet. This widespread botnet system scans for vulnerable devices, using brute force attacks to identify those that are protected with weak passwords. Once such a device is found, Mirai installs a Trojan on it, effectively adding it to the botnet.

In another frustrating case study, in December 2022, cybersecurity researcher Matt Kune successfully turned a Google Home speaker into an eavesdropping device.
Exploiting the vulnerability, an attacker could establish a "backdoor" account on the device while in wireless proximity, enabling them to send it commands remotely over the internet, access the device's microphone feed, and execute arbitrary HTTP requests within the victim's local area network (LAN). This could expose Wi-Fi passwords or provide an attacker with direct access to the victim's other devices. Fortunately, these issues have been resolved.

How to protect your home network

Creating a strong digital security toolkit is important across all digital and smart devices, which are often connected through home Wi-Fi connections. Therefore, measures to reduce exploitation by malicious actors and protect individuals must be consistent and effective.

There are ways to increase your level of security, but first, you should think about the smart devices you actually want and will use. Rather than filling your home with a ton of connected Wi-Fi devices that you might only use for basic functions, focus on devices that align with your specific needs and preferences. This approach ensures that your smart home setup is purposeful, fits your lifestyle, and avoids unnecessary clutter or complexity. By identifying devices that truly enhance your daily life, you can create a more streamlined and effective smart home experience.

Update Router Settings

If your router is several years old, then even if internet performance remains stable, the security of your connected devices may be at risk. Old routers often mean outdated security protocols, providing an easier access point for potential malicious actors. Keeping your router up to date is essential to maintaining a strong defense against cybersecurity threats and ensuring the safety of your connected devices.

When purchasing a new router, the next important step is to protect your Wi-Fi network with a strong password.
Most routers, which often come with a model-specific SSID, may lack strong security measures and often use generic passwords such as "admin." This common practice makes it easy for hackers to gain unauthorized access to home Wi-Fi networks and, by extension, smart devices. To increase security, it's important to customize your router settings, including changing the SSID and implementing a strong, unique password to reduce the risk of unauthorized access and potential security breaches.

Next, update the firmware. Firmware is the underlying software that powers routers and other internet devices. Accessing a router's firmware provides the ability to customize settings, such as changing passwords and configuring various parameters. This level of control allows users to tailor device configurations to meet specific security and functional requirements.

Configure the device to enable automatic firmware upgrades, but be aware of the potential risks of allowing automatic downloads from third-party servers. While automatic updates can ensure that your device receives the latest security patches and improvements, it is important to weigh the potential security issues that may arise from getting updates from external sources. Consider the trustworthiness of the server and source providing the updates to minimize any associated risks. If you are not comfortable setting up automatic updates, set yourself a regular reminder to update manually.

Use a password manager

Password managers play a vital role in enhancing online security by generating strong and unique passwords for each account and securely storing login credentials. Using secure and unique passwords for each account mitigates the risk of catastrophic consequences if one account is compromised. Reusing passwords or keeping a list of passwords in an accessible file could cause a domino effect if one account is hacked; password managers provide a safe and convenient alternative.
They help protect digital identities by promoting good password hygiene and minimizing the potential impact of a security breach on your overall online presence.

Enable multi-factor authentication

After setting and storing strong passwords, the next step is to enable multi-factor authentication. Multi-factor authentication (MFA) is a robust verification method that requires users to go through a multi-step login process to access a website or app. This extra layer of security usually involves confirming the login attempt through various means, such as across different devices, push notifications or contact addresses.

The National Cyber Security Centre (NCSC) recommends implementing two-factor authentication (2FA) for "high-value" accounts and all email addresses. The more accounts that incorporate this extra layer of security through 2FA, the stronger the overall defense against potential cyberattacks. Email accounts often serve as a gateway for the password recovery process, and by protecting access to email accounts, individuals can significantly improve their cybersecurity posture and reduce the risk of unauthorized access to various online platforms.

However, be aware of multi-factor authentication fatigue attacks, also known as MFA bombing or MFA spam, in which cybercriminals send spam authentication requests to a victim's email, phone, or registered device with the goal of forcing the victim to confirm their identity.

Split Wi-Fi Network

The FBI recommends separating Wi-Fi networks, advising consumers that "a refrigerator and a laptop should not be on the same network. Keep your most private, sensitive data isolated on a separate system from other IoT devices." To reduce the risk of cyber threats, consider putting your devices on a separate network. Many routers support the creation of a secondary guest network, which can be designated for smart home devices.
This not only optimizes bandwidth for general browsing and streaming, but also isolates IoT devices from the critical data you want to protect. By adopting this strategy, even if one network is compromised, malware that infects smart home devices is less likely to spread and affect other devices on the main network. This adds an extra layer of security and containment to protect the main network from potential threats from the IoT ecosystem.
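
The separation described above can be checked against a device inventory, such as the client list a router shows. The following is an added example, not part of the original article; the network ranges, device names and roles are constructed assumptions.

```python
import ipaddress

# Constructed sample data: two network ranges and a DHCP-style inventory.
# Every name, address and role here is an assumption made for illustration.
NETWORKS = {
    "main": ipaddress.ip_network("192.168.1.0/24"),
    "iot": ipaddress.ip_network("192.168.50.0/24"),  # router guest network
}
DEVICES = [
    {"name": "work-laptop", "ip": "192.168.1.10", "role": "sensitive"},
    {"name": "nas", "ip": "192.168.1.20", "role": "sensitive"},
    {"name": "smart-fridge", "ip": "192.168.50.31", "role": "iot"},
    {"name": "smart-bulb", "ip": "192.168.1.77", "role": "iot"},  # misplaced
    {"name": "smart-kettle", "ip": "10.0.0.5", "role": "iot"},    # unknown range
]
EXPECTED = {"sensitive": "main", "iot": "iot"}  # role -> network it belongs on


def locate(ip):
    """Return the name of the defined network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


def audit(devices):
    """Return (device name, finding) pairs for devices on the wrong segment."""
    findings = []
    for dev in devices:
        actual, wanted = locate(dev["ip"]), EXPECTED[dev["role"]]
        if actual is None:
            findings.append((dev["name"], "address outside every defined network"))
        elif actual != wanted:
            findings.append(
                (dev["name"], f"{dev['role']} device on '{actual}', expected '{wanted}'"))
    return findings


def shared_segments(devices):
    """Networks where IoT and sensitive devices sit side by side."""
    roles = {}
    for dev in devices:
        roles.setdefault(locate(dev["ip"]), set()).add(dev["role"])
    return sorted(n for n, r in roles.items() if n and {"iot", "sensitive"} <= r)


if __name__ == "__main__":
    for name, finding in audit(DEVICES):
        print(f"{name}: {finding}")
    print("mixed segments:", shared_segments(DEVICES))
```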