How the 'smart home' could allow your house to spy on you and be manipulated by hackers

Advice from the government aims to stop connected devices being abused as they flourish

Andrew Griffin
Sunday 28 October 2018 12:50 EDT
Everything from washing machines to fridges could be vulnerable (Tobias Schwarz/AFP/Getty)

It’s the stuff of horror films: an intruder in your house, impossible to find but undeniably somewhere, watching you at your most private moments. Or perhaps it’s the plot of a thriller, where you are recruited into international crime without even knowing it, at the behest of smart criminals.

If the worst fears about the prevalence of weakly secured smart home gadgets materialise, those terrifying situations could become all too real. As we fill our homes with internet-enabled and smart devices, we are opening ourselves up to attacks that exploit houses themselves – and we might not even realise they are happening.

Everything from washing machines to baby monitors is being hooked up to the internet by companies convinced that features such as remote control and artificial intelligence will make our lives easier and safer. But they could also endanger the very people using them.

The government has now published a voluntary code of practice for manufacturers of smart home devices in an attempt to stop them being used for cyber crime by hackers and even nation states.

It shows just how real concerns have become that the increasing presence of connected devices around our home could be used against us. Their ease of use and the intimate part they play in our lives are what makes them such a valuable target.

The guidelines offer simple steps for manufacturers: making sure users’ data is securely stored and software and passwords are updated. Those are much the same as advice given to users to ensure their devices aren’t being hijacked.

But the guidelines also highlight just how difficult it can be to hook your home up to the internet without someone taking advantage of it. From the very beginning, the so-called internet of things has been teeming with both possibility and danger: a way to automate and control your life, powerful in the right hands and potentially catastrophic in the wrong ones.

Buying the devices can be a difficult and overwhelming process – putting the phrase “smart home” into Amazon brings up more than 100,000 results, many of them from companies that few people are likely to have heard of. Choosing one is more comparable to deciding which lightbulb to buy than picking out a phone, despite the variety of ways that installing one inside of your house opens you up to attack.

That doesn’t mean that big brands are necessarily safe. A whole host of apparently trusted companies are rushing to update their traditional offerings: all the famous manufacturers of lightbulbs, locks and security alarms are working to introduce connected versions of the products they’re so famous for. But making real locks isn’t the same as making digital ones, and there’s no guarantee that even trusted brands will be able to protect your security.

“It’s such a new area of technology that there’s no hard or fast rules about who’s better or worse,” says Christopher Boyd, an analyst at Malwarebytes. “You might buy a no-brand device which works perfectly, or deploy a branded home security system which locks you in because the servers go down for emergency maintenance.

“Word of mouth carries quickly where cheap tech is concerned, so checking social media and news portals will often help to make an informed decision before buying.”

That becomes even more complicated when the companies you’re buying from don’t have much to do with security at all. In 2015, Mattel revealed the ‘Hello Barbie’ doll that could connect to the internet and speak back to its owner, just like Alexa or Siri. But she was insecure: hackers said they could easily get access to the audio files the doll had recorded and even listen in through the microphone.

In short, the advice is the same as with any other device: buy things that seem trustworthy, check out reviews, make sure that they are updated with the latest software and ensure that you’re watching out for signs that something untoward is happening. Be as vigilant as you can be, but know there is no such thing as ever being perfectly safe.

One of the most disconcerting things about smart home devices is that because they are designed to be ambient – fading into your home and not requiring much input – knowing when something is wrong can be hard. You might notice your computer is doing things you didn’t ask it to, or your phone slows down – but an internet-enabled baby monitor might be hijacked and used in a major cyber crime operation without you ever realising.

“It’s very difficult to establish if devices such as these have been compromised, and it’s a big problem in domestic abuse cases,” says Boyd. “Potential giveaways can include webcam lights switched on, or settings being switched on and off without warning.

“It may be impossible to establish if such behaviour is malicious or a malfunction so in all cases it’s best to exchange a device if possible and contact the manufacturer. You should also keep a detailed log of all odd activity.”

For the most part, attacks using smart home devices have not been about prying into people’s lives, or trying to catch them while they’re in their homes. Instead, they’ve been about turning those devices outwards: using them as a way of attacking other more important parts of the internet’s infrastructure.

The most famous example of this was in October 2016, when Dyn – a company few people have heard of but which helps run the infrastructure underlying the internet – experienced a huge attack against their systems. It broke the internet, bringing down some of the world’s biggest internet platforms and services including Amazon, Netflix, the BBC and Twitter.

After thorough investigations, the culprits were not found to be using computers tucked away in dingy basements with lines of inexplicable code, like in films. They were instead using a vast network of badly secured smart home devices – CCTV systems, baby monitors and other “internet of things” devices – and using them to flood Dyn with requests, causing its systems to become overwhelmed.

The attack was the result of failing to follow the most simple advice about the smart home: change your passwords. Smart home technology, especially that at the cheaper end of the market, often comes with default passwords that might even be just “password”. If they are unchanged, they are incredibly easy to break into.

But that might change – the Dyn attack was just the beginning, and hackers might turn our devices on ourselves. We are at the beginning of what’s expected to be a vast expansion of smart home devices around our homes – and the more of them there are, the more achievable and valuable attacks are going to be.

The current smart home market is something like smartphones in 2008 and 2009 – they were just catching on, and so was mobile malware, says David Emm, principal security researcher at Kaspersky Lab. But by 2011, the market had become more valuable and attacks “suddenly exponentially rocketed”, he says.

“It did so because for individuals and businesses, these became must-have devices. And it was no longer just about texts and calls but things like mobile banking. They hit a threshold where they became very valuable for attackers.”

We’re at the very beginning of that, he says, and not yet at the point where it is a “routine cyber criminal activity”. But that “gives us time to get things in order”, which he says is why initiatives such as the government’s code of practice can be such a useful thing.

The most extreme way to deal with all of this is to unplug entirely – and it’s important to remember that, at least until we have autonomous robot butlers, you’ll always have that option.

If you have reason to doubt that a device is secure, simply unplug it and put it away until you can be convinced otherwise by checking the manufacturers’ website or with authorities. If you are unlikely to ever trust it – for instance, you’ve bought some cheap technology that is inherently unsafe and isn’t being updated – get rid of it. No convenience is going to be worth the pain and distress that might be caused by a security failure.

But there’s a less extreme version of this too: if you don’t need a feature to be connected, then it’s best just not to use it.

“It’s really cool that a baby monitor can livestream a feed and that you can access it from anywhere,” says Emm. “But if in reality you’re not going to need to do that, then switch it off.

“If it’s not enabled, then it can’t be hacked.”
