Author: Johnty Mongan
From televisions to thermostats to doorbell security systems and even light bulbs, if a device is connected to the internet, it has the potential to be hacked. Astonishingly, in just a single week, a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world [1].
Often, vendors do not put adequate cybersecurity safeguards in place, either due to additional costs, a lack of security professionals or the desire to get a product to market quickly. However, another reason that hacking is so widespread is the increased availability of powerful and easy-to-use scanning tools that can quickly provide intelligence about target machines and networks.
Not all scanning is malicious but for cybercriminals it’s all about finding vulnerabilities in devices to enable them to carry out their purpose—typically data theft or surveillance.
How do attackers gain access?
One of the most common techniques hackers use to gain access to devices and systems is port scanning. A port is a point on a computer where information exchange takes place between programs, the internet and computers/devices. Hackers use port scanning to discover open doors or weaknesses in a network that can be used to gain unauthorised access. It can provide information such as the services that are running, the users that own these services, which network services require authentication and whether anonymous logins are allowed.
Hackers can also use scanning to reveal the IP (internet protocol) addresses and hostnames of devices connected to the network. This can help attackers map the network topology and identify targets, determine what operating system and software is running on devices and discover their potential vulnerabilities, and identify user account information such as usernames and passwords.
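A defender's view of the port scanning described above, as an added example that is not part of the original article: the script flags sources that probe many distinct ports on one address and lists any of their probes that the firewall let through. The log format, the addresses and the `min_ports` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a made-up firewall log format (not from the article).
SAMPLE_LOG = """\
2024-01-08T10:00:01Z DROP TCP src=203.0.113.7 dst=192.0.2.10 dport=21
2024-01-08T10:00:01Z DROP TCP src=203.0.113.7 dst=192.0.2.10 dport=22
2024-01-08T10:00:02Z DROP TCP src=203.0.113.7 dst=192.0.2.10 dport=23
2024-01-08T10:00:02Z ACCEPT TCP src=203.0.113.7 dst=192.0.2.10 dport=8080
2024-01-08T10:00:03Z DROP TCP src=203.0.113.7 dst=192.0.2.10 dport=445
2024-01-08T10:05:10Z ACCEPT TCP src=198.51.100.9 dst=192.0.2.10 dport=443
2024-01-08T10:05:11Z ACCEPT TCP src=198.51.100.9 dst=192.0.2.10 dport=443
garbled line that should be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) (?P<proto>TCP|UDP) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def parse(log_text):
    """Yield (src, dst, dport, action) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and 0 < int(m["dport"]) <= 65535:
            yield m["src"], m["dst"], int(m["dport"]), m["action"]

def find_scanners(log_text, min_ports=4):
    """Return {src: sorted ports} for sources probing >= min_ports distinct ports on one address."""
    probes = defaultdict(set)
    for src, dst, dport, _ in parse(log_text):
        probes[(src, dst)].add(dport)
    flagged = defaultdict(set)
    for (src, _dst), ports in probes.items():
        if len(ports) >= min_ports:
            flagged[src].update(ports)
    return {src: sorted(ports) for src, ports in flagged.items()}

def accepted_from(log_text, sources):
    """Return probes from flagged sources that were let through: the open doors they found."""
    return sorted({(s, d, p) for s, d, p, a in parse(log_text)
                   if a == "ACCEPT" and s in sources})

if __name__ == "__main__":
    scanners = find_scanners(SAMPLE_LOG)
    print("Likely scanners:", scanners)
    print("Ports they reached:", accepted_from(SAMPLE_LOG, scanners))
```

A repeat visitor to a single port (the second source in the sample) is not flagged; only breadth across ports is treated as scanning.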
Examples of vulnerabilities in smart devices within the home can include:
- Wi-Fi router: Most home routers also function as wireless access points and are usually supplied by your ISP (internet service provider). Hidden functions can allow your ISP to access your connected devices.
- Smart TV: With no encryption, your smart TV could be used to intercept onscreen payments, access files and discover other vulnerabilities.
- Voice-activated home automation device: If compromised, hackers can play their own voice commands or steal voice data as credentials for other voice command systems.
- Smart lock: If a smart lock on a door is compromised, hackers could gain control over who comes in or out of the house. This could mean letting intruders in or keeping legitimate residents out.
- Storage devices: Network-attached storage devices typically have weak default passwords. Once attackers gain access they could inject malware and infect other devices.
The cyber threat domino effect
In a connected smart home environment, when one device is compromised it can become a gateway to all other devices (and therefore data) connected to that same network.
For businesses that adopt a homeworking or hybrid environment, this can translate to a security issue for the organisation. If you have employees working from home and one of their personal devices gets hacked, the rest of the devices connected to the network also risk being compromised, including a company laptop if it does not have sufficient security controls.
What does the law do to protect consumers?
Two new pieces of legislation have been drawn up to improve the security of smart devices and help protect consumers: the Product Security and Telecommunications Infrastructure Act 2022, which became law in October 2022, and the European Cyber Resilience Act (CRA), which is still in the planning stages.
The Product Security and Telecommunications Infrastructure Act 2022 makes it a legal requirement for any companies producing or selling smart devices in the UK to ensure that they meet a basic standard of security. It outlines the duties of manufacturers, importers and distributors to comply with specified security requirements regarding UK consumer connectable products.
Similarly, the European Cyber Resilience Act (CRA) aims to ensure that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle.
How can you prevent your devices from being hacked?
The above legislation is still in its infancy and will take time to directly benefit consumers. In the meantime, there are things we can do to protect our home networks and data security.
- Change default passwords: A weak default password is one of the easiest ways for a device to get hacked. Always change any password that comes with the product you buy, and change the default or weak passwords of products you already own. This can help to avoid unwanted access and attacks like brute force (a hacking method that uses trial and error to guess login details).
- Change device settings: Make sure that the settings used by each device are aligned toward stronger security, and change the settings if this is not the case. Use multi-factor authentication (MFA) wherever it is available.
- Run updates: Always install any security updates for the product or app so you have the most recent protections. Manufacturers must tell you how long your product will be supported with such updates when you buy it, as stated in the Product Security and Telecommunications Infrastructure Act 2022.
- Encrypt files: Consider encrypting important folders and files on a private network to restrict access to only those with the password/key. Once encryption is properly set up, even if your security software fails, a hacker would find it almost impossible to make use of encrypted data that might be exposed.
If there is one takeaway from all this, it’s that every connected device could be used as a stepping stone for a cyber-attack. While scanning by hackers cannot be prevented, it is possible to minimise the attack surface and reduce your chances of being hacked by adopting a proactive approach to cybersecurity. This is just as important in the home as it is in the workplace—and especially where the two meet in a hybrid working environment.
If you would like to speak with one of our cyber risk specialists, please get in touch with the Cyber Risk Management team.