We all know that IoT devices, such as smart lights and surveillance cameras, make your home more convenient, modern and connected. But, they also pose a lesser-known threat: these devices may make your personal data more susceptible to cyber hacks.
Network device hacks are a growing problem in the IoT industry. In fact, hacks reportedly increased by 600% between 2016 and 2017, according to TechRepublic.
As you might expect, low-cost IoT gadgets are the leading culprits. But, budget IoT devices are starting to represent some of the most commonly sold household products on the market. A recent experiment revealed that even amateur hackers could steal vital personal information from homeowners using their discarded IoT devices.
How hard is it for hackers to infiltrate that data? Maybe as simple as sifting through your trash.
Don’t Put Your IoT Devices in the Trash
Limited Results, a team of technology hobbyists, wanted to test the level of security in a common household smart bulb. Specifically, they wanted to know if their amateur team could hack the device after it had been unplugged and thrown away.
The team dismantled several smart light bulbs, even to the point of taking apart the circuit boards. The team then tampered with the dismantled devices to learn what data could be easily accessed. In other words, if a hacker found your smart bulb in the trash, what could they learn about you or your home?
In the case of each tested bulb, Limited Results found completely unencrypted data, and could even tell the WLAN password used by the prior user. One of the devices even revealed a private key for RSA encryption. This relatively simple experiment conveys something potentially terrifying about smart tech: if a hacker finds your old smart bulb in a trashcan, they may be able to access important personal data.
You don’t even have to be an expert hacker to extract useful information out of these old devices. In fact, according to the experimenters, the tested bulbs were so poorly programmed that it was simple for reasonably experienced people to access sensitive information.
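The two findings above, a readable WLAN password and a private key stored as text, are things a manufacturer's QA team or an owner can check for in a storage image of their own device before it ships or is thrown away. The following is an added example, not code from Limited Results or the original article; the function names, the sample image, the network name and the passphrase are all constructed for illustration, and it assumes you already hold the image as bytes.

```python
import re

# PEM armour of an unencrypted private key kept as text in storage.
PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")

def encodings(secret):
    """Byte forms a plaintext string commonly takes in device storage."""
    return {"utf-8": secret.encode("utf-8"),
            "utf-16le": secret.encode("utf-16-le")}

def audit_dump(dump, known_secrets):
    """Return sorted (offset, finding) pairs for secrets readable in `dump`.

    known_secrets maps a label to a value you provisioned yourself,
    e.g. the Wi-Fi passphrase the device was set up with.
    """
    findings = []
    for label, secret in known_secrets.items():
        if not secret:
            continue  # an empty needle would match at every offset
        for enc, needle in encodings(secret).items():
            pos = dump.find(needle)
            while pos != -1:
                findings.append((pos, f"{label} in plaintext ({enc})"))
                pos = dump.find(needle, pos + 1)
    for match in PEM_KEY.finditer(dump):
        findings.append((match.start(), "PEM private key header"))
    return sorted(findings)

# Constructed sample image: erased flash (0xFF) around a config record.
PASSPHRASE = "correct-horse-42"  # constructed value
SAMPLE_DUMP = (b"\xff" * 16
               + b"ssid=ExampleNet\x00psk=" + PASSPHRASE.encode() + b"\x00"
               + b"\xff" * 8
               + b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n")
ERASED_DUMP = b"\xff" * 128  # what the same region looks like once wiped

if __name__ == "__main__":
    provisioned = {"Wi-Fi passphrase": PASSPHRASE}
    for name, image in (("sample", SAMPLE_DUMP), ("erased", ERASED_DUMP)):
        hits = audit_dump(image, provisioned)
        print(name, "->", hits or "no readable secrets found")
```

An empty result only shows that these particular plaintext forms are absent; it does not prove the stored data is encrypted or that the storage was fully erased.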
The fact that smart home devices have security problems isn’t news. In fact, this problem has been known for years in the IoT industry. Limited Results simply confirmed that an old problem continues to persist in the latest and most commonly used IoT technology.
With data controversies already rampant in the news, hopefully IoT manufacturers start paying closer attention to these mounting problems of data insecurity. In the meantime, organizations like the Open Web Application Security Project (OWASP) are helping to raise awareness about certain products consumers should be particularly aware of.
For the past year, OWASP compiled a list of the 10 points that represent the greatest dangers to IoT networks and devices.
Top 10 IoT Device Vulnerabilities
- Weak, Guessable, or Hardcoded Passwords
- Insecure Network Services
- Insecure Ecosystem Interfaces
- Lack of Secure Update Mechanism
- Use of Insecure or Outdated Components
- Insufficient Privacy Protection
- Insecure Data Transfer and Storage
- Lack of Device Management
- Insecure Default Settings
- Lack of Physical Hardening
Fortunately, progress towards better IoT security is being made. In 2018, a law was passed in California to regulate the security of networked devices. Starting in 2020, manufacturers will no longer be permitted to deliver devices with “generic default credentials” that hackers can easily guess.
Regarding the study: before Limited Results published its findings this year, the device manufacturer was notified and improved its encryption. In other words, the device is supposedly not as easy to hack as it used to be.
Hopefully, stories like this help nudge the IoT industry as a whole toward stronger security. Otherwise, we’ll have to keep crawling along, one device or state at a time.