In a demonstration of how vulnerable everyday, off-the-shelf smart devices are, cyber researchers at Ben-Gurion University of the Negev (BGU) disassembled devices such as baby monitors and home security cameras to reveal their underlying security issues.
"It is truly frightening how easily a criminal, voyeur or pedophile can take over these devices," says Dr. Yossi Oren, a senior lecturer in BGU's Department of Software and Information Systems Engineering and head of the Implementation Security and Side-Channel Attacks Lab at Cyber@BGU. "Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products."
"It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand," says Omer Shwartz, a Ph.D. student and member of Dr. Oren's lab. "Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely."
One reason hackers can “hijack” the devices with such ease is that similar products sold under different brands share common default passwords.
The possible solutions to the issue recommended by Dr. Oren include urging manufacturers to stop using easy, hard-coded passwords, removing remote access capabilities and making it difficult for hackers to get information from shared ports.
"It seems getting IoT products to market at an attractive price is often more important than securing them properly," Dr. Oren said.
"The increase in IoT technology popularity holds many benefits, but this surge of new, innovative and cheap devices reveals complex security and privacy challenges," says Yael Mathov, who also participated in the research. "We hope our findings will hold manufacturers more accountable and help alert both manufacturers and consumers to the dangers inherent in the widespread use of unsecured IoT devices."