Cyber pros avoid smart devices: there is a good reason


I liked the idea of a smart oven that starts roasting the turkey while I’m still at work. But cyber pros roasted me for not thinking about the consequences.

Almost all home appliances now include some kind of smart feature. Smart cameras that warn you about snoopers, smart locks that keep them away. You can remotely change your room temperature and lighting, start toasting or cooking, check your fridge contents, or vacuum the floor. Meanwhile, Alexa, Google, or Apple will control all Internet of Things (IoT) devices.

However, one particular group of specialists is really unwilling to embrace this evolution.

“IoT devices make me nervous because they have firmware that often is outdated or contains an unpatched vulnerability. It’s not unusual for patching or updating to fall to the bottom of the average homeowner’s priority list,” said Eder Ribeiro, senior cybersecurity program manager at Sontiq, a TransUnion company.

Each new smart device creates a new vulnerability at home by providing a fresh attack vector for attackers. And some devices could cause actual physical harm.

“Most IoT devices are very hackable, and manufacturers aren't making serious efforts to secure their devices against attacks,” said Roger Grimes, a data-driven defense evangelist at security awareness training company KnowBe4.

To him, the IoT market is analogous to the Wild West, where many vendors combine basic security levels with questionable firmware update practices and don’t even bother to provide contact information to report security weaknesses and bugs.

“I don't want them allowed any access to critical systems,” said Grimes.

Even digital assistants, while convenient, cause privacy concerns.

“Providers of these devices have admitted to retaining logs of the questions users ask and even recordings of audio when the device is not in use. If you value your privacy or work from home (especially if a job involves sensitive data), digital assistant devices are a potential threat,” Ribeiro said.

Cybernews asked security professionals which devices could cause the most harm if left connected and unchecked.


1. Home safe – do you want hackers to know you have one?

Some home safes for storing valuables can be locked and unlocked with your phone and even notify you if they detect false access attempts. And they even come cheap. But is this a bargain worth chasing? Because for cybercriminals, it can act as a beacon, signaling where they can find treasure.

“The main item I would never want to be connected to the internet is a home safe. If a hacker knows the basic fact that you own a safe, it could create a potential threat to you and your family,” said Kobi Kalif, CEO and Co-Founder of cybersecurity developer ReasonLabs.

While it is possible to have a relatively safe system connected to the internet, many users won’t have it configured correctly.

“We must choose carefully what we enable these smart devices to do,” Kalif warned.

2. Smart ovens or stoves can burn your savings and your entire house

Almost all cyber pros mentioned microwaves and traditional ovens, stoves, and toasters as devices to keep offline.

“I think any device that has the potential for causing serious harm should be avoided. For example, I'm fine with my refrigerator being connected, although I suspect a hacker might be able to maliciously play with food sensors to let my food spoil. But I definitely don't want my oven connected until I know for sure that there's no way for a hacker to turn my oven on, heat it to a high temperature, and leave it on. Same with a toaster,” said Grimes.

He warns that such devices in the remote hands of malicious actors can physically harm the family. And the oven companies aren’t exactly proven to have the best security measures.

“These devices can create a ton of heat. If accessed by a bad actor, that ability could create a physical risk to the home and the people inside. Or such devices could be used by a cyberbully to annoy someone or raise their utility bills,” Ribeiro said.

Matthew Carr, co-founder and CTO at cybersecurity risk assessment company Atumcell Group, agrees: he sees only minimal practical benefits in a smart oven, while connecting one increases the attack surface.


3. Smart security, baby cameras and smart doorbells

While all internet-connected devices have vulnerabilities, cameras have a terrible reputation for leaking private sensitive information, and, even worse, they can be entry points for hackers.

“For example, in 2020, over 50,000 home cameras were hacked, leading the footage to be posted online,” Kalif shared.

Homeowners appreciate the option to review recordings and provide the footage to law enforcement if something happens. However, according to Ribeiro, this functionality often requires device providers to keep footage on the cloud, giving bad actors direct and often live information about what happens in the home.

Even camera vendors cannot be trusted with private information that could be easily sold to marketing data brokers. Smart baby monitors are even worse.

“Strangers have been known to interact with children via cloud-based baby monitors. As a parent in cybersecurity and privacy, this is not a risk I take or would recommend anyone else take,” Ribeiro said.

Cybernews already reported that many IP camera owners have their devices exposed online and accessible to anyone.

4. Door locks and garage doors can break digitally

Smart locks and garage doors are both risky and useful to cyber pros. Physical vulnerabilities apply to all locks, but only smart locks are vulnerable to cyber threats.

Smart locks are “vulnerable to hacking and can compromise physical security,” warned Anurag Gurtu, CPO at StrikeReady.

Carr agrees: “These can be a risk if their security isn't robust, as they control physical access to your property.”

However, not everyone thinks that smart locks should be avoided.

“Smart locks provide real benefits. Being able to lock or unlock doors remotely can be very beneficial, especially with small children at home. Consider setting up a VPN to access these devices remotely. This way, you can easily add additional security measures, requiring MFA, to access what may otherwise be a very insecure IoT device,” argues Josh Amishav, Founder and CEO at Breachsense.

5. Devices with access to water, heating, electricity

Intelligent water systems, smart washing machines or dryers, and smart thermostats offer convenience and sometimes can significantly improve energy efficiency and comfort. There were some disagreements among cyber experts on whether it is best to use them.

“Smart thermostats can help homeowners save money on energy bills, and smart lights can be controlled remotely,” said Damir J. Brescic, CISO at Inversion6.

If properly protected, intelligent air conditioning and heating systems have shown their value in predicting when users want the temperatures to go up or down during the day and night.

However, Carr warned that those could also be exploited to infer when a house is empty, leading to significant losses or damages. He would keep washing machines and dryers offline as they offer limited benefits compared to the risks.

To help users decide before installing smart systems for water, energy, and even fire/gas detectors, Grimes offered an analogy with cars: car manufacturers make significant efforts to ensure that hackers cannot manipulate critical systems like brakes, speed, and the engine. By contrast, any potential harm would be less severe if a hacker were to disrupt non-critical systems, such as the radio station.

“The same thing is needed for any device in your house that has the possibility of harming it,” he said.

Are smart fridges or vacuums OK?

No, but the risks are less significant.

“Like any smart device, a smart refrigerator is just another endpoint that can be compromised by a bad actor. Once they make their way onto the network through the fridge, cybercriminals may be able to move across the network, eventually tapping into more sensitive devices, such as home or work-from-home computers,” Ribeiro said.

Robotic vacuums are unlikely to cause physical harm, except maybe to small pets. But they send virtual maps and other private information to the company behind the product or, worse, to attackers.

Other cyber pros would add wine fridges, coffee machines, connected children's toys, dishwashers, dryers, and other devices to the list of things that offer minimal practical benefit from internet connectivity but increase the attack surface and can lead to broader risks.

Separate computing devices, not only computers or phones but also smart TVs and other streaming devices, voice assistants, and home routers, should be highly secured and updated. Also, cyber pros advise checking privacy settings on what vendors collect and sell to third parties.

“There are too many to choose from, including our lights, air conditioning, refrigerators, washing machines, TVs, and more. Again, however, all of these need to have the proper security features in place to avoid potential information loss, data exposure, or safety incidents,” Kalif said.

How to protect your smart devices?

Protection starts with research before buying the device. While all IoT device providers are incentivized to safeguard their devices, it’s not necessarily their top business priority.

“Generally, I would avoid non-brand name manufacturers that are low-cost. Stick with the big-name brands, like Google and Amazon, who will update the devices with the latest security protocols,” said Chase Norlin, Founder of eSure.AI and a cybersecurity expert.

“Stay away from devices that do not have encryption capabilities or that do not have firmware updates or patches that may be more likely to be compromised,” Brescic added.

Looking for providers with assurances regarding privacy, security, and updates via contractual language is a good first step, according to Ribeiro.

“You want to be sure they will not retain or sell log data taken from your device or interactions with your device. A good VPN provider, for instance, will tell its users: No logs, ever,” he said.

The next step is to maintain proper cyber hygiene with strong credentials (never using default passwords, never reusing them) and to enable multi-factor authentication.

“Make sure the software and operating systems for all devices are kept up-to-date, especially smartphones. People sometimes believe system updates make phones slower. They do not. They do help keep them safe,” Ribeiro said.

Matthew Carr would then suggest setting up network segments and separating all IoT devices from the main network to contain potential breaches.
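Carr's segmentation advice, sketched as an nftables policy for a Linux-based home router. This is an added example, not part of the original article; the interface names `wan0` (uplink), `lan0` (trusted network) and `iot0` (IoT VLAN or SSID) are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed interfaces: wan0 = uplink, lan0 = trusted LAN,
# iot0 = separate VLAN/SSID that holds every smart device.
flush ruleset   # replaces any rules already loaded on this router

table inet home_fw {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # IPv6 neighbor discovery must work on every interface.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert } accept
        # The trusted LAN may manage the router.
        iifname "lan0" accept
        # IoT devices get DHCP and DNS from the router and nothing else,
        # so the router's admin interface is unreachable from them.
        iifname "iot0" udp dport { 53, 67 } accept
        iifname "iot0" tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Trusted devices reach the internet and may open connections
        # to IoT devices (for example, a phone app talking to a camera).
        iifname "lan0" oifname { "wan0", "iot0" } accept
        # IoT devices may reach the internet only.
        iifname "iot0" oifname "wan0" accept
        # An IoT device opening a connection toward the trusted LAN is
        # dropped, counted and logged: a signal worth investigating.
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan-drop: " counter drop
    }
}

table ip home_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

After loading the file with `nft -f`, `nft list ruleset` shows the counter on the last forward rule; a non-zero value means a device on the IoT segment tried to reach the main network.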

A smart home hub could be considered as it allows smart devices to communicate with each other on the local network, reducing their need for internet access.

And finally, do what the cyber pros do – avoid smart devices altogether if there is really no need for them, and disable the features you don’t use.





Comments

James Draxler
6 months ago
It's easy to have both. Create a separate vlan on your network and put all devices on there. If anyone does hack one they are only gaining access to an isolated lan that only has Internet access.
Frank Mechanic
6 months ago
Hackers don't scare me as much as the cloud firm itself deciding they don't want you as a customer any longer and shutting down access to all your devices, rendering them useless. Amazon comes to mind. The woker, the worse.
William
6 months ago
It needs to be an explicit assessment which many do not do. Especially when something could be life threatening if compromised.

I don't really care if my thermostat is compromised, but other things can be real threats. Cars, pacemakers and other medical implants, door locks, cameras and other security devices, etc.
Adam Christensen
6 months ago
I am so tired of hearing this take. I do not care that the "professional opinion" is on IoT. Y'all can go live in a cave then. I'll be enjoying my smart switches and dimmers, thank you very much.
Kento
6 months ago
Avoiding a security risk by using analog dimmers is "living in a cave". Word.
Bill Thomas
6 months ago
Using that logic, don't buy a car either since they are IoT devices and could be exploited. And don't travel by plane, train or bus...there are literally dozens of IoT systems in most commercial aircraft and vehicles. You can lower the risk of security issues with smart devices by keeping them updated and use complex passwords and change passwords frequently.