Who's hacking your smart home?

The market for smart home devices is tipped to explode over the next few years, but many consumers remain woefully ignorant of the threats such tech can incur.

It might come as a shock to many synth-pop fans out there but this year marks the passing of 37 years since the release of Electric Dreams. This 80s in extremis romcom introduced many to the concept of the connected or smart home, albeit one facilitated not by wireless IoT technology, but by an accidentally sentient pre-GUI computer.

While many cinema-goers at the time might have dismissed such possibilities as silly sci-fi fantasy at best, the fact remains that in the developed world at least smart homes are rapidly becoming a reality if not the norm. This is particularly so among members of the Millennial and Generation Z cohorts, with Finland's F-Secure reporting that extensive surveys conducted over several years show that the consumers most likely to purchase and deploy smart home technology "tend to be married Millennials in their 30s with college degrees, young children and a passion for filling their new homes with Internet-connected devices of all sorts."

Although such consumers are typically "better informed than their peers, explorative and in search of new technology offerings to try," they are certainly not alone in purchasing smart home gadgets and gizmos. 

Smart home market growth

"Increasingly focused on [purchasing] devices that have some functional use for the home," these early adopters comprise the active vanguard of a global market that market research firms MarketsandMarkets (MandM) and Verified Market Research (VMR) expect, respectively, to be worth around $135.3 billion by 2025 and $207.9 billion by 2027. Based on MandM's 2020 market value of $78.3 billion and VMR's 2019 figure of $80.8 billion, this represents respective compound annual growth rates (CAGRs) of 11.6% and 13.5% over the periods in question.

Moreover, in terms of physical units, the most recently published figures from the International Data Corporation's (IDC) Worldwide Quarterly Smart Home Device Tracker suggest that the global smart home market will total more than 1.4 billion worldwide shipments by the end of 2024. 

Furthermore, while some mid-2020 research suggested a slight retardation of the market from initial COVID-19-related economic worries, a new consumer survey conducted at the behest of Xiaomi implies that the massive fillip for digitalisation that the ongoing pandemic has delivered is very good for business indeed. "On average, consumers bought two new smart devices since March in response to being home more during the pandemic, with [Generation Z] consumers buying an average of three," a January press release states.

Moreover, with Parks Associates announcing new stats showing that smart home tech use has also "skyrocketed" among US seniors aged 65 and over, there is reason to believe that this pandemic-propagated push is anything but a blip. "Moving into 2021," Xiaomi states, "the adoption and integration of smart home technology will be a prevailing trend in home improvement as consumers look to smart devices as part of their long-term solutions. Increased time at home during COVID-19 drove significant changes and desires for how people lived in, interacted with and designed their homes, and smart home ecosystems provided a solution for the unprecedented changes of 2020."

Smart home security issues

Clearly, this is all great news for the makers and sellers of smart home tech, but it also raises serious questions of security and privacy. After all, as Georgios Kavallieratos, Nabin Chowdhury, Sokratis Katsikas, Vasileios Gkioulos and Stephen Wolthusen observed in a 2019 academic paper for Future Internet, the "dynamicity, along with the increased interconnectivity and enhanced operational features [of modern smart homes] increase the attack surface of such ecosystems." In other words, the more stuff you've got hooked up to the Internet, the more stuff there is for a black-hat hacker to hack.

This is particularly salient given that smart home devices, unlike desktops, laptops, smartphones and tablets, rarely feature anything in the way of endpoint security despite their generally always-on and always-online nature. Compounding this, many smart home devices often lack a screen or similar interface by which the user might otherwise observe anomalous activity occurring. They are also usually kept in unobtrusive or out-of-the way places which further hinder conscious monitoring.

Moreover, as Alessandro Agazzi of Bournemouth University notes in a 2020 paper, although smart home devices may "present cutting-edge features," they are "usually built with cheap hardware elements." Such cheap chips and firmware, Agazzi continues, "usually incorporate built-in vulnerabilities" that can be difficult if not impossible for users to spot and which may be "potentially exploitable" by bad actors sniffing around a home network.

Once compromised, a smart home device may not only be taken over and controlled by a malicious entity, but it may also be used as a gateway to the rest of the home network and as a vector for attacking other devices that could then be co-opted into a botnet for the purposes of surreptitious crypto mining or the execution of a Distributed Denial of Service (DDoS) attack. Additionally, Palo Alto Networks states that 98% of all IoT device traffic is currently unencrypted, potentially providing an intruder with a feast of cleartext data. And given that COVID-19 has also led to a huge upswing in remote working, any sensitive data exposed will likely not be just personal in nature.

Likewise, as a recent class action against Amazon's Ring camera brand shows, hacked devices with a camera or microphone can also be used to spy on and abuse the user. Thus, a single unsecured smart home appliance could potentially lead to the user being subjected to a host of nefarious activities, ranging from mischief and mayhem to burglary, stalking and even home invasion.

Smart home threat ignorance

While F-Secure in its Connected Home Security report states that the majority of consumers are not only aware of smart home device privacy risks, but also "crave to secure all devices in their homes and are willing to pay for it," there is nevertheless evidence to suggest that ignorance remains rife. This past November, for instance, Comcast’s 2020 Xfinity Cyber Health Report revealed major gaps in the public understanding of common cyber threats.

For example, when asked seven true-or-false questions about basic cybersecurity matters, 96% of the 1,000 US consumers polled were unable to answer six correctly, with 42% getting three or more wrong. Furthermore, while the majority had heard of malware (65%) and phishing (53%), far fewer had heard of IP spoofing (34%), DDoSs (18%) and drive-by attacks (18%), with only a very slim number able to confidently explain what any of those terms actually mean.

Perhaps more worryingly, Comcast reports that 95% of respondents "grossly underestimated the volume of attacks they face each month": the average perceived amount of 12 such threats falling well below the figure of 104 indicated by the company's own security monitoring efforts. What's more, some 28% of respondents thought the figure was zero.

That said, respondents weren't massively out of step with Comcast's finding that the five most targeted systems on a typical home network are computers and laptops, followed by smart phones and tablets, networked cameras, networked storage devices, and streaming video devices. Nevertheless, the survey did discover a definite "disconnect between perception and reality when it comes to cyber-safe behaviour."

"A large majority (85%) of respondents indicated they are taking all the necessary security precautions needed to protect their home networks," Comcast states. "And yet, a clear majority of respondents (64%) admitted to behaviours that open themselves up to attack. For example, reusing passwords enables attackers to gain access to multiple personal accounts with a single stolen password, and sharing passwords increases the likelihood they can be stolen in the first place."

Top tips for a smart home

What then can the average smart home consumer do to secure their gadgetry from attack? Well, Comcast would no doubt argue that they make use of its xFi Advanced Security service, which employs CUJO artificial intelligence (AI) and provides gateway security between the home network and the wider internet beyond. This may be very good advice for residents of North America, where Comcast operates and where Cisco expects the average number of networked devices per capita to reach 13.4 by 2023 (compared to a global average of 3.6 and figures of 9.4, 4 and 1.5 apiece for Western Europe, Asia-Pacific and the Middle East and Africa). However, it is certainly not the only measure that can be taken.

As well as urging the public to contact their Internet service providers (ISPs) to find out what sort of security services they can offer, Patti Loyack, Comcast's vice-president of connectivity services, also advocates using multifactor authentication wherever possible, such as a password in combination with a one-time passcode sent to the user's phone. Likewise, she advises users to enable auto updates when setting up a smart home device, as such firmware updates often add new security features or patch holes and are thus critical to maintaining security.

With Verizon in 2019 calculating that email was used to deliver some 94% of all malware attacks, Loyack is probably not alone in recommending users err on the side of caution when clicking through their inboxes and particularly their spam folders. "Take a minute, review the email and be on guard for irregularities. If you have any suspicions, trust your instincts," she says. "Never click on unknown or suspicious links."

While some might also argue the merits of using a virtual private network (VPN), one important step that users anywhere can take right away is to make sure they set strong passwords, avoiding default, generic and easy-to-guess passwords that use pet names and birthdays and the like. "Keep in mind that a long, simple, easy-to-remember phrase is a better password than a short, complex one," Loyack says, adding: "You should always use unique passwords for sensitive sites like banking or investing, and even services like Netflix or Amazon that may store your personal and credit card information."

And if that all sounds too obvious for some, remember that it's not just neophyte newbs that can fall foul of such basic errors. For example, Gary McKinnon, the British hacker who gained unauthorised access to a host of US government, military and intelligence computers looking for evidence of extraterrestrial interaction, claims that many administrator passwords he encountered weren't just variants of “password123” but were instead left completely blank. 

Whether seeking to protect UFO secrets or your smart home toaster, though, just don't do what a friend of mine once did. After devising a particularly hard-to-crack yet easy-to-remember password, he became so consumed with pride that after a few drinks he began boasting about it at the bar. Admittedly, it was indeed a most fiendishly clever password, as we all agreed while writing it down and committing it to memory. Of course, that was before smartphones were big and smart homes a thing. These days, should you do the same, you might quickly see your electric dreams turned to electric nightmares.

About the author: Brian Dixon is a freelance journalist and video editor with more than 20 years' experience covering business, tech and industrial beats for print and online publications in the UK, Poland and Sweden. A keen traveller, he has so far visited 75 countries on six continents. Pandemics permitting, he divides his time between the UK, Poland and Japan.