When you use your new ‘smart’ monitor to check on your sleeping baby at night, you may not be the only one peering into the crib.
Researchers announced Tuesday that they were able to crack into most ‘smart,’ internet-connected home devices easily, often within minutes.
“It is truly frightening how easily a criminal, voyeur or pedophile can take over these devices,” said Yossi Oren, a senior lecturer and head of the Implementation Security and Side-Channel Attacks Lab at Ben-Gurion University of the Negev in Israel.
“Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products,” Oren wrote in a news release.
The researchers tested a number of products that connect to the web using the so-called “internet of things,” or IoT. These products include things like smart baby or pet monitors, security cameras, thermostats and more.
“It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand,” Omer Shwartz, a Ph.D. student and member of the security lab, said in the release. “Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely.”
The lax security on smart devices has been of concern for some time. In October 2016, hacked home security cameras and DVRs dropped what they were doing and blasted a cyberattack on a critical part of the Internet’s infrastructure in the U.S., shutting down major sites like Netflix, Twitter and Amazon.
After the news got out, a product manager at The Atlantic launched an experiment by creating a fake server for what could have been any internet-connected device - in this case, an “internet toaster” - and seeing how long it took for it to be hacked.
About 300 different sources tried to hack the server within the next 12 hours. The first attempt came less than an hour after it was first switched on.
This latest research from BGU shows that the problem is growing. Hackers seem to be taking advantage of these loopholes to do more than just shut down websites. In Denmark, a woman who bought a security camera for her home taped a chilling video of the device turning on by itself and swiveling to face her as a man whispered through the speaker.
In another account, someone apparently took control of a baby monitor, made a comment about a baby’s diaper and told the nanny she should password protect her camera, reported WFMY.
The researchers had a few tips for how to prevent hackers from taking over your device.
One is perhaps the most important: Make sure you change your password for the device immediately: don’t stick with the default one that comes from the manufacturer.
Most people, the researchers say, never change the default password, so hackers already are coming through the door key-in-hand.
Update your device regularly, and don’t use the same password for multiple devices.
Only buy from reputable manufacturers and stores, and avoid buying used whenever possible, as malware may already be installed.
Oren, the lead author of the report, wrote that he hopes the burden of securing these devices will eventually fall to the manufacturer, not the consumer. “It seems getting IoT products to market at an attractive price is often more important than securing them properly,” he wrote.
Co-researcher Yael Mathov agreed.
“We hope our findings will hold manufacturers more accountable and help alert both manufacturers and consumers to the dangers inherent in the widespread use of unsecured IoT devices,” he wrote.