Most off-the-shelf IoT devices carry 'frightening' security risks, warn researchers

Off-the-shelf connected devices, such as baby monitors, home security cameras, thermostats and doorbells are easily hackable, warn researchers at Ben-Gurion University.

They found that the majority of consumer devices are riddled with security flaws, making them easy targets for cyber criminals.

In an ongoing research project, the researchers are examining a range of IoT devices for security flaws. The research is focusing on technology that is intended for use in so-called smart homes.

After dissembling and reverse engineering a plethora of common internet-enabled devices, the researchers said that they "quickly uncovered serious security issues".

It is truly frightening how easily a criminal, voyeur or paedophile can take over these devices

Dr. Yossi Oren, a senior lecturer in BGU's department of software and information systems engineering, said it is worrying how quickly attackers can compromise such devices.

"It is truly frightening how easily a criminal, voyeur or paedophile can take over these devices," he said.

"Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products."

When conducting a controlled experiment, the ethical hackers were able to bypass security mechanisms in a matter of minutes.

Omer Shwartz, a Ph.D. student working on the project, explained: "It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand.

"Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely."

Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely

The researchers said the main reason that hackers can compromise these devices is because they are "poorly secured". For instance, devices under the same brand often use the same default passwords.

Dr Oren said manufacturers need to "stop using easy, hard-coded passwords, to disable remote access capabilities, and to make it harder to get information from shared ports".

He explained: "It seems getting IoT products to market at an attractive price is often more important than securing them properly."

Ethical hackers were able to bypass security mechanisms in a matter of minutes

Yael Mathov, who also helped out on the project, said the threats far outweigh the benefits of connected devices at the moment.

"The increase in IoT technology popularity holds many benefits, but this surge of new, innovative and cheap devices reveals complex security and privacy challenges," he said. 

He continued: "We hope our findings will hold manufacturers more accountable and help alert both manufacturers and consumers to the dangers inherent in the widespread use of unsecured IoT devices."

Further reading

• Security

Government to demand 'security by design' in new measures to tackle IoT security

• 07 Mar 2018

• Security

Survey shows disconnect between IT and business leaders on IoT security

• 09 Nov 2017

• Security

US law makers to introduce IoT security legislation next week

• 04 Aug 2017

• Internet

ARM, Symantec and others create IoT security protocol

• 20 Jul 2016

• Strategy

Bruce Schneier: governments have a 'stark' lack of expertise in IoT security

• 09 Jun 2016

• Security

Lax IoT security could threaten lives

• 08 Jun 2016

• Tweet  
• Facebook  
•  
•  
• Send to  

• Topics
• Security
• security
• hackers
• iot
• Internet of Things
• Cyber crmininals
• Ben-Gurion University
• Yossi Oren