A home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week, an investigation by UK consumer champion Which? has found.
UK households now have more than 10 different connected devices on average, from televisions to thermostats. While these products can bring huge benefits and convenience for consumers, as homes become more connected they can become more of a potential target for hackers.
Which? set up a fake home and filled it with connected products bought from online marketplaces, ranging from smart TVs, printers and wireless security cameras, to more unusual gadgets such as Wi-Fi kettles. Researchers then connected them to the Internet, exposing them to online threats and malware created by real cybercriminals.
Working with cyber security specialists NCC Group and the Global Cyber Alliance, Which? looked for unique scanning attempts – a technique used to locate online devices that exists in a legal grey area and is a potential gateway used by hackers – and hacking attempts, which are a clear breach of the Computer Misuse Act.
The research team saw 1,017 unique scans or hacking attempts coming from all around the world in just the first week of testing, with at least 66 of these being for malicious purposes.
That figure rose to 12,807 unique scans or attack attempts against the home devices in the busiest week, including 2,435 specific attempts to maliciously log into the devices with a weak default username and password. That equates to 14 attempts every hour by real hackers to infiltrate the devices.
Most of the time, the basic security protections in the devices were able to block the attacks, but that was not always the case.
The most targeted devices in the testing were an Epson printer, an ieGeek branded wireless camera and a Yale smart home security system. All three devices were purchased from Amazon.
The ieGeek camera was easily hacked and compromised, allowing what appeared to be a genuine hacker to access the video feed and spy on the testers. This is despite Amazon awarding the camera its influential ‘Amazon’s Choice’ endorsement, with more than 8,500 ratings on its site, two thirds (68 per cent) of which were five-star reviews. The device has now been taken down from Amazon at Which?’s request.
All real attacks against the printer and security system failed because they had reasonably strong default passwords in place. This does not mean they are unhackable, just that they have basic protections against the most common bulk attacks that plague smart homes. Most cybercriminals will not try again as it is not worth their time to attempt anything more sophisticated.
The most common reason to hack smart devices is to add them to botnets such as Mirai, which probe for newly connected insecure devices, such as routers, wireless cameras and connected printers, and then force their way past weak default passwords. From there, the botnet can be used as a powerful hacking tool, as in 2016 when it knocked Twitter, Amazon and other leading websites temporarily offline.
Based on Which?’s experiment, nearly all (97 per cent) attacks against smart devices are to add them into the sprawling Mirai botnet.
The hacking traffic comes from around the world, but the vast majority appears to originate from the USA, India, Russia, the Netherlands and China.
As soon as testers connected the home to the internet, they were being surveilled. As well as seeing the location where scans and attacks were coming from, Which? could also track the time of the attempts.
Which? found spikes of activity during the 9am-6pm period of the typical UK working day. This suggests that criminals know this is when people will be using their devices, potentially for work during the pandemic, and so they have more chance of hitting a target.
While not all scanning activity is malicious, and some is even semi-legitimate, malicious hackers use port scanning to find weak and vulnerable devices to prey upon.
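Which? does not publish the analysis behind these figures, so the following is an added example, not the article's or NCC Group's code: it shows how a defender could triage a device's own connection log in the same way, separating scans from login attempts, flagging attempts that use known default credentials, spotting a successful login and finding the busiest hour. The log format, the default-credential list and the sample lines are all constructed for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log from a smart camera honeypot (not Which?'s data).
# Each line: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2021-06-14T09:12:03Z kind=scan src=203.0.113.5 port=23
2021-06-14T09:12:04Z kind=login src=203.0.113.5 user=admin pass=admin result=fail
2021-06-14T09:13:10Z kind=login src=198.51.100.7 user=root pass=123456 result=fail
2021-06-14T10:02:44Z kind=scan src=192.0.2.9 port=8080
2021-06-14T10:05:00Z kind=login src=192.0.2.9 user=admin pass=Xk9!v2Qe result=fail
2021-06-14T14:30:21Z kind=login src=203.0.113.5 user=admin pass=1234 result=success
"""

# Constructed list of factory-default credential pairs that bulk attacks try.
DEFAULT_CREDS = {
    ("admin", "admin"), ("admin", "1234"), ("admin", "123456"),
    ("root", "root"), ("root", "123456"),
}


def parse_line(line):
    """Turn one log line into a dict of fields plus a parsed timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def summarise(log_text):
    """Classify events the way the article does: scans vs login attempts,
    default-credential attempts, successful logins and the busiest hour."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    logins = [e for e in events if e["kind"] == "login"]
    default_cred = [e for e in logins if (e["user"], e["pass"]) in DEFAULT_CREDS]
    compromised = sorted({e["src"] for e in logins if e["result"] == "success"})
    per_hour = Counter(e["ts"].hour for e in events)
    return {
        "scans": sum(1 for e in events if e["kind"] == "scan"),
        "logins": len(logins),
        "default_cred_attempts": len(default_cred),
        "compromised_sources": compromised,   # sources that got in: rotate creds now
        "busiest_hour": per_hour.most_common(1)[0][0],
        "unique_sources": len({e["src"] for e in events}),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Any non-empty `compromised_sources` entry means a default password was accepted and should be changed before the device goes back online.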
Which? believes it is vital that the government pushes forward with plans for legislation to require connected devices to meet certain security standards and ensure this is backed by strong enforcement.
The Product Security and Telecommunications Infrastructure Bill, expected to be introduced in 2022, aims to regulate insecure connected products. Among its provisions is that default passwords on connected products, such as ‘admin’ or ‘123456’, will be made illegal.
The consumer champion also wants to see online marketplaces and retailers given additional obligations for ensuring the safety and security of the products sold on their sites, regardless of whether the seller is a third-party.
“While smart home gadgets and devices can bring huge benefits to our daily lives, consumers should be aware that some of these appliances are vulnerable to hackers and offer little or no security,” warns Kate Bevan, Which? Computing Editor. “There are a number of steps people can take to better protect their home, but hackers are growing increasingly sophisticated. Proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.”