Introduction:
Reports from across the U.S. indicate an ever-increasing problem of hackers accessing the Wi-Fi/Internet-enabled cameras from Nest and other IoT security/surveillance device companies. This author and others have many times warned this is likely to be the number one reason NOT to have a “connected home,” i.e., because of Internet-related security problems. There have been well-publicized IoT hacks that took control of Internet-enabled trucks, cars, drones, and appliances. The IoT security protocols don’t seem to be robust enough to prevent such occurrences.
In a case reported by WPIX, a Nest camera purchased for the home was hacked by a stranger who tried to have a conversation with a five-year-old boy. The boy was accustomed to talking with his father via the Nest cam – a home monitoring system users can connect through their cell phones – on a daily basis after he returned home from school. But, on this particular occasion, a complete stranger was on the other end.
According to the mother, her son came running out of the playroom saying, “It’s not daddy talking to me. It’s not daddy.” When she walked into her child’s playroom, the ominous voice addressed her directly.
The frightened mother wondered how long a complete stranger had been watching her family. After this horrifying violation, the mother called the police, who were sympathetic but said there was little (i.e., nothing) they could do about the incident.
Now for a similar recent camera/speaker hack that was much worse:
Hacked WiFi Camera & Speaker Warn of Fake North Korea Missile Attack on U.S.:
Last Sunday afternoon (January 20, 2019), Laura Lyons and her husband were at their home in Orinda, CA preparing dinner. Mrs. Lyons heard a loud squawking sound, similar to the beginning of an emergency broadcast alert, blasting from her living room. Then she heard a voice warning of three North Korean intercontinental ballistic missiles headed to Los Angeles, Chicago, and Ohio.
“It warned that the United States had retaliated against Pyongyang, North Korea and that people in the affected areas had three hours to evacuate. It sounded completely legit, and it was loud and got our attention right off the bat. … It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on,” she said.
As their scared 8-year-old son crawled underneath the rug, the couple realized the apocalyptic warning came from their Nest security camera atop their living room television. As the frightening message repeated a second time, Lyons’ young son asked, “Mommy is there a missile coming?”
Lyons initially anticipated an Amber Alert warning, but the detailed nuclear war message claimed to be from Civil Defense and provided details down to the fact President Trump had been taken to a secure facility.
After many minutes and phone calls to 911 and to Nest (owned by Google), the couple learned they likely were the victims of a hacker. That panic turned to anger when they found out that Nest knew that there had been a number of such incidents — none involving nuclear strike scenarios — but failed to alert customers. Lyons said a Nest supervisor told them Sunday they likely were the victims of a “third-party hack” that gained access to their camera and its speakers. The company did not return a request for comment Monday by the San Jose Mercury News, which published this story.
After a few calls to Nest customer service, the Lyons were told they most likely were victims of a hacker who accessed their data through a “third party data breach.”
“They (Nest) have a responsibility to let customers know if that is happening,” she said. “I want to let other people know this can happen to them.”
The Mercury reported that in December 2018, a Houston, TX couple rushed to their infant’s room when a hacker began screaming over the family’s Nest camera baby monitor that he was going to kidnap their child. The same month, a benevolent Canadian hacker began speaking to a Nest camera user in Arizona, warning him that his system was ripe for hacking and how to protect it.
Analysis and Opinion:
Adwait Nadkarni PhD, an assistant professor of computer science at the College of William & Mary, was a lead investigator in a December study on the vulnerability of Nest and related IoT security technology.
Nadkarni said the recycling of passwords for multiple online services is even more troubling now with the prevalence of in-home, WiFi-enabled devices that provide a hacker access inside someone’s property.
“If even one of the services is compromised, the attacker can use the password to gain access to everything else,” Nadkarni said. “I would definitely recommend using a password manager to use different passwords for all services and enabling 2-factor authentication.”
Our take is that the world of perpetually connected home devices is ultra-scary and problematic, especially if one uses a smart speaker (like this author has had for over 2 years) to control them. Many of these IoT connected devices are often unprotected by strong security and therefore easy to hack/control. I can envision scenarios where a hacked connected oven blows up, a refrigerator/freezer is turned off so all the food in it spoils, a connected washing machine floods a house, etc. (Also, the smart speaker is a single point of failure and, from my experience with Amazon Echo/Alexa, has way too many WiFi and/or Internet outages.)
Zombie bots are another huge threat for IoT connected home devices. They are now being used by hackers to take over connected devices to disseminate different types of malware, viruses, or spam to other Internet-connected gadgets and home appliances.
Once only used to take over computers, zombie bots, as executed in the Mirai botnet attack, have expanded into the world of IoT connected devices.
“Massive botnets are used in distributed denial of service (DDoS) attacks, which are among the most intimidating types of attacks of which zombie botnet armies are capable. DDoS attacks are growing in number and severity; one report found that they’ve increased by 29% since Q2 2017, with the average attack size having increased by 543% to 26.37 Gbps.
The increase in DDoS attacks is attributed to large scale botnets comprised of insecure IoT devices. The adoption of IoT devices shows no signs of slowing down either. Today, there are currently 23.14 billion IoT devices worldwide. That number is predicted to reach approximately 75.44 billion by 2025.
New variations of the Mirai and Gafgyt botnets exploit vulnerabilities found in IoT devices, including the security flaw that led to the massive Equifax breach of 2017. Just this past month, a botnet by the name of Chalubo was discovered by security researchers. By targeting poorly-secured IoT devices and servers, the Chalubo botnet compromises users’ devices for the purpose of executing a DDoS attack. Researchers also found that this botnet had copied a few code snippets from Mirai, demonstrating that cybercriminals have realized how effective this type of attack is.”
Conclusions:
Much of the embedded firmware running in IoT devices is insecure and highly vulnerable, leaving an indeterminate number of critical systems and data at risk. Hackers can launch DDoS attacks by infiltrating and leveraging thousands or millions of unsecured devices in homes all over the world.
One website that lists the five worst IoT hacking and vulnerabilities in recorded history is here.
This author would defer buying any connected home devices until these security problems are resolved. If you are inclined to do so, please follow the IoT connected smart home security tips from anti-virus companies like Norton.
5 replies on “The Dangers of WiFi/Internet Enabled Cameras and the IoT Connected Home”
Thanks Alan for sharing. This sort of thing has always been a sort of nightmare, but now it is becoming reality. The scary thing is that it is a trusted brand, not some no-name device which is vulnerable. Combine this with reports of Ring engineers watching people’s surveillance camera videos and it paints a frightening picture.
The ironic thing is that people are paying to put a retail presence (or at least part of a retail presence) in their home when they purchase devices from Amazon. It is a brilliant strategy. What other things could be done with these cameras and sensors; how about identifying customers who have take out food delivery services and then targeting that group with ads from a competitor?
On a personal basis, I don’t have a dedicated device with ears, eyes or voice present in my house (granted, I have issues with multiple smart phones listening and sometimes talking back).
I also have a hub and about 35 connected recessed lights that sometimes “Poltergeist” (flash on/off for no apparent reason). They also don’t always seem to fire at the right time (a couple of times a month, a light won’t get the trigger from the hub to turn off at night). Am I concerned about this getting hacked? Yes, but I can just disconnect the hub and I don’t think there will be much damage….
But, as you point out, as other appliances are connected, such as dishwashers and more, a hacker could start to do real damage.
What really scares me is that some day I might not have a choice to have listening devices, as we are starting to see MEMS microphones embedded in the most mundane products, such as light switches.
There are two problems with connected devices and you’ve only covered one. The other issue, and maybe the more severe, is the privacy given up by the end user (usually unwittingly), when they agreed to the manufacturer’s terms and conditions when they originally put the device on their network. Smart TVs may be the biggest offenders, but everything connected that can tell something about you, will. People don’t really realize that they may only use the devices a few hours per week, but they use them 24×7.
Good point. The metadata that the device collects could be more valuable to the device supplier than the actual direct revenue from selling or servicing a device.
The moment you buy something that syncs with a WiFi network, it is important to take care of network security. I bought NordVPN for my home security cameras, and it worked well and cost less than insurance, so I think this is a little thing you can do to sleep well.
Great idea. I have interviewed a couple of companies that make similar products, such as Keezel
http://www.viodi.tv/2016/02/22/a-protector-for-accessing-the-digital-dark-alleys-of-the-internet/
The E-blocker interview was interesting, as the CEO demonstrated how, by making it look like your IP was from a different area, it is possible to receive different offers from merchants.
http://www.viodi.tv/2018/01/02/beyond-privacy-to-dollars-and-cents/