There are criminals out there looking to exploit smart thermostats and Wi-Fi cameras. Hackers can remotely disable a thermostat and demand a ransom to return it to working order, or gather sensitive information about its owner. It’s the risk of anything wireless and convenient. Cybersecurity researchers fight back by dissecting smart hardware and finding weaknesses for manufacturers to fix before the bad guys get wise. We asked a few of these researchers to assess whether some common smart appliances left their figurative doors unlocked.
Ryan Speers and Gene Chorba work at Ionic Security in Atlanta. The company specializes in encryption, intelligently scrambling data so that only the intended recipient can see the information. Its clients include the Department of Homeland Security, making Speers and Chorba overqualified but enthusiastic about assessing a Wi-Fi sous vide, a slow-cooking heating element. Within six hours of testing, they got in. “We saw unencrypted and unauthenticated data coming from the device,” Speers says. “That meant we could ‘sniff,’ or monitor its communication with the user.” With the right tools, they could potentially alter those commands, like a hacker bent on maliciously overcooking your steak. Getting that far would typically require the attacker to be physically within range of the Wi-Fi network running the device. The attacker could, however, trick the user into opening a shady email attachment and get remote access.
Next—to save him the time of duping us with an email scam—we gave the login information for our smart refrigerator app to Amir Abramovitch, head of research at CyIoT in Israel, where he works with huge banks we can’t mention here. From across the Atlantic, he ran the refrigerator’s app on his iPhone, then used software called Burp on his laptop to watch communication between the app and the refrigerator’s data centers—instructions like “change the temperature to 34 degrees.” “It’s a process called Man in the Middle,” he says. In this case, the refrigerator app sends information to the internet but it goes through his laptop first. “I could intercept the data,” he says, “then modify it.” Unlike the sous vide, the refrigerator’s transmissions were encrypted, which he worked around by finding a bug in the app. “If you could give me until the next issue, I could find the real weakness,” he says, “I really want to make it explode!”
Since these innocuous appliances wouldn’t be worth a criminal’s effort, the more likely danger is a distributed denial of service (DDoS) attack. In these attacks, criminals remotely take over millions of smart devices and instruct them to send requests to major websites. In 2016, it happened to a company called Dyn, temporarily shutting down sites like Amazon, Reddit, and Twitter. “Say you have a pipe that can handle five gallons per second. A DDoS attack takes water from fifty different places and sends it toward that pipe, overloading it with information,” says Zach Wikholm, a research developer and one of the first responders to the Dyn incident.
So, yes, smart devices are vulnerable, and they invite potential crime. But no need to buy only dumb devices. “The bad guys haven’t found out how to make money off this,” says Kevin Haley, director of security response at Norton by Symantec, the company that makes most of the world’s antivirus software. “Not yet.”