Is Smart Home Security Easily Hacked in 2024? Here’s Everything You Should Know

0

Start researching smart home security topics on the internet, and you quickly run into articles on smart home hacking. It’s an unpleasant consideration: What if your new (and often expensive) smart home device gets hacked by a stranger? What could they do with it?

It’s easy to see how smart home hacking can be a hot-button topic or even a source of fearmongering for the sake of clicks. That’s led to a lot of “advice” articles and news stories that are neither clear nor honest about the risks of home security hacks and how they happen.

At CNET, we want to equip you with accurate, real-world information you can use to pick the best home security devices and keep your home safe. That also means understanding what smart home hacking really is, where it’s likely to come from and how you can protect your devices. The good news is that your smart home tech is probably safer than you think, but let’s take a deeper look.

How can smart home devices be hacked?

A finger reaches out to touch a lock icon on a blue screen. A finger reaches out to touch a lock icon on a blue screen.

Smart home hacking has several sources, some more common than others.

Oscar Wong/Moment via Getty

Let’s cover a few important points: “Hackers” or to be specific, cybercriminals are (almost never) driving around scanning for vulnerable smart homes using nefarious gadgets. Wi-Fi ranges don’t usually reach far enough for this to work and it takes a lot of time with little result. There are some reports of major companies like casinos being hacked via smart devices, but no one is trying to Ocean’s 11 residential homes.

Likewise, burglars interested in breaking into your house don’t have the software or equipment to try to hack a smart lock first. They simply try to break unguarded windows or check for unlocked doors. So how do smart homes get hacked? Here are potential avenues of attack and how they work (or don’t).

Widespread automated online attacks

These automatic online attacks from around the world that scan test nearly everything hooked up to the internet to see if accounts can be broken into, usually with brute-force password guesses that bombard devices with billions of various login attempts hoping one makes it through. Then the attack infects the device, adding it to a botnet for future cyberattacks or generalized data theft. A human cybercriminal rarely tries to seize control of your device. These mass online attacks are what created the often-cited Which? study about smart homes facing up to 12,000 hacking attempts per week (one succeeded, for an ieGeek camera).

This is an important reason to protect your account with updated passwords, but it doesn’t mean anyone is purposefully targeting your smart home or that device security is weak. Bots are only fishing for whatever basic login vulnerabilities it can find on any available online system or account.

Phishing messages

It’s not as common as other types of phishing, but some phishing emails or texts may pretend to come from your smart home security company. Giving them personal information like account logins or clicking their fake links (to malware designed to take over) may give cybercriminals access to devices they wouldn’t otherwise be able to reach. And even generalized phishing attempts may lead criminals to your Wi-Fi network, through which they may be able to find and control connected home security devices.

Company-based data breaches

In this case, cybercriminals use brute force and similar attacks to target servers and networks where IoT companies keep information about smart home users in databases, including account login details, personal info about location and addresses, and camera footage stored in the cloud. It’s a frequent target because data thieves can seize so much data at once, which is why you see headlines about major data breaches on a painfully frequent basis.

It’s unlikely that the stolen data will lead to smart home device hacking, but it can put your accounts at risk and some cybercriminals may try to use that data however they can, which we’ll get into more below.

Read moreA Record $12.5 Billion Lost to Internet Crime in 2023

Monitoring smart home data communications

As recently as the early 2020s, Internet of Things/smart home devices were found vulnerable to man-in-the-middle type attacks where criminals could spy on the data packets that smart devices were sending back to the internet. Smart devices send all kinds of data about their current settings and receive data back in return. With the right malware, a cybercriminal can monitor this data and try to change or block it, even if they can’t gain control in other ways.

In practice, this simply doesn’t happen. Criminals aren’t in a position to do this to a smart home. Even if they were, today’s smart home tech uses encryption practices and advanced protocols like Thread that make it useless. It’s an example of how scary-sounding vulnerabilities don’t actually make it into the real world.

Bluetooth malware

This type of malware, like the BlueBorne attacks, enters through a poorly secured internet connection and use Bluetooth capabilities to hack other devices, including phones and smart speakers. When these vulnerabilities became infamous in the late 2010s, companies quickly updated their security and Bluetooth encryption practices. We don’t currently see many Bluetooth-based vulnerabilities (although some briefly crop up), and like man-in-the-middle attacks, they don’t lead to smart home problems.

Who’s trying to hack your smart home?

A women looks a lock alert on her phone while at a gray table with a laptop and latte. A women looks a lock alert on her phone while at a gray table with a laptop and latte.

Smart home hackers aren’t always random people: They can be security employees and often someone you know personally.

Oscar Wong/Moment via Getty

If burglars use the physical kind of brute force and black hat hackers are usually busy elsewhere, who exactly is trying to hack smart homes these days? Let’s narrow it down to common culprits.

  • A relation or acquaintance: Lots of troublesome smart home “hacking” comes from relations, exes, estranged roommates and others that already know the smart device logins or otherwise had access. They use that previous access to spy or cause trouble on purpose. That’s a sign to update all login passwords and possibly file a police report.
  • An untrustworthy company employee: Many home security data breaches come right from the company itself, usually in the form of an employee who’s snooping through camera feeds like this ADT technician. As with interference from past acquaintances, little real hacking is required and the objective is usually more malicious or pervy than monetary.
  • Data thieves looking to sell: These thieves are trying to scoop up as much personal data as possible, anything from addresses to login info, so they can sell those lists in the shadier parts of the internet. This data can be passed along to others who may try to use this data for select hacking attempts or resell it. This is why it’s important to update your passwords when you’re notified of a security breach.
  • Potential blackmailers: The story goes that persistent cybercriminals attempt to seize control of smart home cameras and then threaten to do something unless you pay them. They may try to lock you out of your security system or claim they have compromising video of you. This is something of an urban myth: In most cases, people spam lies about a hack and hope someone will fall for it.
  • Foreign governments: Government-backed entities aren’t interested in spying on you personally, but they may want to collect as much information about other nations and their citizens’ behavior as possible. That can sometimes lead to hacking attempts or security backdoors: Fortunately, the FCC currently keeps a list of companies that are prohibited from selling security devices in the US because of this risk (other countries have similar lists), including Huawei, Dahua and ZTE. Check these lists before buying foreign home tech products.

A password page on the iPhone A password page on the iPhone

iOS 17 has a new feature that allows you to create a group to safely share passwords and passkeys with across their devices.

Nelson Aguilar/CNET

How do you protect against potential home security hacks?

As you can see, while highly targeted attacks aren’t a concern, smart homes are subject to broader hacking attempts. Fortunately, the vast majority of these attacks fail quickly when they encounter basic security practices. You can adopt several great habits to help your home security right now:

  1. Strong passwords: Long, complicated passwords for your smart device app accounts and especially your Wi-Fi router are your best move against botnets and online attackers. That doesn’t have to be a headache these days, especially if you enlist a good password manager that can generate a strong password and save it for you for quick access.
  2. Two-factor authentication (TFA) when possible: Always enable TFA if it’s available on a device. We’re seeing more and more brands, like Ring and Blink, automatically use TFA to secure accounts during setup, which is a great step in the right direction.
  3. Trusted brands with high-value encryption: Stick to trusted brands that use end-to-end encryption and similar measures to protect their devices and your data. Review security and privacy policies before making a final choice about a home security product. Arlo, for example, has healthy signs like penetration testing, third-party research, membership in the Connectivity Standards Alliance and details on their encryption practices.
  4. Local storage: If you’re worried about wide-scale data theft, look for security devices that allow you to keep data off the cloud and company servers, including Lorex, Eufy and TP-Link Tapo cameras. On that note, consider keeping security cameras away from more private areas like your bedroom.
  5. Updated smart devices: Keep your apps and firmware consistently updated to patch any problems. If you have a smart device that’s several years old or older, it may be time to consider replacing it with a new model that’s compatible with the latest protocols like Matter and Thread.
  6. Security news vigilance: Pay attention to your smart home security brands and if they face any security breaches, vulnerabilities or data theft. Stick with high-quality products from companies with a good track record. We’ll keep you updated at CNET Home Security if we find any serious problems with brand security and if we recommend companies that have run into problems, like Wyze’s repeated security errors giving strangers a view into other homes.


link

Leave a Reply

Your email address will not be published. Required fields are marked *