‘Smart homes’ could experience more than 12,000 cyber-attacks in a single week, according to a new investigation by Which?
The consumer group partnered with NCC Group and the Global Cyber Alliance (GCA) to conduct the experiment, in which a home was filled with numerous IoT devices, including TVs, thermostats and smart security systems. They then analyzed the number of attempted hacks that took place over several weeks.
Which? revealed a “breathtaking” number of hacks and unknown scanning attacks targeting these devices, rising to 12,807 unique scans/hacks during a single week in June. In this week, the most common method used was attempting to log in to the devices through weak default usernames and passwords, such as ‘admin.’ There was a total of 2435 specific attempts to maliciously log in to devices in this way, equating to 14 per hour.
Encouragingly, most of the devices withstood the attacks, although a wireless camera sold on Amazon was hacked, which allowed a malicious actor to spy on the home. The device, the ieGeek security camera, has since been removed from sale on Amazon’s website following the study.
Surprisingly, an Epson printer was the most frequently targeted device in the house, but attacks failed as it had “reasonably strong default passwords in place.” According to the researchers, having unique default passwords also protected a Yale security system and a Samsung smart TV from attacks.
The analysis found that the hacking attempts took place from a range of locations across the world, with the vast majority originating from the USA, India, China and the Netherlands.
Which? commented: “While it was shocking to see how many hacking attempts were detected in our smart home, it was reassuring to see how many of them failed. But it’s important to shop carefully for any devices that can be connected to the internet, so you don’t put yourself at risk.”
The findings have come amid mounting concerns about the security of IoT devices, which are becoming increasingly prevalent in homes throughout the world.
In response to this, new security obligations have been imposed upon smart device manufacturers in many countries, including the UK. These include banning weak default passwords.
Commenting on the Which? investigation, Fennel Aurora, security advisor at F-Secure, said: “Unfortunately, these ‘spray and pray’ attacks continue to be used because they are effective. For decades, and still today, we have seen the tried-and-true approach of sending a few million spam emails or scanning the whole internet for old and badly configured Windows machines – which remains extraordinarily profitable for attackers. As technology advances, the same approach is adapted to new targets, so for many years now we see the same technique of scanning for misconfigured cloud resources and vulnerable IoT devices, like in this instance.”