Smart Home Under Attack

POSTED BY Steffen Sorrell
There’s been a lot of press lately concerning the security of the Internet, much of which directly impacts the security of the ‘smart’ devices we connect inside our homes. Reports of a botnet involving at least one connected fridge were revealed in January, while earlier in April the widely used OpenSSL software library was shown to have a critical vulnerability allowing servers and applications using OpenSSL to leak memory contents. So, how best to protect the Smart Home from Black-Hats?

The principal ingress point for most broadband-connected homes is the residential gateway; today’s common ISP-supplied equipment combines within it a modem and router, along with powerful processors to manage other tasks such as QoS (Quality of Service). As our new report observes, an ever more pressing issue is that these devices are an attractive target for attackers: equipment is shipped with a default username and password enabled, and the hardware includes proprietary firmware elements that are no longer supported by the manufacturer, or are difficult to patch. While the emphasis in securing Internet-connected PCs has been on keeping the OS (Operating System) up to date and installing antivirus software, the home gateway has been sadly neglected.

I recently signed up to a new broadband supplier, and soon discovered that the default username and password to the gateway have been published by the ISP on the public Internet, with little encouragement to change the credentials to something a little more private. This is phenomenally bad practice.

Most consumers see the home router as a plug-and-forget device; measures must be put in place to reduce the attack surface that hackers are currently presented with. As it stands at the moment, the home gateway is prime fodder, and as such can be exploited to capture any data flowing across the network and perhaps even send a few unwanted messages to that fridge.