Two elements combined to make this article happen. The first was that October was Cybersecurity Awareness Month. Second, smack-dab in the middle of the month, the first trailer for the new Scream movie dropped. It contained a scene that had us a little concerned. See if you can spot it.
Obviously, we’re talking about the smart locks scene. All your locks in your home unlock, so you whip out your smartphone and re-lock them, only to see them all unlock again. The implication here is that Mr. Scary Killer person has hacked into their victim’s smart home account and can control all the devices throughout the home. Yikes.
As someone who doesn’t carry keys to his house because of all the smart locks, I was getting a little nervous. So I decided to talk to someone about it. I reached out to John Shier, senior security adviser at Sophos Home to talk about it. He gave me some good news and some bad news. I’ll start with the bad news.
Yes, this is possible. The good news is, it’s rather hard to do and the better news is, the chances of this happening to you are infinitesimal unless of course you also have someone who really wants to do you harm. But the honest truth is, there’s a good chance that enough of your data is out there that could make something like this possible.
LOLwut?
There are two things that combine to make this possible: Social engineering and data breaches. Separately, either of these can get an attacker enough information to hack your smart home. Together, it becomes even more possible. But you have to understand, when we say this is possible, we have to quickly caveat it by saying that it’s not very likely.
If you accept the idea of the movie that there’s a lot of planning and premeditation there, then this becomes a lot easier, which is to say it’s more plausible. The fact is, data breaches happen frequently and people often re-use email addresses and passwords for multiple services. Your password exposed from XYZ company (we’re not data-breach shaming here) could well be the same username and password that you use for your smart locks. Even if the password is different, the email address is a key piece of information toward other ways to hack your way in.
Before you ask, no, we’re not turning this into a “hack your way into your friends and family’s homes” tutorial. But suffice it to say that any information about you that has been exposed by one of these data breaches gets a potential wrong-doer a little bit closer to ultimately gaining access to your accounts. That can happen via social engineering or by using data exposed in breaches. Neither of which is trivial. “I think when we talk about IoT security at large, those are probably some of the biggest risks when it comes to having the devices fall out of your control,” Shier explained.
Social engineering relies on trickery which honestly may or may not work. If one decided to go this route, they have to be in a position where they can fool a user into giving up credentials. It was at this point in my conversation with Shier that I learned some surprising ways that one can easily set up a phishing site for that purpose. Again, this is not a tutorial, so I won’t repeat that here, but suffice it to say, sometimes the Internet just sucks.
The other route would involve sifting through millions of sets of credentials and finding a target, which depending on the breach may not be identifiable by name. A target might have the name John Doe, but their email address could be [email protected] and there may be no way to associate those two very incredibly disparate pieces of information.
Sites like haveIbeenpwned.com can let you know if your email address has been a part of a data breach anywhere, but they also have the reverse effect. An attacker could gain the email address of a potential victim and use that site to see what data breaches they have been part of. From there, you can go download the data from the breaches and try the usernames and passwords. That is to say, nothing of an attacker gaining access to a potential victim’s email address and just sending password resets.
“You’re more likely to be monetized than stalked. [Criminals] are more likely to want to get your banking credentials and your personal information [for] identity fraud than for mucking around with your lights and your door locks,” Shier said.
The point of all this is, it’s very possible, and the data is out there to do it, but the likelihood of it happening to a random person by a different random hacker is remote. There’s a lot of work that has to go into breaking into someone’s credentials for their smart home. But it’s far more likely that whatever data is lost during a data breach is going to be used for monetization, whether that’s selling the data or using the data for identity theft.
It’s incredibly unlikely that the end result of a hacker breaking into a company is going to be a scene from a horror movie. But I suppose I have to concede that it’s not zero. I should also mention that identity fraud is itself a scene from a much more nerdy horror movie, but it’s also pretty terrible if it happens to you.
Stay ahead of the game
That being said, there are things you can do to help protect your data and keep your smart home secure. Shier speaks of identity hygiene such as using different email addresses and passwords from every site out there. If your data gets out, the damage will be minimal. Using one of the best password managers is a great idea as is enabling two-factor authentication where possible.
Another thing that Shier points out was to be sure that any default accounts or passwords that might have shipped with your smart home device are removed or changed. Some devices ship with a default “admin/admin” as a username and password, and sometimes users will create their own account without removing the default. Similarly, they’ll create a new password of their own without having removed the built-in password. Hackers can easily find out what those default passwords are and attempt some hackery with that information.
Stick with name brands. Off-brand and/or smaller companies have a tendency to come and go, and may not consider implementing software updates as critical as some of the more known and trustworthy brands. If you have a device that hasn’t been updated in a while, consider reaching out to customer support and find out what’s up with that. Software development is an ongoing process.
Speaking of which, make sure to keep your smart home devices up to date. It’s not a bad idea to check for software updates periodically. Security vulnerabilities can crop up from time to time and more often than not they’re squashed quickly. But that only helps if you actually download and install the update.
So the good news is unless you have made someone really, really mad, you can continue to leave your house keys at home. Let’s be honest, if you’ve made them that mad, a regular deadbolt probably wouldn’t be much help anyway. But that’s not to say you can completely let your guard down. Be sure to regularly check for updates with your smart home technology, use password managers and 2FA, and most importantly, never, ever say, “I’ll be right back.”