IoT Security Vulnerabilities: Quick fixes and realistic discussion about smart home security

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Your car can explode with you inside. Should you be concerned?

👍︎︎ 8 👤︎︎ u/wookinpanub1 📅︎︎ Mar 13 2019 🗫︎ replies

I would have to argue the point that a (smart home) does not have to be connected to the internet. Therefore not hackable. Now yes IoT items must be online, and if you want remote access the that opens avenues of attack. I should work on 100% offline smart home for giggles.

👍︎︎ 2 👤︎︎ u/jaws35smith 📅︎︎ Mar 14 2019 🗫︎ replies

Captions

your smart home can be hacked and today on the hookup we're gonna figure out whether or not you should care it seems like every week I read about a new vulnerability in the so-called Internet of Things and the articles are usually written as if there's an eminent threat towards me and my family in this video we're gonna realistically consider the implications of the security vulnerabilities within the Internet of Things and decide whether or not you should remove all smart devices from your home our reaction to hearing that our smart homes can be hacked is often an understandable knee-jerk reaction where we consider the safety of both our families and our belongings you may have a mental image of someone pulling up to your house with their laptop and using a Wi-Fi D author to knock your cameras offline and then hacking your smart door lock using a replay attack to easily gain entry to your house and while this situation is certainly possible unless you're hiding government secrets in your house I think it's actually a pretty unlikely outcome a much easier way to gain access to a home without being identified is to put on a hood or a ski mask and then break a window with a hammer not only is it faster but you also don't need those pesky highly marketable computer science skills so if a hacker isn't going to break in and steal your TV or your prescription medicine why do they want to gain access to your network this was honestly a question that I had no real answer to so I contacted a former student of mine named Charlton whose active in the hacking community and a member of the University of Central Florida's hacking team i sat down with Charlton back in December for an interview and it was a fun an eye-opening experience I posted that interview in its entirety if you're interested in watching it but I'll cover the Cliff's Notes version in this video the link to the full interview is down in the description the answer to why someone would want to hack your network is expectedly that there isn't one single reason but the most common motivations for someone you don't know hacking into your network remotely are for mining cryptocurrency installing botnets for DDoS attacks and then good old fashioned havoc for the purpose of causing half under very rare circumstances you can become a victim of some sort of organized crime ring we're users of a very specific product like maybe a camera system are targeted because the criminals would have access to a feed that tells them your location what valuables you might have in your house and whether or not your home but those situations are probably few and far between so what devices on your network make you the most vulnerable in a recent report from the popular antivirus and security company Avast they determined that roughly 40% of connected homes are vulnerable to remote hacks and the most vulnerable devices listed on the report routers and Printers not exactly what you think about when someone says smart home so before we start talking about the security of your switches lights locks and hubs here are a few things that you can do right now to drastically increase the security of your home network and decrease the likelihood that you'll be hacked first and foremost you need to update the firmware on your router your router is the first line of defense preventing outside traffic from accessing your home network many popular router firmwares have known exploits that can be used by anybody with the ability to download a pre-written script and follow step-by-step instructions these exploits are usually quickly patched by the manufacturer but those patches require you to download and update the firmware on your router manually something that the majority of router owners have never done second when you log into your router to update the firmware if you use the password like administrator and password or root and pass your entire network is basically open to anyone that wants to access it this is the equivalent of locking your front door and then leaving the key under the doormat all someone has to do is check whether or not it's there and then the rest of your security measures become totally useless and the same is true for the rest of your passwords as well most of the hacking stories that we hear about in mainstream news are actually just people using compromised or insecure passwords if you aren't already it's time to start using a password manager to keep track of your passwords so you can use unique secure passwords for every site and device that you need to log into this video isn't sponsored by LastPass but it's a quality service and one that I can recommend even if you're not going to start using a password manager please make sure you never use or leave access to the default login and password on any of the devices that are connected to your network third while you're in your router you should also disable the option for UPnP UPnP you is a well-intentioned feature that allows a device on your network to request to have a port open for it this is really nice because something like your Xbox can ask your router to open port 30 74 to allow Xbox Live to function properly and all that happens automatically so you don't need to deal with port forwarding settings in your router unfortunately the UPnP service has been compromised and remains vulnerable in certain cases a hacker can remotely impersonate a local device and ask your router to open up a port using UPnP once that specific port is open a hacker can use different exploits that specifically target services on that port to increase their access to your network after disabling UPnP it's also a good idea to check out which ports have been forwarded in the past and keep in mind that you want to have as few forwarded ports as possible specifically if you see any of these ports forwarded and you don't know what they're for you should probably disable that forwarding rule if you've done everything I just mentioned your network is likely pretty secure and you're not going to be an easy target for a script Kitty hacker or a bot crawling the net looking for IP addresses with exploitable open ports it's the equivalent of locking your doors while you're away from home and not leaving your valuables in the front yard basically it keeps honest people honest and it directs the attention of opportunistic criminals elsewhere but make no mistake if a skilled hacker is motivated to penetrate your specific network there's almost nothing you can do to stop them and that's nothing new when it comes to home security we can install locks and alarms on our doors put bars in our windows and monitor our property with cameras but if someone really wants to gain access it's still not that hard bars can be cut with bolt cutters and angle grinders dead bolts are only as strong as the doorframe that they're attached to and cameras can pretty easily be disconnected or destroyed what's important for you is for you to evaluate your threat model and figure out what makes sense for you and you or situation a drug dealer in a rough neighborhood is more likely to be robbed than a middle-class family in a gated community and as such that drug dealer should probably be more security conscious and take more security measures if your home network contains sensitive and valuable data you should probably consider keeping that information on a different VLAN than your Internet of Things devices like your Smart TV your refrigerator and your lightbulbs on the other hand let's say you're like a high school teacher with nothing but family photos and YouTube footage on your network in that case even the worst case scenario of a full network breach while still undesirable is really not that big of a deal but you didn't come here to be put at ease so let's talk about all the nefarious things that bad actors with a smart device in your home could theoretically do from their remote servers most obviously if you have a connected device that has a microphone or a camera on it that microphone or camera could be activated remotely to allow a hacker to spy on you and eavesdrop on your conversations my tinfoil hat recommendation about these devices if you must have cameras in your house make sure that they're blocked from accessing the Internet and never expose your network cam reports to the outside world if you need to view the video feed remotely you can use a VPN to access your local network when you're away if you're using analog cameras make sure you also block the DVR from accessing the Internet and never open any of those ports for voice assistance like Amazon echo and Google home you should install as few third-party skills as possible and make sure that your passwords are secure Amazon and Google are still going to collect data about you but they also invest millions of dollars a year to keep their customer data safe and secure in order to avoid bad press so you can feel pretty confident in that so what about your smart bulbs switches and plugs the companies that sell these devices will collect data about your name location the email that you use to register and the use habits of that device and you may not like that they collect this data but that data doesn't really put you at any risk the more concerning thing is that the vast majority of these devices will allow a manufacturer to push firmware updates to those devices without your express consent and these firmware devices are there in order to improve security and functionality the problem comes when you realize that a company could easily push a malicious firmware update to their devices that would give them a tunnel into the rest of your network since you willingly give your IOT devices access to both your home network and the internet hacker or a malicious developer could easily use that device as an entry point into your network and then move through the rest of your network devices my tinfoil recommendation about these devices when it all possible you should try to run your own firmware on your switches lights and plugs if you're not writing your own firmware you should use firmware that is open source so you can look through the source code yourself to see if anything looks fishy if you're not able to write your own code or you don't know enough about coding to know if something is fishy then you should find someone who you trust who is capable of doing those things and hope that they don't let you down if it absolutely isn't possible for you to install your own firmware you should be sure to only buy devices from companies that you trust and if there's an option to control that device locally you should use that option and then block the device from accessing the Internet the point that I want to make in this video is simple smart homes and the Internet of Things can be hacked and putting those devices in your home does come with an increased security risk but the risk associated with these devices is less like bungee jumping in a third-world country and more like installing windows on the first floor of your house there's no question that installing windows decreases the physical security of your home but the quality of life increased from being able to see outside is well worth the added risk of a possible break-in in that same regard smart devices add convenience functionality and fun to our lives and may be worth the slightly increased risk of network penetration if you agree with the things I've said in this video hit the thumbs up button and let me know down in the comments if you think that what I said was terrible wrong and dangerous go ahead and hit dislike and let me know your perspective down in the comment section thank you to my wonderful patrons over at patreon for allowing me to make videos like this one that don't feature any specific products but instead let me dive into other interesting and relevant topics in the smart home community if you enjoyed this video please consider subscribing and as always thanks for watching the hook-up

Info

Channel: The Hook Up

Views: 81,581

Rating: 4.9415474 out of 5

Keywords: home assistant, hassio, home automation, hass.io, smart home, diy, electronics, arduino, esp8266, nodemcu, wemos d1, automation, hack, hacking, iot, security, cyber, virus, hacked, smart, vulnerability, vulnerabilites, router, firmware, update

Id: SHtjFSKBCn0

Channel Id: undefined

Length: 11min 14sec (674 seconds)

Published: Wed Mar 13 2019