We’ve heard over and over again that the Internet of Things and the connection of devices pose security risks. While having your thermostat, lights, televisions, security cameras etc. hooked up to your smartphone may seem like the ultimate convenience, it can also pose serious risks to your privacy and safety.

A new report from the University of Edinburgh warns that devices managed remotely need better consumer protections against a variety of security risks. Researchers have suggested that manufacturers of smart devices should take steps to protect their users from design flaws, app weaknesses, and phishing schemes.

Edinburgh researchers presented the suggestions at the 2019 IEEE International Conference on Pervasive Computing and Communications in Kyoto, Japan in March.

Their research showed multiple flaws in the design of home systems that not only allow hackers to steal passwords and other private data, but also to interfere with the operation of smart devices. While a hacker turning on your lights in the middle of the night might not seem like a life or death situation, turning machines on at random times, overheating them, or spying through cameras can lead to both physical and emotional damage to victims.

When assessing the security of the popular Belkin WeMo, the researchers found that it contained design vulnerabilities that allowed hackers to access its controls over home WiFi networks.

The researchers were also able to use the app to connect a fake device to a smart home ecosystem, making it appear like a legitimate smart appliance in a person’s home. While a fake device might not seem like much of a threat, it poses a risk for phishing schemes in which users who log in and explore the fake device, or allow it access to WiFi, can inadvertently give hackers access to their passwords and account details.

While the Belkin WeMo isn’t the only smart home device with security issues, the company does have a history of security failures. In 2014, Carnegie Mellon’s CERT Coordination Center found multiple vulnerabilities in the system, prompting warnings to unplug the devices when Belkin did not respond promptly (they have subsequently responded and patched those issues).

In 2016 HOTforSecurity, a blog run by security firm Bitdefender, announced another WeMo vulnerability when it found enough plain-text (non-encrypted) data to allow savvy hackers to reverse engineer device protections. The company brushed it off, saying that devices were only vulnerable during initial set-up and that many other devices had the same vulnerabilities.

McAfee researchers reached out to Belkin in 2018 after discovering more security vulnerabilities that allowed hackers to turn devices on and off and overload switches. The most recent Belkin security advisory was issued shortly after, but merely stated that “Wemo is aware of this vulnerability from Doug McKee AKA ‘fulmetalpackets’ and researchers at the McAfee Labs Advanced Threat Research. We have been working together to address the exploit and plan to release firmware in the coming month.”

The smart home market is forecasted to be worth over $40 billion by 2020, according to Statista, but other sources estimate double or triple the value. In the end, that valuation might depend on just how safe smart home companies can keep us.

According to Pete Staples, President and Co-Founder of Blue Clover Devices, in a post on Quora:

“While rapidly developing legislature is working to protect users, the regulatory system just can’t keep up with the tech industry’s rate of innovation. Ultimately, it’s up to users to decide how much they want to risk in this melee.”

So while the privacy news is bad (for now), the good news is you get to choose: convenience or security?


Jessica Baron, PhD

I am a technology writer and tech ethics consultant whose work has appeared in international news and trade outlets. I have a PhD in History and Philosophy of Science and write about everything from future military weapons to advances in medicine.
