In an alarming experiment, the BBC had seven hackers, all penetration testers, test the security of a “smart house” full of “smart” devices connected to the Internet of Things: a net-connected oven, a Blu-ray DVD player, a wireless electrical outlet plug, a baby monitor, an Internet-viewable webcam and Sonos speakers, to name but a few. The result – a security disaster waiting to happen, a “haunted house of hacking horrors.”
They were able to crack the security on every device. “With most of them, if you can connect to it you can own it,” said James Lyne, head of security research at Sophos.
Liam Hagan, a researcher from security firm Nettitude, said he was “shocked” at the poor job baby monitors and wi-fi cameras did of protecting the pictures and sounds they were gathering. “One of the big issues is that one wi-fi video camera makes itself available to the internet regardless of your firewall,” he said. “Anyone who knows your IP address would be greeted with the login screen for the camera.”
The vulnerabilities in the device emerge from the very basic web server software it uses to post images online. That insecure software is currently being used by more than five million gadgets that are also already online.
More worryingly, he said, one wi-fi camera he tested had what is known as a “cross site scripting” vulnerability that lets an attacker inject their own code on to the device. This, said Mr Hagan, could be used to turn the video camera into a sniffer that could look for what else was on the network and let an attacker “pivot” to other more interesting systems such as PCs, smartphones and tablets.
After scanning for and finding a wireless baby monitor, they installed a commercial app and could then remotely listen in on the house. “We can take control of the Blu-ray player, make the television turn on, flash lights, and play spooky music through the house.” Thanks to security issues in the way a person signs up for a BMW i3 app, they could even steal the car.
Gaining control of these devices was likely to annoy people more than anything else, said Mr Ingram, but other work by the company had exposed a more worrying aspect.
“The one that people really get concerned about is the microphone on a smart TV,” he said. “We were able to bug a living room through it. That’s when the internet of things starts to spook people out, when your stuff does more than you think it does or ever wanted it to.”
The “ridiculously easy” way in which many smart gadgets could be subverted was likely to make them candidates for attack in the near future.