The UK has banned these default passwords and mandated basic security levels for connected products. And it’s backing these laws up with massive fines of up to £10 million ($13.3 million) or four percent of global revenue. According to the UK government, most people assume these devices are secure. But the opposite is true, with smart-device-equipped homes enduring over 12,000 attacks per week.

“It’s almost mind-boggling how smart home devices have reverted to the late 90s or early 00s in terms of information security. So many devices make use of default credentials or insecure means of storing [WiFi passwords],” Jacob Ansari, chief information security officer of security and privacy compliance assessor at Schellman, told Lifewire via email. “Many of these devices get minimal support in terms of patches or security fixes, and often roll off the factory line with insecure configurations or default settings that are widely used by attackers.”
Security Hole
It’s easy to forget how many devices we have connected to our home networks. There are smart lights, door locks, security cameras, thermostats, and other home automation devices. But we also hook up our TVs, speakers, printers, and more. Many of these devices also offer an internet connection so you can log in to your security camera to check up on your home while you’re away, for example. Or a printer might open a connection to check for software updates.

The problem is that these devices are accessible to anyone on the internet. Worse, they ship with default passwords like ‘1111’ or ‘password,’ making it simple for automated scans to find your devices and log in. The creepy part of this is that people can then look into your home via your cameras. The attacker is also inside your home network and can try to gain access to your computers, phones, and tablets.

“When thinking about security for smart home devices, think about two categories of attack: compromising the devices to get access to your home network and compromising the devices to misuse them specifically,” says Ansari. “Attackers looking to monetize their attack against home users probably want to deploy ransomware or payment card capture malware on your computing devices with browsers and just use your smart devices as the means of access.”
Protect Yourself
While the UK’s new laws are welcome, they don’t apply to anything that’s already in your home—at least not yet. And while compliance with UK laws may cause vendors to just fix their insecure products for everyone, that’s still way in the future. So, how can you protect yourself and your friends and family right now? The first option is to not use smart home gadgets. That’s easy if you don’t care for automatic lights that are unreliable anyway. But it’s more challenging if you use a smart TV or other media device.

“With so many tech toys around us, it is difficult to educate our friends and family on how to stay safe,” the security writer known only as the Password Professor told Lifewire via email. “Offering help is important. Some smart gadgets are not easy to configure, even when it comes to changing the default password.”

But what kind of help? Step one is to change those default passwords. Usually, the manual that came with the device will tell you how. If not, it’s easy to Google for it. And once you’ve changed them, put the new, secure passwords into your password manager app, or write them down and put them in a safe place—and not in view of a security camera.

Then, if you can, create a separate network, just for your smart devices. “In many cases, you can defend against these sorts of attacks by placing your smart devices on a separate wireless network from your PCs, mobile devices, and tablet,” says Ansari.

The most crucial step is to be aware of the problem. Assume all devices are insecure and treat them as such. New laws are great, but nothing beats taking care of business yourself.