IoT Security: How to prevent your smart thermostat from joining a botnet

Although for many of us IoT presents an exciting new horizon to explore, this relatively new tech sector also opens up a great opportunity for hackers to wield their axe of destruction. While most computers and mobile devices now come with at least basic protocols and addons aimed at protecting us from exploits, billions of new IoT devices come into our lives without even basic means of protection.

Nevertheless, having an IoT gadget hacked can be just as detrimental as having a computer hacked. Today we’ll be looking at the most likely ways for hackers to try to gain access and how to prevent bad things from happening.

From the perspective of cyber attacks, a smart thermostat or a talking washing machine is no different than a computer. Any vulnerable device connected to your home or corporate network can serve as an entry point for a hacker.

Home Burglary Assistance

Although the latest generation of burglars have tried using their victims’ social media activities to work out their daily routine, you can’t say this was a scalable tactic. Home automation, however, has potentially made this scalable enough to attract interest from various shady individuals.

The concept at the core of the majority of home automation devices – starting with smart lightbulbs and ending with thermostats – is to work out their owner’s routine so that they can provide comfort and gratification according to when their humans arrive from work knackered, expecting the soothingly green LEDs to be exactly on 55% power and their living room heated to no more and no less than 72 degrees Fahrenheit.

So, technically, a hacked smart thermostat can send information about your arrivals and departures to its new “owner” who can in turn then collate this data to work out when is the best time to burgle the property.

Involuntarily Taking Part in Attacks

Modern day IoT security threats can be divided into two groups – inbound, when hackers target you specifically to cause you damage, and outbound, when they don’t care much about the gains they could make from you.

In the outbound case your smart devices can become members of a zombie botnet, and we’re talking huge botnets of potentially billions of zombie soldiers. In most cases such botnets are used to carry out Distributed Denial of Service (DDoS) attacks, or alternatively as computing power to break passwords or to mask the real location of the hackers.

Recently, it’s been difficult for hackers to scale their botnets because computers and mobile devices are getting protected by antivirus software and firewalls. The IoT sector, which lacks a unified and tested set of methods for protection, is a great opportunity for them to build botnets on a previously unimaginable scale.

It’s no longer science fiction – a recent DDoS attack on a hosting company was carried out by hacking more than 140,000 IoT devices. This is a relatively small botnet. Considering the sheer number of home automation devices in use and with many more lined up for production, botnets can bloat to a size we’ve never experienced before.

How Hackers Gain Access to Your Smart Home

The most obvious way is by guessing a password. Do you remember the time when an IP camera came with a preset username/password that usually equalled root/1234? How many people actually bothered to change that password?

The funny thing is that a home security camera (I’m making an emphasis on the word “security”) is still one of the easiest entry points into your home network. Very few cameras come with a login lockdown, meaning that hackers can try as many username/password combinations as they wish. And in most cases, they don’t have to try many before they’re in.
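What a login lockdown buys you is easy to show in numbers. The following is an added example, not code from the article or from any camera vendor: the class, function names and thresholds are assumptions, and the credentials are constructed sample values.

```python
import hmac
import time

class LoginThrottle:
    """Per-account lockout with exponential backoff (hypothetical helper)."""

    def __init__(self, max_failures=5, base_lock=30, max_lock=3600,
                 clock=time.monotonic):
        self.max_failures, self.base_lock, self.max_lock = max_failures, base_lock, max_lock
        self.clock = clock
        self._state = {}  # username -> [failures, locked_until, lockouts]

    def allowed(self, username):
        st = self._state.get(username)
        return st is None or self.clock() >= st[1]

    def record(self, username, success):
        if success:
            self._state.pop(username, None)  # a good login clears the history
            return
        st = self._state.setdefault(username, [0, 0.0, 0])
        st[0] += 1
        if st[0] >= self.max_failures:
            # Each lockout doubles: 30 s, 60 s, 120 s ... capped at max_lock.
            st[1] = self.clock() + min(self.base_lock * 2 ** st[2], self.max_lock)
            st[0], st[2] = 0, st[2] + 1

def attempt(throttle, stored, username, password):
    """Return 'locked', 'ok' or 'denied' for one login attempt."""
    if not throttle.allowed(username):
        return "locked"  # refused before the password is even checked
    # Sample only: a real device would compare salted password hashes.
    ok = hmac.compare_digest(stored.get(username, ""), password)
    throttle.record(username, ok)
    return "ok" if ok else "denied"

def guesses_checked(seconds=3600, **kwargs):
    """Constructed scenario: one wrong guess per second against 'admin'."""
    now = [0]  # fake clock so the run is instant and repeatable
    throttle = LoginThrottle(clock=lambda: now[0], **kwargs)
    stored = {"admin": "constructed-long-passphrase"}  # constructed sample
    checked = 0
    for t in range(seconds):
        now[0] = t
        if attempt(throttle, stored, "admin", f"guess-{t}") == "denied":
            checked += 1
    return checked
```

Keying the counter on the account means guesses spread across many source addresses still count; the trade-off is that anyone can lock the owner out for a while, which is why each lock expires by itself.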

Other simple routes into your automated home can be a badly set-up wireless router or a stolen mobile phone. All three aforementioned issues can be easily fixed by applying strong passwords. For example, if an Android phone is stolen and it doesn’t have a password-enabled key lock, the thief will gain access to all the apps that are used to manage the various smart devices around your home. That’s all they need.

There are more intricate ways of gaining access, though. TrapX, a rather famous security research company, released an interesting piece of research showing how a smart home was hacked through a rooted Nest thermostat.

To pull this off, a hacker needs to have physical access to your Nest, so you wouldn’t be able to replicate this scenario with a shop-bought Nest device. However, if it was bought second-hand on eBay or from other shady sources, the device could have been “jailbroken” by installing software on its operating system or even the processor’s firmware.

The same goes for IoT devices bought from anywhere else apart from official sources. For example, if you buy an IoT kit or even a smart robot kit for your child off an unfamiliar website located thousands of miles across the ocean, you may receive a Trojan Horse with a vulnerability on-board.

How to Make IoT Devices More Secure

If you’re already running smart devices that can receive and transmit data, it’s time for you to scan your system for vulnerabilities. As with almost everything else these days, there is software for that too. You can try this one offered by Bullguard or if you’re concerned about your corporate IoT security, try RioT.

Although the IoT security industry is still very new, there are a few physical solutions for securing your automated home – two that spring to mind are Securifi Almond and Bitdefender – both of which are pieces of hardware that add an extra security layer to all your home devices. If you prefer a more virtual approach and don’t mind a bit of home DIY, try Home Assistant which will let you monitor your smart devices closely.
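Monitoring for the outbound case described earlier, where a device is recruited into a botnet, comes down to comparing each device's traffic with what it normally does. The sketch below is an added example, not part of the original article or of any product named above; the flow-record format, device names and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed flow records: "minute device dst_ip dst_port packets".
SAMPLE_FLOWS = """\
0 thermostat 203.0.113.10 443 40
1 thermostat 203.0.113.10 443 38
2 camera 203.0.113.20 443 900
30 thermostat 203.0.113.10 443 41
60 camera 203.0.113.20 443 880
61 thermostat 198.51.100.7 80 52000
61 thermostat 198.51.100.7 80 51000
62 thermostat 198.51.100.7 80 53000
62 thermostat 203.0.113.10 443 40
63 camera 203.0.113.20 443 910
"""

def parse(text):
    for line in text.splitlines():
        minute, device, dst, port, pkts = line.split()
        yield int(minute), device, f"{dst}:{port}", int(pkts)

def find_anomalies(text, baseline_minutes=60, rate_factor=10):
    """Learn per-device behaviour for baseline_minutes, then flag deviations."""
    flows = list(parse(text))
    known = defaultdict(set)       # device -> destinations seen while learning
    per_minute = defaultdict(int)  # (device, minute) -> packets sent
    for minute, device, dest, pkts in flows:
        per_minute[(device, minute)] += pkts
        if minute < baseline_minutes:
            known[device].add(dest)
    peak = defaultdict(int)        # device -> busiest minute while learning
    for (device, minute), pkts in per_minute.items():
        if minute < baseline_minutes:
            peak[device] = max(peak[device], pkts)
    alerts = set()
    for minute, device, dest, pkts in flows:
        # A thermostat that suddenly talks to an unfamiliar host is suspect.
        if minute >= baseline_minutes and dest not in known[device]:
            alerts.add((device, "new destination", dest))
    for (device, minute), pkts in per_minute.items():
        # So is one sending far more packets than it ever did before.
        if minute >= baseline_minutes and pkts > rate_factor * max(peak[device], 1):
            alerts.add((device, "packet rate", f"minute {minute}: {pkts}"))
    return sorted(alerts)
```

On the constructed records the camera stays quiet and the thermostat is flagged three times: once for the unfamiliar destination and once for each minute of flood-level traffic.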

Some of the main security holes could be patched up by manufacturers committing to using internal data encryption. The reason why so many IoT devices come without data encryption on-board is that it impacts retail price to a point where it narrows the target audience too much.

If you were to encrypt data exchanged between a motion sensor and a smart thermostat, we’re instantly talking about more powerful processors, larger sizes and, of course, a knock-on effect on the retail price.

The industry needs to step up and develop a viable strategy for IoT security. Some of the manufacturers are clearly reluctant to do so as it would mean they’d have to hike the prices or take a cut in profits. While there is a shortage of professional security solutions, it’s up to the homeowners or business owners to make sure hooking up the next shiny smart device to their network doesn’t open a vulnerability.

About the author

— Lloyd Greenfield

Lloyd is the founder and CEO of Glow Green Ltd, a digital-first heating installation company based in England. You can follow developments in home automation and the modern heating industry on his blog or by joining him on Twitter.
