David Aronoff

Top 5 IoT vulnerability exploits in the smart home [list]

We all know how important it is to safeguard our data. Data breaches can cost companies millions of dollars in loss and put individuals in a corner. Preventing data loss and keeping hackers at bay is important, but when it means your privacy at home can be affected by smartphone and IoT devices, it can be even more crucial to put safety first.

Here's our list of the top five most exploited vulnerabilities in home IoT devices.

The top exploited IoT vulnerabilities in smart homes

IoT vulnerability #1: Weak passwords

The number one top exploited vulnerability is weak, easily-guessed, or hardcoded and unencrypted passwords. After Mirai, the botnet that affected millions of Linux-running IoT devices, it’s amazing to see hardcoded passwords in IoT-device source code—but they still exist.

Any good security expert will tell you creating a unique, multi-character password is key to locking down your data from cybercriminals.

Here are our tips for creating a solid password:

  • Create a password with a minimum of 16 characters
  • Include two or more symbols (e.g. @#$%)
  • Include two or more numbers (e.g. 123456)
  • Exclude ambiguous characters ( { } [ ] ( ) / \ ' " ` ~ , ; : . < > )
  • Create a substantial password that can be recalled by memory using a mnemonic device
  • Use unique, individual passwords for each account or device

You should always enable 2 factor authentication whenever possible. This will allow a second layer of security to your devices and accounts.

Additionally, consider using a password manager that offers the ability to auto-generate unique passwords for each service and reminds you to change your passwords often. Weak and stale WiFi network passwords can compromise your entire home network, for example, so remembering to change them at least every six months can help to keep everything secure.

IoT vulnerability #2: Open or insecure network services

Open or insecure network services such as ports or guest networks can become a cybercriminal’s “in.” Guest networks allow bad actors to roam the network and scan for other available vulnerabilities, essentially working as a glass window to your network.

Besides guest networks, IoT devices can be susceptible to low-level hacking. When IoT vendors take open-source or reference-designed firmware without configuring or modifying basic templates, they often leave things such as Telnet, an application protocol that can be used to find open ports, and other services open for compromise as well. Making sure to check for these or get in contact with a security professional and closing off anything that doesn’t need to be left open can only help to guard your devices from these types of attacks.

It’s also important to find vulnerabilities in your network by checking to see if you already have compromised IoT devices. It’s very likely that your network might already have malware floating around, so using an app such as Minim can allow you to detect and mitigate problem devices with an appropriate response.

IoT vulnerability #3: Outdated IoT devices

IoT device owners often ignore emails or prompts warning them about security issues on devices that leave device software in compromised, out-of-date or even legacy versions. This is especially critical for gateway routers, which are often the focus of attacks.

The Krack (Key Reinstallation Attack) attacks against encrypted WiFi networks allowed hackers to gain usernames, passwords, credit card details, emails, and more. Without firmware updates, thousands of routers would still be at risk to this day. And router companies are often pushing monthly fixes out to protect home networks--so make sure to utilize these fixes and stay up to date with the latest protections.

IoT vulnerability #4: Off-brand IoT devices

The term "you get what you pay for" often rings true when it comes to IoT devices. Substandard “knock-off” or imitation IoT devices can leave your network compromised, collect data to relay back to its manufacturer, and become compromised much more easily than brand-name devices that have much stronger InfoSec teams behind their development.

Our advice? Save up to purchase the name-brand devices. They often come with extended warranties and excellent customer service and are far less prone to compromise when it comes to malware. Although the off-brand devices are cheaper, there’s a reason: it might be that they’re selling your data to make up for the price difference.

on brand IoT device example - Amazon smart speaker

Amazon smart speakers are a good example of branded devices that receive regular firmware updates.

IoT vulnerability #5: Poor physical security

One of the most overlooked aspects of security, the physical security of your IoT devices is just as important as keeping the software updated and locked down with a great password. Sometimes it’s hard to secure all of the IoT devices in a home because of their function (e.g. access points placed strategically for better signals, or the cable modem near the television). However, many devices that have WiFi or Ethernet capabilities are left open and available to become open doors for hackers.

WiFi-enabled home appliances such as washers, refrigerators, and TVs should be configured to be disabled when not in use so as not to leave a door open. And not only should IoT devices be placed throughout the home in strategically safe spots, but your home should remain locked to keep out intruders from walking inside to see what devices you own.

Like this blog?

Subscribe to our newsletter.