Smart homes can experience up to 12,000 attacks in a week

As feared, a new report from Which? shows that a modern smart home can experience as many as 12,000 cyberattacks in any given week. What challenges does the integration of IoT devices present, what did the Which? report show, and does this show that IoT devices are more harmful than good?

What challenges does IoT integration present?

As technology advances, the cost of older technology falls, which makes it easier to integrate into everyday devices. For example, the first electric motors would have only been found in large industrial equipment, but as the manufacturing cost fell, they eventually found their way into everyday domestic appliances. The same applies to semiconductors; the first ICs were only ever found in high-end scientific equipment, but now that modern semiconductor technology has come extraordinarily far, even the most basic devices in the home now have semiconductors.

Fast forward to 2022, and internet connectivity has also followed this trend thanks to the falling cost of semiconductors and the introduction of technologies such as System-on-Chips (SoCs). But while this has allowed any device to become internet-enabled, it has also introduced an enormous number of security vulnerabilities to those who own and operate IoT devices.

The reason for this originates from the first IoT devices, whereby engineers felt that the low number of devices and their simplicity made them benign (and thus uninteresting to hackers). While this may have been the case for the first IoT devices, the nature of data being gathered by devices, along with their increased numbers and lack of security measures, has made the IoT industry a prime target by hackers.

IoT devices are ideal for hackers to target for numerous reasons, including easy access to an internal network, spying, data theft, and ransomware. For example, an insecure IoT device can be remotely accessed to obtain network credentials (e.g., username and password), which can then be used on another device to gain access to a network.

To make matters worse, many IoT devices lack the ability to install new firmware updates meaning that vulnerabilities which are discovered can be difficult (if not impossible) to fix. Furthermore, users are rarely made aware of these vulnerabilities, which now sees millions of devices worldwide in active use that are vulnerable to attackers.

Which? report shows test smart home attacked 12,000 times in one week

Recently, Which? released a shocking report demonstrating the dangers common household IoT devices faced that showed 12,000 attacks in a week. In their demonstration, Which? created a fake smart home involving a network and numerous IoT devices, including TVs, thermostats, security systems, kettles, and other popular consumer IoT products. After configuring the setup, the researchers left the system alone for an extended period and monitored all network traffic.

During the testing period, it was observed that the smart home was attacked as many as 14 times per hour, with the attacks originating from Russia, China, India, the Netherlands, and the US. Fortunately, most of the attacks were repelled by the devices, but it was discovered that one smart camera was successfully breached, with the attacker having access to the camera.

Even though the smart home was attacked frequently, it should be understood that many of the attacks may have been performed by automated software. Considering that an attack on an IoT device will likely involve a set of specific instructions, it would be easier for a hacker to run a script that automatically probes individual networks for the presence of devices and open ports and, once found, launch an attack. Additionally, it is also not known if all of the attacks were purely malicious or a mixture of cybercriminals, spyware, and government agencies.

Are IoT devices worth it?

For a fake smart home, 12,000 attacks a week is far too many, even if most of these attacks were repelled. As such, one must wonder if IoT devices are worth having, as any device being successfully attacked could open a network to all kinds of damage. But even if we only enable internet connectivity on the most essential of devices, security risks still persist, which leads us to wonder how we can defend ourselves from such attacks?

All of these attacks are from inbound connections meaning that an attacker has to try and access the local network via the internet. As such, the first port of entry is a home router that bridges the internal network to their ISP. Thus, it is possible for all inbound connections that were not specifically initiated by an internal user to be outright blocked. For example, a browser forming a connection with a website is an outbound connection that eventually receives a response, and this would be allowed, but a random device trying to ping a message towards the router out of nowhere would be outright denied (some ISPs provide this feature by default).

If inbound connections are required (such as remote IoT operation or VPN access), then the next option is to ensure that ports are carefully restricted and routed correctly. For example, if numerous IoT devices exist on an internal network, then it could be prudent to have all of these devices connect to their own private network that routes all traffic to a firewall before having that data made available to the router. As such, an attack that gets into the separated IoT network will not have access to the larger network that connects to computers and laptops.

If the internal network to IoT devices is vulnerable to an attacker, then the firewall sitting between the router and the private IoT network may need to integrate a user system whereby only those with an authorised certificate can send information inside and out of the network. Additionally, the firewall could restrict precisely how data is shared inside the network (this is where device-to-device communication could be outright banned).

Overall, numerous security methods can be deployed to protect the many IoT devices making their way into homes. However, users should carefully ask themselves why they need an IoT device in the first place and if they are confident in their security setup.