Jean-Baptiste Bres

Chief Information Security Officer

💡 Your Home under Cyber Attack

As Cyber Awareness Month is coming to an end and Halloween is almost upon us, I thought it would be a great time to share a few real cyber-horror stories, and how to protect yourself from them.

With an average of 22 connected devices per household, and over 440 million smart devices in use in 2022, our homes are becoming more and more connected in a number of different ways.

Connected lightbulbs, thermostats, security cameras and doorbells are the new normal in everyone’s life. Toys connect to the internet, cars come embedded with technology. Even dishwashers and coffee machines are now “smart” devices that you can control remotely, whenever and wherever you are. What we call the “Internet of Things” (IoT) is a booming market, with global spending on such products expected to reach $1.1 trillion next year.

Unfortunately, as with all things on the internet, if it is of value to you, it is very often of value to someone else. Hackers are already exploiting this new goldmine. In the first six months of 2021, 1.5 billion IoT cyberattacks were reported, and more than 25% of all cyberattacks now involve smart objects. As such, more and more stories emerge of people having their privacy invaded or their lives threatened because of their connected devices.

Horror Stories

Young kids are often scared by a lot of things. Monsters under their beds. Witches in their wardrobes. For a little 3-year-old boy in New York City, it was the voice in the baby monitor. After he complained to his parents that he was afraid of the man talking over the monitor at night, they noticed a creepy message being delivered through the baby monitor: “Wake up little boy, daddy’s looking for you”.
Such stories are now so frequent that they hardly make the news anymore. Back in 2016, studies showed that 8 in 10 baby monitors had serious security flaws, and unfortunately things have not improved much since then.

Kids' toys in general do not play well with the Internet. In 2017, CloudPets maker Spiral Toys acknowledged that the data behind the toys' online capabilities was stored insecurely and accessible from the Internet. This included personal information related to 800,000 users, and 2.2 million voice recordings that kids had made using the toys.
Some hackers allegedly accessed the data and ransomed some of the parents whose kids' information and voice recordings were breached.

Another creepy privacy-invasion story came to light earlier this year. A Texan man was arrested and pleaded guilty to accessing the video feeds of over 200 home cameras. He connected to them 9,600 times over 4.5 years. The man admitted to screening video feeds for women he found attractive, then watching them at home, undressing or having sex.

Winter in Finland can be quite cold. The average temperature in the city of Lappeenranta in November is below freezing point. Definitely not a time you want your heater to stop working.
So imagine the surprise of the inhabitants of two of the city's housing blocks when they realised their heating system had been turned down following a cyber attack. Following the attack, the system managing these apartments rebooted repeatedly and eventually shut down for more than a week. Fortunately there was no serious harm done in that instance, but it must have been quite a cold week for the people living there.

You might also remember that story from back in 2013: two security researchers demonstrated how they could, quite easily, hack into a car. The journalist driving the Ford Escape they attacked experienced some unpleasant surprises, from the car horn blasting out of control, to the brakes being disabled and the car stopping in the middle of a highway while driving at top speed.
While car manufacturers are now taking car hacking much more seriously, it is only a matter of time before what was then a simple demonstration becomes a real attack.

More recently, it was revealed that, by exploiting a vulnerability in some Ikea smart bulbs, hackers could turn on lights to their maximum brightness or make them flicker annoyingly for hours. No way for the poor victim to stop the attack, other than completely unplugging the lightbulb.
Smart lightbulbs are unfortunately known for their frequent security flaws. Back in 2019, it was found that a number of them were simply storing WiFi passwords unencrypted, making them an easy entry point for anyone to hack into the home network.

In a less scary, funnier story, Burger King hijacked people's home digital assistants in one of its ads. When the ad called out “O.K. Google, what is a Whopper?”, the devices started to display information about the famous burger. In your next Zoom meeting, just try to drop a “Hi Alexa, turn off the lights” or “Hey Siri, can you rap?” and see the faces of your correspondents. Priceless.

How to protect yourself?

Sadly, these stories are not isolated events. Implementing good security practices at home has become a necessity. Here are a few steps to consider to ensure some level of protection with your IoT devices.
  • Always change the default passwords. Most devices come with a default password that can easily be found on the Internet. So the first thing to do when adding a new device to your network is to replace its default password with a strong, robust one. Also, do not use the same password for all your devices. Consider a password manager to help you remember them all.
  • Never publish device serial numbers on social media sites or product forums. And avoid mentioning the make, model and version number of a device. While it is cool for all your friends to know which latest gadget you acquired, it is less fun to have it hacked simply because someone aware of a security flaw in it found out you have one at home.
  • Keep your devices up to date. Install patches and update firmware. Some devices do it automatically; for others, you sadly have to do it manually. Still, do it frequently. Also check vendor sites regularly for security alerts and known vulnerabilities.
  • Turn off functionalities you do not need. For example, with digital assistants, turn off voice input and use the voice remote instead. This will turn off wake words that could trigger malevolent skills. Use the press-and-hold talk button instead.
  • Connect smart devices to the Internet only if you have a good reason. I mean, do you need to be able to start your coffee machine remotely?
  • Turn on the firewall on your home internet router. Most of them have the option, but very often, it is turned off by default.
  • Do your due diligence. Check the reviews before buying a product. What security capabilities does the product offer? Has the manufacturer been involved in breaches in the past? Do they provide security updates?
  • Always remember, cheap and no-brand devices are rarely secure. Saving a few dollars on a security camera is not worth it if your video feed ends up all over the Internet.

This article is not legal or regulatory advice. You should seek independent advice on your legal and regulatory obligations. The views and opinions expressed in this article are solely those of the author. These views and opinions do not necessarily represent those of HSBC or its staff.