Trick or t(h)reat? Haunted House study reveals IoT risks at home

haunted

Sophos has launched ‘Project Haunted House’, a continuous attack analysis and assessment of smart homes over the period of several weeks. With the aim of raising awareness of responsible IoT device use, a virtual smart home, simulated for this purpose and including original control and network infrastructures, has been set up and will be used as a potential target for attack and left exposed on the Internet.

The final results of the research project will be published in November 2017, however, first interim numbers from the project have revealed more than 70,000 access attempts from 24,089 individual IPS to our virtual house. Therefore, a clear tendency is already evident: The Haunted House is definitely no Halloween one-timer but a valid danger for private smart homes – if not handled correctly.

To bolster these numbers and make a classification in the largest context possible, the project also includes active internet scans for smart home devices via search engines like Shodan or Censys. A scan beginning in October resulted in more than 68,365 open web-interfaces from well established smart home components globally, and 1,914 from the UK, which are primarily used in private households – such as wireless window contacts, smoke detectors, automatic door opening/locking systems, and camera systems.

All these devices were easily accessible without a password via the internet. The visualisation via heat maps is showing that the IoT technology is concentrated in cities and urban centres like London, Manchester and Birmingham while fading out into rural areas.

“The sheer numbers emphasise the importance of being cautious while building your smart home. Otherwise there is a growing chance that it won’t just be trick or treaters at your door this Halloween, but real life cyber gangsters that are looking for you money and data,” says James Burchell, security specialist.

Tips for a secure smart home:

  1. Keep your home networks exclusive – Don’t share it with others.
  2. Don’t connect IoT devices with your home network if it isn’t necessary – Your TV for example mustn’t be connected to WLAN if you are mainly watching TV via cable or antenna.
  3. Create a separate network for IoT devices – If your Wi-Fi router is able to create various networks (segmentation), you should implement a special network for IoT devices and thus interrupting access to your regular network
  4. Create various sealed off networks on different WLANs – It is even better to create various sealed off network areas for Home Office, entertainment electronics, building and security technique or the guest network – each with different WLANs. This can be enabled by a Firewall which is only allowing the communication that is necessary to use the components but not the infiltration of an infection from one IoT device to the other. You can install the Sophos UTM Home Edition Firewall for free on your PC.
  5. Use secure VPN technology – You shouldn’t use an insecure port forwarding on your router to get remote access to your IoT devices from the internet. Use a secure VPN on your smartphone or Mac/PC instead.
  6. Keep your software up to date – Install up to date AV software on all PCs, Macs and Android Smartphones. Free tools like Sophos Home orSophos Mobile Security are available at the Sophos website.
  7. Secure everything with the latest firmware – Not just PC, laptop and smartphones – but every IoT device needs to run with the most up to date firmware to be as secure as possible. This might be time consuming but is definitely worth the effort regarding security and privacy.
  8. Google is your friend – You might want to Google search potential security gaps of the IoT device you are going to use. This gives you a quick but good overview if the product of your choice is already a focus of hackers or even been hacked.

Tags: