Smart Home Cyber Security
According to Avast, Smart Homes can be hacked through password-protected Message Queuing Telemetry Transport (MQTT) servers, with MQTT being a messaging protocol dedicated to the Internet of Things and allowing systems to be connected. between them.
MQTT servers misconfigured — 49,000 of them are publicly visible globally due to poor protocol configuration. 32,000 of which are not password protected — can be hacked in many ways. In France, nearly 900 servers, not protected by passwords, would be concerned. This MQTT protocol is used to interconnect and control home connected devices, via hubs — physical devices that centralize and connect smart objects. “When it is implemented, individuals configure a server, usually located on a PC, or a mini-computer such as Raspberry Pi, on which devices connect and communicate,” he explains. Although the MQTT protocol itself is secure, serious protection issues may arise if it is not properly implemented and configured. Cybercriminals could indeed have full access to a home and know when homeowners, or occupants, are present, manipulate appliances for entertainment and housekeeping, as well as voice assistants; and see if smart doors and windows are open or closed. Sometimes hackers can even track a user, which can pose a serious threat to privacy and security, “he warns.
Martin Hron, a security researcher at Avast, explains the possibilities of exploiting poorly configured servers.
1. Cybercriminals first spot open and unprotected MQTT servers using the Shodan IoT search engine. Once connected, they are able to read the messages that have been transmitted with the MQTT protocol and can know if the windows and doors are open or if the lights are on or off, for example. In this particular case, Avast found that third parties could control the connected devices, or at least compromise the data by exploiting the MQTT protocol instead of the smart objects. Thus, an attacker would be able to send messages to the hub to open the door of a garage.
2. Even though an MQTT server is protected, Avast observed that the dashboard, used to control its control panel, sometimes runs on the same IP address as the MQTT server. Many individuals use default configurations, provided with the hub software, and are often not password protected. Which means that a hacker can access the entire dashboard and take control of any smart device in the house with ease.
3. Individuals can use tools and applications to create a smart home dashboard, based on MQTT, to control their connected devices, including the MQTT Dash app. Users have the option to publish the settings and configure using the dashboard to the MQTT server. Thus, it is very simple to reproduce these parameters on all the desired devices. Only if the server used is not secure, a cybercriminal can access the dashboard and hack your home.
4. Avast has also observed that MQTT servers can, in some cases, allow hackers to track the location of users because they typically focus on real-time data. Many are connected to a mobile application called OwnTracks. The latter gives individuals the opportunity to share their position with other people. It can also be used to enable connected devices to activate automatically, such as lamps, when the owners or occupants of the smart home come close. To do this, they must configure the application by connecting to an MQTT server and expose it to the Internet. During this process, users are not required to configure login information, which means anyone can connect to the server, including cybercriminals. They are then able to access a certain amount of information, such as the battery level of a device, location using latitude, longitude, and elevation points, as well as dates and hours of travel.
How to prevent cyber-attacks in Smart Homes
1. Have strong passwords
You must change passwords periodically. In this way, you avoid inconveniences and unnecessary risks. Each important account must have a separate password. In addition, these passwords must be a combination of numbers, letters, and special characters.
2. Two Factor Authentication
In the same way, you should activate security options, such as the authentication of two factors. This tool allows you to add a layer of greater security at the time of logging into your accounts. With this service in addition to the password, the user must enter other data to verify their identity.
3. Make a backup
It is necessary that your data is protected to prevent cyber-attacks by supporting your files daily. This is useful in case of loss of file. You can use an external hard drive or create a backup within the system itself.
4. Protect equipment with strong tools and keep them constantly updated
An appropriate antivirus should be chosen taking into account, in particular, each operating system and equipment. These programs must be updated periodically. Keeping up with necessary updates is vital to defend against a cyber-attack.
5. Hire specialized Smart Home professionals
Hire a set of professionals to install and check, periodically, the state of your devices. United Smart Tech can walk you through the setup and ways to update each device, if necessary. Our technicians will be able to determine the level of vulnerability before it is exploited.
6. Avoid visiting suspicious pages
Not all pages on the web are safe, so it is necessary to avoid visits to unknown sites in large companies. Sometimes, invitations to email or social networks arrive, accepting them could represent a risk. It is important to have a reliable firewall to prevent viruses and unauthorized persons from accessing your devices and information.
7. Do not allow outsiders to use your equipment
Do not give strangers access to your devices or passwords. For example, by customizing your home assistant you can prevent any persons in your home to ask for personal information or give them access to it.
8. Check the origin of the emails
A very common way to perform a cyber-attack on a Smart Home is to request information via email. Many times, the receiver does not take precautions and responds to unknown emails thinking it is coming from the manufacturer, rather than a cyber intruder. Providing a response can cause accidental verification that the email is active and provide a window for hackers to gain access to your email and connected devices or accounts.