How Worried Should You Be About Smart Home Security?


[♪INTRO]

One Friday in October 2016, a big chunk of the Internet went missing. The internet company Dyn, which routes traffic to Twitter, Netflix, and thousands of other sites, had been paralyzed by bogus requests from hundreds of thousands of computers, all infected with a malicious software called Mirai. But these weren’t any old computers. Many were webcams, smart light bulbs, fitness trackers, and other everyday devices that connect to the internet.

Collectively, they’re known as the Internet of Things, or IoT. As these gadgets gain new abilities, like how a wi-fi enabled doorbell might be able to unlock your front door, they also offer fresh opportunities to cybercriminals. So just how worried should you be about that smart toaster? And what can we do to make our stuff safer?

Internet of Things gadgets are vulnerable to the same takeovers as regular computers. But their access to the physical world can make the consequences much bigger. For instance, if your livestreaming dog monitor is hacked, your private data can be exposed — things like pictures of your family or the layout of your house. Or someone could make your kid’s wi-fi enabled talking teddy bear say anything. That’s pretty creepy, but it gets even scarier when you replace the teddy bear with a home security system, a car, or a pacemaker.

The damage isn’t limited to the thing that’s been hacked, either. A lot of these devices, and sometimes even your laptop, assume that they can trust other machines connected to your home wi-fi network. So if your smart water bottle is compromised, the hacker might be able to send commands to the smart lock on your door, too.

Now, there are also serious risks beyond individual owners. The most common thing that hackers do with their machine victims is weaponize them into botnets—armies of enslaved drones. Then, criminals can hide their nefarious activities behind the normal internet traffic of thousands of machines. For example, in 2014, a massive botnet that included TVs, routers, and at least one smart refrigerator, was caught sending millions of spam emails. And if a botnet like Mirai suddenly floods a company like Dyn with traffic, it can take down web services in a distributed denial-of-service attack. It’s like if your telephone was forced into a pool of a thousand auto-dialers constantly calling a pharmacy: real calls can’t get through, and there are so many involuntary fake calls that the company can’t block them all.

Now, these issues aren’t unique to the Internet of Things. But IoT devices are extra vulnerable. Manufacturers bring them to market as quickly and cheaply as possible. All too often, the place they cut corners—you guessed it—security. Many companies grab off-the-shelf software and don’t customize it for each device. For instance, smart light bulbs don’t need printing software, but manufacturers might not bother to delete it from the stock operating system. So if the chunk of code that accepts files for printing mistakenly allows a hacker to inject their own program, you’re in trouble.

And these things rarely update automatically; nobody wants to flip the light switch and hear, “Please wait until your lights finish updating.” So even if a security bug is fixed, those app-controlled bulbs may never hear about it.

Plus, any operating system is only as secure as the password you need to log in and make changes. And manufacturers of IoT devices often set passwords to dumb, predictable defaults like “admin1234”… and who changes the password on their smart egg tray, anyways?

To make matters worse, the hardware might have too little memory and processing power to run standard defenses like firewalls, which try to block unwelcome intrusions from the internet. And how would you even know that your smart weight-loss fork is infected with a virus when its only way of communicating is buzzing?

Finally, the sheer scale of the Internet of Things intensifies the problem. Mirai grew way bigger than most botnets simply because there were so many vulnerable IoT devices.

So…this can all sound pretty terrifying. But the truth is that for now, the main threat to an average user is garden-variety data theft. Most of the fancier attacks are too difficult and their payoffs are too low for crooks to bother. After all, if your enemies are so committed that they’ll track down your glucose monitor and hack it, you probably have other things to worry about beyond IoT security. But it may not be long before a hacker can lock your smart thermostat at its max while you’re on vacation, running up your energy bill until you pay a ransom.

If manufacturers don’t start baking security into the design of their products, experts worry that we’re heading for a trainwreck. They suggest a couple of solutions, including being selective with what data to record, and encrypting whatever data is sent around. They also recommend that manufacturers set a unique default password for each device and only accept commands from someone who’s logged in. Automatically monitoring for suspicious activity would help, too.

There are also a few steps you can take to protect yourself from your devices: You can manually check the manufacturer’s website for updates and change any passwords that the software allows you to. Don’t put webcams anywhere you wouldn’t broadcast. Isolate smart devices on separate wi-fi networks from your computers and phones. You can do that with a second router, or on some routers you can just set up a second untrusted “guest network.” And, y’know, consider whether you really need that hairbrush to connect to the internet.

Ultimately, though, it’s going to take pressure from all of us. Manufacturers need to hear that we don’t just want cool features, but guarantees that they’ll keep us safe.

Thanks for watching this episode of SciShow, which is produced by Complexly, a group of people who believe the more we understand about the world we live in, the better we get at being humans. If you want to learn more about this stuff, check out the Crash Course computer science series at youtube.com/crashcourse.

[♪OUTRO]
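
The manufacturer-side recommendations in the video (a unique default password for each device, and commands accepted only from someone who is logged in) can be sketched as follows. This is an added example, not code from SciShow or from any vendor; the function names, the lockout threshold and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch
MAX_FAILURES = 5         # hypothetical: attempts allowed before the device refuses logins


def _hash(password, salt):
    # Slow, salted hash so a dumped device record does not reveal the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision_device(serial):
    """Assumed factory step: every unit gets its own random default password.

    The password goes on the unit's label; the device keeps only the hash,
    so no two devices share a default like "admin1234".
    """
    password = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    device = {"serial": serial, "salt": salt, "pw_hash": _hash(password, salt),
              "sessions": set(), "failures": 0}
    return device, password


def login(device, password):
    """Return a session token on success, None on a wrong password or lockout."""
    if device["failures"] >= MAX_FAILURES:
        return None  # stays locked; a physical reset is out of scope here
    if not hmac.compare_digest(_hash(password, device["salt"]), device["pw_hash"]):
        device["failures"] += 1
        return None
    device["failures"] = 0
    token = secrets.token_hex(16)
    device["sessions"].add(token)
    return token


def handle_command(device, token, command):
    """Run a command only for a caller holding a live session on this device."""
    if token is None or token not in device["sessions"]:
        return "denied"
    return f"ok: {command}"
```
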

71 Replies to “How Worried Should You Be About Smart Home Security?”

  1. I love how each time she mentions a new smart device she makes it more and more absurd lol. “Smart weight loss fork”

  2. So what happens when the manufacturer stops updating? Does nobody remember the WannaCry attacks? Windows 7 was only 8 years old and no longer being updated at the time despite having as good functionality as Windows 10. Most "dumb" appliances last far longer than that. Their argument was that we shouldn't be using older generations' tools. So the only way to keep "smart" appliances updated is to constantly be buying new ones. What a waste.

  3. This is why we should limit these kinds of technologies. Not everything has to be automated nor connected to the Internet, naturally things such as plates or couches don't have to be connected to the Internet; it's impractical. So many things would rely on the Internet or electricity to properly function, along with the possible risks of security being compromised said in the video.

  4. Simple back network with IDS/IPS solves this, not that I have ANY IoT devices. I don’t, but I have the back network with etc.

  5. The much better solution here is to have extensible network management. Imagine what we'll call a "dumb" IoT device not capable of updating itself has a protocol defined of which its authentication is found to be insecure. Currently routers are usually some part modem, some part switch, some part router and some part firewall. Then there is also network isolation on the wifi side that might or might not be well integrated with the firewall. Then there is upnp port forwarding that might or might not be well integrated with the firewall and may or may not have any form of authentication. Some routers have hardware based vlans (segmenting of network ports) but many don't.

    Now taking my example I could simply put my IoT device on its very own isolated network that network firewalls everything except the device's specific protocol, rate limits its outbound traffic and then masks or blocks the vulnerabilities in its authentication protocol. Using a form of vlan or VPN or tunnel service it might also be possible to just replace its authentication entirely using a router as an authentication broker. Most of these features are only available on extremely high end hardware and at that are both proprietary and hard to configure. But there's no reason 90% of what I just mentioned couldn't be fully automated. Then the only software that needs updating are your physical fabric (managed switches) and routers. Technically your gateway should already be updated by your ISP but YA KNOW.

  6. This is sooooo creepy. At around 4:30 she talks about hackers setting your thermostat to its max. JUST the other day I came home from work to my thermostat set to its max temp. It was literally 92 degrees inside when I got home.
    My physical thermostat is locked at the screen (and it was still locked when I got home, and no one was home anyways). I only set it from my phone which is rare itself because it's on an auto routine.
    The routine was unchanged (71 daytime and 69 at night when I go to bed). And I hadn't opened the app that day at all.
    I have no explanation and it hasn't happened since.

  7. The total lack of security in IOT devices has been apparent since day one and I won't allow them in the house.
    One of my favourite ones in the UK are the apps that detect how close you are to home and regulate your heating, of course if that gets hacked it lets burglars know how far away from the house all the occupants are!

  8. As the video goes on the examples of "smart" devices get more and more ridiculous and I love it "smart weightloss fork".

  9. I know of a working solution: Don't use IoT devices unless you actually need them. I simply don't understand people who want to connect a light bulb, a fridge, a door lock or anything else that shouldn't even have radio to the internet. Not to mention home security. If you want home security, call a company specialized in home security systems and let them build it for you. It'll work as it should, do only what it's supposed to, gets maintained and updated as needed, trusted people monitor what's happening and act immediately if something suspicious is going on, and the company takes responsibility if anything goes wrong. That's real electronic security. You "setting up" an IoT device that can be hacked by any script kiddie from anywhere in the world is you inviting criminals in.
    Security's not cheap and it never will be for obvious reasons. The more you want to protect, the more you have to pay for it.

  10. This is in part what you get when you don't want to get up off your arse and would rather just trust Siri or Alexa to do all that work for you. Now don't go on a clog comments with a lotta angst against me. Of course I'm not talking about people who do need to have some parts of their households set up like this. In that case I feel angry as…….. But c'on peoples if you still have full use of your body get up off your toosh and turn the light off or turn that toaster on. Get Some Kinda exercise. Cause Siri and Alexa can't miraculously get rid of those love-handles growing on you ☮️🐾

  11. Vendors are the main flaw to IOT security. Most of them have no idea of the basics when it comes to security and the rest just don't care. Hence why we're in such a big lovely mess… Plus some IOT devices come with hard coded passwords and backdoors which cannot be changed.

  12. You should stop the lighting from overhead, cry-tear-shadows from your glasses arms.
    I did like the video though.

  13. I wish the norm was to have a sturdy pc in the house from which you could control everything, so all that internet traffic from IoT devices goes through a more competent and therefore secure device you don't have to worry about as much.

  14. Wish I saw this before forwarding my raspberry pi's ssh port on my home router without changing the password, then got a letter from my ISP telling me to stop hacking American universities

  15. IoT is just an obvious example of the culture of ALL software dev and silicon valley tech. Security is an annoyance or afterthought, and no silicon valley naif ever considers the unintended or malicious possibilities of the tech they make. This problem is deep, and infects literally the entire culture, from the excited new coder who's too focused on his plans to consider the downsides, to the tenured professor rendered speechless by ethics 101 level questions about the potential for abuse of the facial recognition software he's pioneering. It doesn't help that when you confront techbros with the widespread and catastrophic consequences of their blindness, they instantly get defensive and say 'I'm just an engineer'.

    Until tech is willing to admit that they are responsible, and become willing to devote the resources to security and accountability, this problem will only get worse.

    tl;dr – you should be worried enough about smart home security to throw away any smart/IoT device you were unwise enough to have already bought, and not buy another one until silicon valley culture no longer exists.

    Also delete facebook, go thru your phone app permissions and turn 95% of the 'features' off, delete anything you have on the cloud, install multiple layers of script, ad, and tracker blockers in your browser, and for god's sake, stop letting google record every single thing you search and do.

    I recently read a headline about a casino having its sensitive databases hacked through a smart thermostat in a fishtank in the lobby, or some such. What do you think they could do to all of YOUR data, with access to your smart tv, your alexa, your amazon door locks….

  16. The idea of isolating different parts of even the same machine has been posed. There is a mathematical proof that some programs can't be used maliciously, but those are generally useless.

  17. I couldn't figure out whether the title meant "smart" home security or "smart home" security til I watched the video.

  18. Forgot the manufacturer, but there was a car(!) which you could open with an app. To authenticate, you had to send it an ID code. It was plenty long enough, though it was sent unencrypted, so someone nearby could intercept it.
    But here's the best part: If you sent an invalid one, it would send back a message that it was invalid, together with the correct one…

    IoT security is a difficult field, but we have found solutions for a great many things. You CAN make secure IoT devices. I make most of my own IoT devices myself and good luck to you getting in. Most of them can't even connect to the internet and are confined to the local network.
    (That's another thing I really dislike about IoT devices you can pick up at a store – they all connect to 'the cloud'. And if the company producing them goes bankrupt? Well, the cloud disappears and you have a useless device. Congrats.)
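
The flaw described in comment 18, shown next to a challenge-response design that avoids both problems (the code crossing the air in the clear, and the error reply disclosing it). This is an added example, not from the commenter or any car maker; `flawed_unlock`, `Car`, `app_response` and the key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)  # constructed secret, assumed shared when app and car are paired


def flawed_unlock(sent_code, stored_code):
    """Behaviour as the comment describes it: the error reply discloses the secret."""
    if sent_code == stored_code:
        return {"status": "unlocked"}
    return {"status": "invalid", "expected": stored_code}


class Car:
    """Hardened side: the secret never travels, only a proof tied to a fresh nonce."""

    def __init__(self, key):
        self._key = key
        self._pending = set()  # nonces issued and not yet used

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def unlock(self, nonce, tag):
        # A nonce is consumed on first use, so an intercepted reply cannot be replayed.
        if nonce not in self._pending:
            return {"status": "denied"}
        self._pending.discard(nonce)
        expected = hmac.new(self._key, b"unlock" + nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return {"status": "unlocked"}
        return {"status": "denied"}  # identical reply for every failure, no hints


def app_response(key, nonce):
    """Phone side: prove knowledge of the key without transmitting it."""
    return hmac.new(key, b"unlock" + nonce, hashlib.sha256).digest()
```
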

  19. "Internet of Things is short for Internet of Things that shouldn't be on the Internet." —Robert Miles, probably

  20. how badly does the government want to kill you that is the question before getting a house like this

    thank you for this awesomely ha bisky vid and i am against this type of technology like car and houses

    i am lucky i had a sweetheart hacker that loved to hack into my laptop but i had some great passwords he couldn't guess because i can type backwards fast

  21. I'm surprised that no one ever raises the issue of how much control over our lives we are relinquishing to the corporations who manufacture and administer IoT devices. Let the brainwashing begin…

  22. SMART is AGENDA 21. Health problems from wireless. It’s like living with a Tower in your home! Take the crap out for the safety of your health

  23. I have a solution: use appliances and in-home electronics that don't require internet connections. You know. Like, every known device manufactured over the past 100 years.
