Check Point IoT Blog Series: ‘Home, Smart Home’ – But How Secure Is It?

The smart home is often idealized as a domestic paradise — with a kitchen and fridge that can order groceries for you, robot vacuum cleaners, lights and heating you can control from your phone, and web-enabled entertainment in every room. Beneath the surface of this always-on, seamlessly connected image, however, lie significant concerns about privacy and cybersecurity.

These concerns were dramatized in the Season 2 premiere of the cyber-drama ‘Mr. Robot’, which showed a character’s smart home getting hacked: the TV and stereo are switched on and off randomly; the water temperature in the shower goes from boiling to freezing, and the air conditioning is switched to Arctic temperatures, forcing the character to leave. So was this scenario a case of art imitating life? Just how close to reality was it?

Too close to comfort, in fact. Back in 2013, reporters at Forbes described how they were able to get remote control of a smart home, enabling them to manipulate lights and water services. University of Michigan researchers revealed flaws in Samsung’s SmartThings platform that let them set off smoke alarms and unlock doors. Check Point’s research team found vulnerabilities in a streaming TV device that would allow hackers to access it, and then get control of any other home network the device was connected to.

And just recently, Check Point discovered a vulnerability in the LG Smart ThinQ platform that may have allowed hackers to gain control over various home appliances ranging from ovens & refrigerators to a home bot cleaner. See for yourself.

Security First, Not an Afterthought

In many cases, smart home devices and platforms are designed primarily for easy connectivity and convenience, with security coming as an afterthought.

Generally speaking, many of the devices usually have limited processor and memory capacity, which makes securing them difficult. And once a vulnerability gets discovered, any patch that gets issued will probably not be pushed automatically to the device… leaving it open for exploitation.

But even when the device has security features built in, it’s often the user’s responsibility to implement said features. Whether that involves setting up data encryption, changing the passwords, or downloading the latest firmware version, it’s well-established that most users don’t take cyber hygiene seriously enough: a recent survey found that more than 50% of companies using smart devices do not change the default password after purchasing.

One of the newest challenges is  the adoption of ‘digital butler’ devices which can answer questions, help with managing users’ personal diaries and tasks, and control other smart devices in their homes. As the ‘brain’ that controls the smart home, storing important details about their owners, including appointments and financial data, they also become an attractive target for cyber criminals.

These digital butlers, and many other types of IoT devices, have microphones that are always on, listening for the users’ voices. What happens if criminals figure out how to tap in and eavesdrop on what users are doing in their homes? If there’s one thing that we’ve learned in over 20 years in the cyber security sector, it’s this: whenever a new computing device is launched, someone, somewhere, will figure out how to hack into it.

So when it comes to cyber security, the outlook for the smart home is fairly bleak.

Outsmarting your smart homes

The good news is that there are practical measures that you can (and should) take to better secure the smart devices and networks in your home against hacking and digital intrusion attempts.

Here are our five tips:

  1. Secure your wireless network
  • Make sure that your wireless network is protected by Wi-Fi protected access II (WPA2) and that you use a strong, complex password.
  • Give the network a unique name. Don’t make it obvious with your first or last name, or don’t use your phone number as your username or password either – that could be very easy to figure out and hack into.
  • Restrict the devices that can access your network, and never make it public.
  1. Create two separate Wi-Fi networks
  • Use one network for computers, tablets and smartphones which should be used for secure online banking and shopping. The second network should be used for smart devices. Separating these two will better protect your data.
  1. Keep your passwords strong
  • Make sure that the first thing you do when buying a smart home device is to immediately change the default password that it’s supplied with.
  • Change each password to be much more complex, and ensure it’s different than other passwords you’ve used.
  • Changing the username of devices is also recommended.
  1. Use a firewall to secure your home network
  • A firewall allows you to control and restrict incoming connections.
  • Smart devices include details about ports, network protocols and the IP address. Enabling a personal firewall will block unwanted traffic to specific ports, keeping you safer.
  1. Implement Firmware & Software updates
  • Check the manufacturer’s website if there is any firmware or software updates available. If so, apply them. Having an up-to-date software or firmware version will reduce the likelihood of an attack which is based on an old exploit.

The post Check Point IoT Blog Series: ‘Home, Smart Home’ – But How Secure Is It? appeared first on Check Point Blog.



from Check Point Blog http://ift.tt/2hqMntc

Comments

Post a Comment

Popular posts from this blog

AR18-312A: JexBoss – JBoss Verify and EXploitation Tool

Image
Original release date: November 08, 2018 Summary JBoss Verify and EXploitation tool (JexBoss) is an open-source tool used by cybersecurity hunt teams (sometimes referred to as “red teams”) and auditors to conduct authorized security assessments. Threat actors use this tool maliciously to test and exploit vulnerabilities in JBoss Application Server (JBoss AS)—now WildFly—and a variety of Java applications and platforms. JexBoss automates all the phases of a cyberattack, making it a powerful and easy-to-use weapon in a threat actor’s cyber arsenal. This report provides a detailed analysis of JexBoss’ functionality, along with detection, response, prevention, and mitigation recommendations. Description JexBoss JexBoss is a tool used to test and exploit vulnerabilities in Java applications and platforms, including the JBoss AS/WildFly web server framework. JexBoss is written in the Python programming language using standard Python libraries. JexBoss is run from the command-line inter
Keep reading

SB18-141: Vulnerability Summary for the Week of May 14, 2018

Original release date: May 21, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium severity
Keep reading

SB18-029: Vulnerability Summary for the Week of January 22, 2018

Original release date: January 29, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium sever
Keep reading

Learn Python Programming – 7 Courses Video Training Bundle

Image
It's no secret that learning how to code is one of the most important things you can do when it comes to the beginning or furthering practically any career in programming and technology. The only problem a beginner often faces is that there are seemingly countless programming languages to choose from, which makes it exceedingly difficult for aspiring or even seasoned programmers to know which from The Hacker News http://bit.ly/2Ug9eJ8
Keep reading

SB18-043: Vulnerability Summary for the Week of February 5, 2018

Original release date: February 12, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium seve
Keep reading

SB18-057: Vulnerability Summary for the Week of February 19, 2018

Original release date: February 26, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium seve
Keep reading

SB18-008: Vulnerability Summary for the Week of January 1, 2018

Original release date: January 08, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium sever
Keep reading

Vulnerability Summary for the Week of October 19, 2020

Original release date: October 26, 2020 The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD . In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.   High Vulnerabilities Primary Vendor -- Product Description Published CVSS Score Source & Patch Info acronis -- cyber_backup Acronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. Acronis Cyber Backup and Cyber Protect contain a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges. 2020-10-21 7.2 CVE-2020-10138 MIS
Keep reading

Vulnerability Summary for the Week of March 2, 2020

Original release date: March 9, 2020 The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD . In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.   High Vulnerabilities Primary Vendor -- Product Description Published CVSS Score Source & Patch Info apple -- multiple_products   A denial of service issue was addressed with improved input validation. 2020-02-28 7.8 CVE-2019-8741 MISC MISC MISC MISC MISC MISC MISC centreon -- centreon   An issue was discovered in Centreon before 2.8.30, 18.10.8, 19.04.5, and 19.10.2. SQL Injection exists via the include/monitoring/status/Hosts/xml/hostXML.php instance parameter. 2020-03-05 7.5 CVE-2019-17647 CONFIRM CONFIRM CONFIRM MISC CONFIRM CONFIRM centreon -- centreon   Centreon 19.10 allows remote authenticated users to ex
Keep reading

SB18-071: Vulnerability Summary for the Week of March 5, 2018

Original release date: March 12, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium severit
Keep reading