Thousands of Smart Homes and Businesses Worldwide Could Be Wide Open to Hackers: Avast Report
If you think you are safe and sound in your futuristic smart home, think again. According to a research done by cybersecurity company Avast, 32,000 smart homes and businesses are at risk of leaking data. In a threat research paper, ‘Are smart homes vulnerable to hacking?’, Avast expert Martin Hron explains that because of technical weaknesses in something called the Message Queuing Telemetry Transport (MQTT) protocol, smart devices might be giving away the means of getting into our homes.
The MQTT protocol is used to interconnect and control smart home devices such as smart boxes, light bulbs, shades, thermostats, voice assistants, and smart machines. To implement it, users set up a server, which usually resides in a PC or a mini computer, which in turn connects with devices. The research says while the MQTT protocol itself is secure, if misconfigured, it can pose serious security threats.
Avast, found more than 49,000 MQTT servers publicly visible on the internet due to a misconfigured MQTT protocol, including over 32,000 servers with no password protection.
“If the MQTT protocol is not properly configured, cybercriminals can gain complete access to a home and for example, learn when their owners are at home, manipulate entertainment systems, voice assistants, household devices, and physically open smart doors,” the report says.
The research points out that the reasons for such security lapses lies in the fact that the devices are built using technology protocols that date back to the 1980s and a lack of focus on security when setting up IoT devices.
“It is frighteningly easy to gain access and control of a person’s smart home, because there are still many poorly secured protocols dating back to bygone technology eras when security was not a top concern,” said Hron. “Consumers need to be aware of the security concerns of connecting devices that control intimate parts of their home to services they don’t fully understand and the importance of properly configuring their devices.”
While the affected countries pointed out by Hron are China, US, Germany, Republic of Korea, and Hong Kong, India could have 595 homes facing the same threat.
According to the report, once IoT systems are hacked, perpetrators can read messages transmitted using the MQTT protocol, which means they can read the status of smart window and door sensors, see when lights are switched on and off, control connected devices, or even poison data using the MQTT protocol on behalf of devices. The report quoted a creepy example of an attacker sending messages to a smart hub to open the garage door.
Calling the convenience of IoT devices and smart home hubs connected to the internet a “double-edged sword”, Avast says that to secure users’ entire smart home ecosystem, manufacturers have to create IoT devices that are simple to set up but with higher levels of security.