Meet the Good Guys Trying to Hack Your Smart Home
You noticed the car earlier but didn’t think much of it. It rolled slowly up the street before circling back through the neighborhood, driven by what looked like teenagers. They were probably just looking for a friend’s house, you thought—but then the lights in your hallway go out, your TV won’t turn on, and your security alarm starts to blare. Beneath the din, you can hear your neighbor’s alarm now ringing, and the house across the street joins in, too.
In the age of smart homes, this could be the future of pranking, warns Rob Ragan, senior security associate at Bishop Fox. A total stranger can now, rather than just ringing the doorbell and running, jam your security alarm, turn off your interior lights, and even permanently disable the electronic systems in your house, all without crossing the property line. Ragan emphasized that home security no longer starts at the curb; it now extends deep into the cloud, as the devices and systems in your home can be accessed from anywhere in the world.
In fact, drive-by teens looking for lulz are, in some ways, the least of your concerns. The connected home, with its smart appliances and Internet of Things (IoT) functionality, has become a target-rich environment, vulnerable to anyone with a signal-jamming device or radio manipulator. Anything you currently access via Wi-Fi, Bluetooth, radio frequency identification (RFID), or near field communication (NFC) is exposed, whether it’s your snazzy new digital door lock, your Apple keyboard, or your wireless nanny cam. Indeed, as security researchers, such as Kashmir Hill, have shown, hackers can easily bypass the weak security measures on typical home baby monitors and not only watch and listen to your children but even talk to them while you’re not in the room.
To counter these and other threats, a rapidly growing private-security market, dedicated to protecting smart-home consumers from exactly these sorts of attacks, has emerged. Synack is one such company; CEO Jay Kaplan’s background as an NSA security analyst is just one indication of how serious some of these threats can be (and how lucrative the field is set to become). Colby Moore, one of Synack’s lead security research engineers, explains that "a lot of these devices are being made by people without security backgrounds, or they’re simply being pushed out the door so quickly that they don’t have a well-established security audit in place." Not only are such devices ripe for attack, they are also, in many ways, totally unstudied. Indeed, Moore adds, "With a lot of the newest products on the market, you just don’t know what you’re getting."
In early 2015, Moore and his team at Synack released a white paper detailing a slew of eye-popping security vulnerabilities that they had found in networked home devices, ranging from thermostats and surveillance cameras to smoke detectors. Moore cautioned that the range of potential targets has continued to expand and that the possibility for exploitation now extends even to our wearable devices. Smartwatches equipped with cameras and microphones—not to mention, easily trackable by GPS—can be used, for example, to spy on a homeowner’s daily routine and to check if they are home before executing a burglary.
For Jay Kaplan, however, the story is much bigger than just the future of home burglary; he sees smart appliances as the newest front in corporate spying. After all, if your CEO owns a vulnerable, easily hacked wireless nanny cam, then industrial espionage has found a whole new, deeply troubling arena. Literally billions of dollars could be at stake, due to just one unprotected conversation. Now substitute "diplomat," "senator," or "military leader" for "CEO," and you can see how Kaplan’s background at the NSA inspired this concern about home security. Are you sure you know who’s listening?