(Andrew Nye/For The Washington Post)

Buggy software in off-brand smart home devices is a hacker’s playground

Software in connected devices has little oversight. As more objects come online, that problem will snowball.

Chet Wisniewski walked into a Fry’s Electronics store in Las Vegas and wandered through the aisles, grabbing a handful of smart lightbulbs and other connected devices as he went.

A principal research scientist at the security firm Sophos, Wisniewski wanted to know whether the average off-the-shelf device had major security vulnerabilities. He wasn’t skilled at hacking into physical devices — what insiders call “firmware hacking” — so he figured the project, which he undertook in 2015, would be a fun way to practice, even if he struggled to break in.

A few days later, he had a whole collection of hacked smart devices.

“I didn’t even need to do any firmware hacking. It was easier than that,” he said. “Things I thought would take me a week took, like, an hour.”

That’s because the software Wisniewski found inside was shoddier than he expected, he said. Rather than up-to-date programs with security problems patched up, the devices were filled with bundles of code haphazardly pulled from the Internet. Some of the code came from projects that programmers had stopped updating, so software bugs festered and hackers could easily exploit them.

Six years later, things aren’t much better, but our adoption of connected home products has exploded. More than 77 percent of households with a WiFi network reported owning at least one smart home device in 2021, compared with 65 percent just one year earlier, according to research firm IDC. But off-brand smart home devices could be riddled with vulnerable software, and shoppers have no way of knowing. Once inside your house, those products are left exposed to criminals. Smart home devices from name brands like Apple, Amazon and Google, meanwhile, come with well-documented privacy concerns — do people really want audio from their homes handed off to giant tech companies with sprawling ad businesses? Shoppers are stuck in the middle, making tough decisions between privacy and security.

How Big Tech monopoly made smart speakers dumber

Smart home software risks hide in plain sight

Head to a home goods store to pick out a smart lightbulb and you may be confronted with a choice like this, Wisniewski said: a pack of Philips Hue bulbs for $97, or a knockoff pack for $18. If you’re buying based on image or perceived quality, you’ll probably go for the name brand. If you’re buying for price, you’ll reach for the knockoff.

But there’s another element at play here: Software security. Big-name smart device makers have reputations to maintain and a vested interest in securing smart appliances even after they leave the shelves. When a security firm found a bug in Amazon’s voice assistant Alexa that could have allowed hackers to access voice recordings from people’s homes, Amazon swiftly fixed the problem.

Smaller brands, however, are a toss-up, according to Wisniewski. If the code is up to date when you buy the product, it might not be for long, as many devices don’t come with the ability to accept software upgrades remotely. Beyond that, plenty of products are “white label,” or slapped with one-off brands difficult to trace back to a manufacturer, he said.

The impact of a hacked smart home device could be too small to notice. Does anyone really care if a hacker flips off a lightbulb or changes the temperature on a tea kettle?

But real problems arise when hackers use smart devices in some sort of joint effort. Earlier this year, Internet service providers and financial institutions across the world got hit with barrages of fake Web traffic from a single malicious network of hundreds of thousands of compromised smart devices. In these “botnet” attacks, hackers use connected devices to overwhelm a company’s IT infrastructure.

“To recruit every single lamppost in a smart city into a botnet would be quite a coup,” said Rik Ferguson, vice president of security research at the cybersecurity company Trend Micro.

Even if they don’t conscript a lamppost army, hackers can also use smart home devices to connect with other electronics in your house or surveil your network, Ferguson said. He imagined a scenario in which a hacker uses your smart lightbulb to connect to your smart speakers and play an audio file that says, “Alexa, unlock the front door.”

Smart home devices have a long rap sheet, said Chris Rouland, chief executive of connected-device security company Phosphorus Cybersecurity. Your crockpot could be viewing illicit pornography. Your DVR could take down Twitter. And, thanks to a flood of shoddy smart home devices, hackers are making money at your expense, Rouland said.

FBI email system compromised by hackers who sent fake cyberattack alert

Unfortunately, this is going to get worse

It’s a problem that companies don’t communicate clearly with shoppers about how secure the software is inside their connected devices, experts say. And as more objects in our homes come online, that problem gets more urgent.

In their “Project 2030” report, a series of forecasts about life in 2030 and the cybersecurity challenges that come with it, Trend Micro’s Ferguson and Victoria Baines, a research fellow and cyber futurist at the University of Oxford, predict the emergence of a “massive Internet of things.” Billions more connected targets for hackers will open new avenues of cybercrime, they say.

Baines and Ferguson imagine criminals hacking the smart home devices of the future, which will extend beyond our brick-and-mortar homes into our bodily ones. 3-D printers that assemble our food and implants that help our brains interface with computers could one day be among the gadgets we must protect from cybercriminals.

“The smart home devices of a few years’ time won’t just be machines that help you control your lighting and your TV and all of that,” Baines said. “It will be about your physical and personal safety and health.”

Elon Musk wants YOU to build a brain-computer interface

Drawing boundaries falls to shoppers

President Biden issued an executive order in May directing both companies and the government to step up their cybersecurity efforts. In response, the National Institute of Standards and Technology (NIST) drafted some criteria for a consumer software labeling program — like the nutrition labels you see on food, but for software.

NIST doesn’t have the authority to actually make rules for labeling, though, and indicated that any labels based on its criteria would be voluntary, meaning companies wouldn’t have to use them.

An NIST spokesman did not immediately respond to a request for further information on what the criteria could mean for consumers.

“The United States government is not going to protect anybody from a cyber attack. You’re on your own,” said Phosphorus Cybersecurity’s Rouland, whose company helps secure connected devices for large organizations, including the federal government. “They can’t even protect themselves.”

Some legislation has made a dent in connected-device security problems, Rouland said. California passed a bill in 2018 forbidding connected-device manufacturers from shipping products without unique passwords or a clear way to set one up. Congress passed a law in 2020 creating standards for any connected device that the federal government uses. Many U.S. manufacturers changed their ways, Rouland said, while companies outside the United States largely ignored the standards.

Ultimately, consumer choice is the only way to rein in vulnerable devices, he said. As long as people continue buying cheap smart home appliances, they’ll remain on the market. And unless something horrible happens, like a botnet taking down the Internet itself, most people are unlikely to care, he said.

Advice for shoppers

With little guidance from governments and manufacturers, shoppers must fend for ourselves. And how we select smart home devices depends on what we value.

If security is your top priority, name-brand devices are the way to go, experts say. Apple, for instance, requires that manufacturers adopt special security measures before it allows them to market their connected gadgets as compatible with HomeKit, Apple’s software that lets smart appliances communicate with Apple devices.

If you’d rather sidestep the privacy issues with Big Tech slinging Internet-connected gadgets for your home, keep an eye out for devices from smaller brands that work without connecting to the Internet, Wisniewski advised. He connects his smart light switches directly to his home network with a tiny plug-in box, he said. He can’t control the light switches from outside his home — but he also doesn’t need to, he added.

That’s beyond the technical know-how of most people, Rouland said.

If you really want to communicate with a smart device, you should just accept that your information is being sent to the cloud. Change every default password, enable automatic software updates and settle in, he advised.

Any choice between privacy and security isn’t a good one. But Baines said it’s important to remember that we aren’t “captive idiots” in the ongoing battle between security professionals and criminals — or privacy advocates and big companies. We can take the extra time to learn about what we’re putting in our homes, she said, or simply say no.

“If you’re uncomfortable with it, the best advice I can give anyone is not to do it,” Ferguson said.

Alexa has been eavesdropping on you this whole time

Help Desk: Making tech work for you

Help Desk is a destination built for readers looking to better understand and take control of the technology used in everyday life.

Go deeper: Tech in Your Life | Tech at Work | Your Data and Privacy | Internet Access | What’s New | Ethical Issues

Data and Privacy: A guide to every privacy setting you should change now. We have gone through the settings for the most popular (and problematic) services to give you recommendations. Google | Amazon | Facebook | Venmo | Apple | Android

Ask a question: Send the Help Desk your personal technology questions.