This past April, a Kansas mother was setting her son down in a crib when she noticed the camera-equipped baby monitor in the room was tracking her movements.
“I stood back up, and the monitor went up and over,” she told KWCH 12. “I kind of moved back here, and it followed me again. Then I went into our bedroom where the handheld device is to make sure it wasn’t malfunctioning or something, and it followed me out of the room.”
Terrified, the woman yelled “quit watching me” into the camera before running upstairs to inform her husband. “I didn't know what to do,” she said. “I was just so scared and so shocked that this is actually happening to me.”
As this family learned the hard way, even the most innocent-seeming devices are susceptible to hackers. “Anything with an operating system and an internet connection has the capability to be hacked,” says Kevin Haley, director of product management at Symantec Security Response.
These days, that includes a lot of things. Not just computers and smartphones, but thermostats, TVs, security cameras and home automation systems. This is what's meant by the trendy term the Internet of Things, or IoT — your appliances are going online.
“While some of these have only been hacked as proof-of-concept attacks by security researchers,” Haley says, “other devices have been hacked by those with malicious intent.”
What can hackers do to these devices?
Quite a bit. If a malicious hacker can gain access to a webcam or security camera, they can literally watch your every move, as happened to the Kansas family. In other, more serious cases, hackers have used this access for so-called sextortion, where they blackmail users over private photos taken via hacked bedroom webcams.
Gaining access to a security camera can also allow a burglar to take it out of commission, leaving you vulnerable to somebody physically attempting to gain entry to your home.
“IoT is the new Wild West: No standards, no rules, no sheriff in town, and lots of get-rich-quick opportunities,” says Neal O’Farrell, a consumer security advocate and the in-house credit and ID theft expert for Credit Sesame.
Currently, threats to IoT devices such as connected thermostats are generally limited to tricksters messing with your A.C. But they will inevitably be used for more devious schemes and scams.
“We believe it’s only a matter of time before ransomware surfaces on these devices,” Haley says, referring to the aggressive type of malware that holds your device hostage until you pay the attacker to give control back to you.
The biggest vulnerability in your online world is almost certainly your wifi router. These devices are relatively easy for hackers to access, and doing so gives them immense power over your home network, including the ability to redirect all your web traffic. They can even use your network to engage in illegal internet activity, which means your network’s identifying marks could be associated with the crimes.
“Hackers do the one thing most homeowners don’t: Read the manuals,” O’Farrell says. “Hackers know how the devices work, and how to get the best out of them. That kind of knowledge and control is downright scary.”
What's my best line of defense?
1. For the love of god, change your default password.
If you haven’t bothered to change your device's factory-set password, you’re not alone. But you are vulnerable.
The problem: Many manufacturers use the same default password for all of their products — and these passwords are easily found online — making the hacker's job as simple as signing on. This is a particular problem when it comes to routers (but you really should change the password for any connected device).
“When setting up wifi, you’ll also want to use a strong encryption technique, such as WPA2,” Haley advises.
And, please, do not write your password on a sticky note and plaster it to your fridge.
2. Make your passwords harder to hack.
If you're still using “password” or “qwerty” as your password, you sorta deserve to get hacked. But even your more creative efforts probably aren't enough. Hackers have created sophisticated software that uses dictionaries of commonly used passwords and algorithmically combines them with numbers and symbols (and maybe even your personal data, if they're targeting you specifically). Your daughter's name plus your birth year? Sorry, but “Sarah1984” is not acceptable.
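To make that concrete, here is an added Python example (not part of the original article) of the check a signup form or password audit can run to reject passwords built the way those tools guess them. The function name `weakness`, the tiny `COMMON_WORDS` list and the sample inputs are constructed for illustration.

```python
import re

# Constructed sample; real cracking dictionaries hold millions of entries.
COMMON_WORDS = {"password", "qwerty", "letmein", "dragon", "monkey"}

# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def weakness(password, personal=()):
    """Return why a password is guessable, or None if no rule matched.

    `personal` holds details tied to the user (names, pets, teams),
    which a targeted guesser adds to the word list.
    """
    words = COMMON_WORDS | {p.lower() for p in personal}
    lowered = password.lower()

    # Rule 1: a dictionary word or personal detail used unchanged.
    if lowered in words:
        return "dictionary word"

    # Rule 2: the same word with digits or symbols stuck on either end,
    # e.g. a name followed by a birth year.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if core in words:
        return "word plus digits or symbols"

    # Rule 3: look-alike characters swapped in for letters (a -> @, o -> 0).
    if core.translate(LEET) in words:
        return "character substitutions"

    return None


if __name__ == "__main__":
    for pw in ("qwerty", "Sarah1984", "P@ssw0rd1", "Sarah_hA8*&_kIo14@"):
        print(pw, "->", weakness(pw, personal=["Sarah"]))
```

A result of `None` only means none of these three rules matched; it is not proof that a password is strong.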
Instead, you should be using so-called “strong passwords,” which deflect or delay automatic attacks by being random and/or excessively complex. Your objection, of course, is that you'll never remember “Sarah_hA8*&_kIo14@.” But plenty of online tutorials, like this one, will teach you how to make passwords that are difficult to crack yet easy to remember. Or follow this comic's advice:
3. Give your security questions some thought.
With so many websites, networks and other online services playing central roles in our daily lives, forgetting one's password is practically a national pastime. And how do we recover our passwords? Via email or by answering security questions.
The problem is, most security questions are based on mundane personal details. Your mother's maiden name? Easily found via a public record search. Your birthday? You've probably already broadcast it on Facebook. The last four of your social? SSN databases are widely available on the criminal black market.
We suggest lying. Love Nirvana? Your mother's maiden name is now Cobain. Your first pet? Big Bird. Your birthday? July 4, 1776. And so forth. Just don’t use “I don’t know” or “I don’t have one.”
And for pete's sake, turn on two-factor authentication if your service providers offer it.
4. Always update your software.
The first version of every software release is buggy. That's a fact of life. We know that constantly updating your software (curse you, Apple TV) is a real bummer, but it must be done to maximize your security.
For your big devices (laptops, phones), turn on Automatic Updates. Or, hit “Update” before you go to bed, and let the magic happen in the background. For connected devices, sign up for the manufacturer’s emails. It's not often publicized, but many software updates are made specifically to fix security holes.
They are absolutely necessary to winning the arms race against hackers — even if it means getting on the phone with tech support.
5. Go old school — disconnect.
As far as webcams and baby monitors are concerned, older versions without wifi connections are your safest bet. You may not be able to check on your little one from afar, or on your iPhone, but that means no one else can, either. The same goes for your thermostat, doorbell, refrigerator and every other appliance that's connected to the internet.
If that's out of the question, for whatever reason, O'Farrell recommends placing tape over any webcams or surveillance cameras when they're not being used. Better yet, unplug them altogether. He also advises caution with any devices that use voice-activation. In February, Samsung came under fire for their latest "Smart TV," enabled to collect “personal or other sensitive information...captured and transmitted to a third party through your use of Voice Recognition.”
It's not just TVs. Anything with a microphone is theoretically vulnerable. As Haley says, “You don’t know how often they are listening and what they are recording.”