Popular connected home entertainment devices pose a real cyber security threat due to vulnerabilities in their software and a lack of elementary security measures, such as strong default administrator passwords and encryption of the Internet connection.
Kaspersky Lab security analyst David Jacoby conducted a research experiment in his own living room to find out how safe his home is in terms of cyber security. He inspected home entertainment devices such as network-attached storage (NAS) devices, Smart TVs, a router, a Blu-ray player, etc. to find out if they are vulnerable to cyber-attacks. And it turned out they are.
The devices examined were two NAS models from different vendors, one Smart TV, a satellite receiver, and a connected printer. As a result of his research, David Jacoby managed to find 14 vulnerabilities in the network-attached storage devices, one vulnerability in the Smart TV and several potentially hidden remote control functions in the router.
In line with its responsible disclosure policy, Kaspersky Lab does not disclose the names of the vendors whose products were subject to research until a security patch closing the vulnerabilities is released. All vendors were informed about the existence of the vulnerabilities. Kaspersky Lab specialists work closely with vendors to eliminate any vulnerabilities they discover.
“Individuals and also companies need to understand the security risks around connected devices. We also need to keep in mind that our information is not secure just because we have a strong password, and that there are a lot of things that we cannot control. It took me less than 20 minutes to find and verify extremely serious vulnerabilities in a device which looks like a safe one and even alludes to security in its own name. How would similar research end if it was conducted on a much wider scale than just my living room? This is just one of many questions that need to be addressed by device vendors, the security community and users of such devices collaboratively in the near future. The other important question is the lifecycle of devices. As I’ve learned from conversations with vendors, some of them will not develop a security fix for a vulnerable device when its lifecycle is over. Usually, this lifecycle lasts for one or two years, while the real life of devices – NASs for instance – is much longer”, said David Jacoby, the author of the research.
How to stay safe in the world of connected devices
Make the hacker’s life harder: all your devices should be updated with all the latest security and firmware updates. This will minimize the risk of known vulnerabilities being exploited.
Make sure that the default username and password are changed – this is the first thing an attacker will try when attempting to compromise your device.
Most home routers and switches have the option of setting up a separate network for each device and of restricting access to the device, with the help of several different DMZs (a separate network segment for systems with a greater risk of compromise) or VLANs (a mechanism for achieving logical separation between different logical networks on the same physical network). For example, if you have a TV, you might want to restrict access to that TV and only allow it to access a particular resource within your network. There isn’t much reason for your printer to be connected to your TV.
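The segmentation described above, written out as an nftables ruleset for a Linux-based home router. This is an added example, not configuration from Kaspersky Lab or from any of the devices examined. The interface names, VLAN numbers, addresses and ports are constructed, and it assumes an IPv4-only network with IPv6 disabled on the router.

```nftables
#!/usr/sbin/nft -f
# Constructed example. Interface names, subnets, addresses and ports are
# assumptions, not values from the article. IPv4 only (IPv6 assumed disabled).
flush ruleset

define WAN    = "eth0"
define TRUST  = "eth1.10"      # VLAN 10: laptops, phones and the NAS
define MEDIA  = "eth1.20"      # VLAN 20: Smart TV, Blu-ray player, satellite receiver
define PRINT  = "eth1.30"      # VLAN 30: connected printer
define NAS_IP = 192.168.10.5
define TV_IP  = 192.168.20.10

table ip home {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed by a rule below
        ct state established,related accept
        ct state invalid drop

        # Every segment may reach the Internet (firmware updates, streaming)
        iifname { $TRUST, $MEDIA, $PRINT } oifname $WAN accept

        # Trusted devices may print (IPP and raw printing on port 9100)
        iifname $TRUST oifname $PRINT tcp dport { 631, 9100 } accept

        # The TV may reach one resource only: the NAS share over SMB
        iifname $MEDIA ip saddr $TV_IP ip daddr $NAS_IP tcp dport 445 accept

        # Everything else between segments (printer to TV, TV to laptops,
        # new connections from the WAN) is logged, then hits the drop policy
        log prefix "inter-vlan drop: " counter
    }
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # Device VLANs get DNS and DHCP from the router, not its admin interface
        iifname { $MEDIA, $PRINT } udp dport { 53, 67 } accept
        iifname { $MEDIA, $PRINT } tcp dport 53 accept

        # Only the trusted VLAN may manage the router
        iifname $TRUST accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

The log rule at the end of the forward chain shows which devices attempt to cross segments, which is a useful signal that a device is behaving unexpectedly.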