
Smart home devices used in cyberattack on tech writer's site


As home devices become more connected, experts warn the 'internet of things' could become a cyberweapon

As more of our home devices become internet connected, like this smart lock, experts warn we'll see more cyberattacks using the devices. (Maurizio Pesce/Flickr)

From smart thermostats to smart door locks, the so-called "internet of things" — the increasing range of internet-connected devices in our homes — promises convenience. But security researchers warn that "smart" devices could also be used as cyberweapons.

That was illustrated recently when an army of hacked consumer electronics was used in a high-profile cyberattack. CBC Radio technology columnist Dan Misener explains why it's worrying in the age of the internet of things.

What was the latest cyberattack?

Technology writer Brian Krebs was the victim of a botnet attack on Sept. 20, which involved internet-connected smart home devices. (Kristof Clerix/krebsonsecurity.com)

To understand this story, you need to know a bit about Brian Krebs. He's a well-known writer and investigative journalist, and a former Washington Post reporter. On Sept. 20, his website was knocked offline by a particular kind of cyberattack known as a "denial-of-service" attack.

Basically, hackers tried to overwhelm his website with a huge amount of traffic, to the point that it would be taken offline. They succeeded, and his website was down for much of last week.

Denial-of-service attacks are quite common — they happen every day.

But the attack on Krebs has drawn attention because it seems to have been carried out, in part, by a botnet — a group of internet-connected devices taken over without their owners' knowledge, and used in an attack. In this case, the botnet was made up of hacked internet of things devices — the same kinds of devices that many Canadians already have in their homes.

A lot has already been said about the hackability of smart home devices.

But now, it seems that armies of hacked devices are being used as cyberweapons.

What kinds of devices were used in the attack?

Krebs wrote that his site was attacked by a botnet made up of hacked routers, internet-connected cameras, and DVRs — digital video recorders with internet access.

What's worrisome here is how many devices could potentially be used in an attack like this. Over the past few years, we've seen a growing number of consumer electronics become internet-connected — everything from thermostats to vacuum cleaners to fitness trackers.

And along with that comes the potential for someone to gain remote control and use that device for their own purposes — like a denial-of-service attack.

How do I know if my device has been compromised?

Security researcher Ken Munro specializes in the internet of things. He knows this stuff first-hand, because he's discovered and demonstrated a number of security vulnerabilities, including the hackability of smart thermostats.

He said the scary part for most of us is that we might not even know our devices have been used in such a cyberattack.

Cyber security expert Ken Munro, seen here giving a hacking demonstration, says the problem of hacked smart devices is 'going to get a lot worse before it gets better.' (Pen Test Partners/YouTube)

"As a consumer, it's going to be quite hard to tell," he said.

"If your device has joined the botnet, you might notice your internet bandwidth decreasing. But you might not notice. If it's a well-designed botnet, it'll only be a few packets going out from lots and lots and lots of devices. So it's a bit like stealing one cent from every bank account. It's only a cent, but if you steal a cent from every bank account, you've made a lot of money."

What should I look for in a smart home device?

Munro says if you're considering something like a smart thermostat or an internet-connected baby monitor, go for a brand name you recognize and trust.

"That's not to say they're not vulnerable, but the manufacturers of big brand-name products tend to be more responsive to fixing bugs when they are found," he said.

Ken Munro says the easiest way to avoid having a smart home device like a thermostat hacked is simply not to have one at all. (Ann Hermes/Christian Science Monitor/Getty Images)

Of course, he says the easiest way to avoid having your smart home device hacked is simply not to have one.

"I've been in this field 20 years, and I have a very dumb thermostat," he said.

"Take from that what you will."

Will we see more cyberattacks using the internet of things?

Absolutely, for a few reasons.

First, the install base for internet of things devices is only getting larger, with so many new consumer electronics getting internet connections. As the install base grows, these devices become more and more attractive for things like botnets.

Second, the default security on these devices is, relatively speaking, quite low.

And finally, once security vulnerabilities are identified, manufacturers tend to be slow to fix them. These days, it's pretty simple to update your computer or smartphone to the latest, most secure operating system — less so for smart home devices.

"We haven't seen the half of it yet," said Munro.

"This problem's going to get a lot worse before it gets better."

ABOUT THE AUTHOR

Dan Misener

CBC Radio technology columnist

Dan Misener is a technology journalist for CBC radio and CBCNews.ca. Find him on Twitter @misener.