On the Money

Suddenly hot smart home devices are ripe for hacking, experts warn


Will 2017 be the year your home comes under attack from cyber criminals?

Experts expect the number of attacks on the Internet of Things (IoT) to increase in 2017. IoT includes devices like webcams, DVRs and connected thermostats that make life easier for homeowners, but are susceptible to cyber-intrusions.

These gadgets add conveniences like locking your door or shutting off the lights all from a smartphone app, but they come with certain risks, experts warn.

"The sharks have smelled the blood in the water and they're now circling to use your IoT device for further attacks," said James Lyne, global head of security research for Sophos, a U.K.-based cybersecurity company.

The concerns about technological vulnerabilities come as experts say smart home devices are hot gifts this holiday season. The growing reach of smart devices makes the dangers more acute, some say.

"I think we're going to see real strength in the Internet of Things and it's not just your thermostat, it's going to be everything in your house, your refrigerator, your washing machine, your dishwasher," Jan Kniffen, a consultant specializing in retail and CEO of J. Rogers Kniffen Worldwide, said on CNBC's "On The Money" recently.

Despite the proliferation of smart gadgets, Kniffen suggested consumers were either unaware or unconcerned about hacking risks—and not taking appropriate measures to prevent them.


'More insecure than secure'

Intel Smart Home coffee maker and tablet.
Harriet Taylor | CNBC

In October, hackers took over 100,000 IoT devices and used them to block traffic to well-known websites, including Twitter and Netflix.

"This is just the beginning of cybercriminals finding ways to creatively use the internet of things. Almost like a test attack," Sophos' Lyne said.

This type of attack is known as a distributed denial of service (DDoS).

"To translate it to the physical world, you know when you go to a shop you've got a revolving door," Lyne continued. "It's like getting a ton of your friends to go to this shop and all run around in circles in the revolving door, so no actual customers can get inside."

While the attack is not believed to have caused any lasting damage, sometimes DDoS attacks are used to cover more damaging attacks.

"We've seen cybercriminals previously launch these big attacks against websites to draw everyone's attention in, whilst in the background they conduct a more sinister attack of a financial nature," said Lyne.



This was the first wide-scale attack that used these devices, but as more and more consumers add the devices to their homes, attacks are expected to grow.

"We're going to go from 12 billion devices we currently have, to over 30 billion devices by 2020, all interconnected. That's going to add to the ease of our life but if all these devices are easily hacked into it could mean we could have a whole new host of security concerns," said Sen. Mark Warner, a Virginia Democrat. Warner is a member of the Senate Select Committee on Intelligence and co-founder of the Senate Cybersecurity Caucus.

Smart home devices are vulnerable because of poor programming. "Devices like these often come with a really bad and easy to guess username and password," Lyne said.

Cybercriminals then take over IoT gadgets by searching the web for those with default passwords. Guessing the password allows the hackers to take over the device and harness its processing power for attacks.

Accordingly, a closed-circuit television camera or DVR "is enough of a reason to attack you so that you can be useful to attack other people. You are a target," said Lyne.

Many of the devices used in the October attack were recalled by the Chinese manufacturer Xiongmai. But according to Lyne, many vulnerable devices are still for sale.

"Chances are right now if you're buying an Internet of Things device, you're more likely to be buying something insecure, than secure," he said.


To help manufacturers, the Department of Homeland Security released strategic principles for IoT just last month, calling it "a matter of homeland security."

However, the principles are not binding or regulatory and experts told CNBC more needs to be done. "To the vendors, you've got a very small window. The cybercriminals have noticed the abhorrent lack of security," said Lyne.

"I think all of us, from industry to individuals, to government are going to have to up our game in terms of making sure these devices are safe from the very real threat of cyber hackers," said Sen. Warner.

To protect yourself, Lyne recommends first deciding whether you really need a smart home device at all. "You should ask yourself seriously, do you want this device in your home right now, while the industry takes action to fix these problems," he said.

If you do use or buy IoT devices, you should change the default password and make sure to update the software.

"If you do have one of these devices, make sure you're running the latest version of the software, because lots of manufacturers have issued fixes," Lyne said.



On the Money airs on CNBC Saturday at 5:30 am ET, or check listings for air times in local markets.