
40% of Smart Homes at Risk to Hackers - 1dunn0
https://sensorstechforum.com/smart-homes-at-risk-to-hackers/
======
perlgeek
Only 40%?

Considering all the shit shows I've seen with "smart" devices, I think a
dedicated adversary could break into pretty much all smart home setups, and
I'd guess more than half would be vulnerable to scripted/automated attacks.

~~~
ams6110
These devices have vulnerabilities, sure, but how exploitable? Any device on
my network has a non-routable IP address it gets via DHCP, and the only port I
have open on my public network is SSH which is forwarded to one specific
internal IP address.

~~~
michaelt
Back in the day, you could reboot some people's routers anywhere you could
embed third-party-hosted images with tricks like:-

      <img src="http://192.168.0.1/admin/reboot.htm?Reboot=Reboot">

------
mrweasel
The popularity of "smart devices" continues to baffle me. There is simply no
way that I'll install any type of smart anything in my home.

Security is certainly one aspect, but more than anything: I don't need yet
another device to manage! I deal with enough badly designed software at work
every single day. Having yet another piece of software flake out when I get
home is extremely low on my list of wishes for the future.

We can't even get smart TVs right. You have to go out and pay for a smart TV,
ensure that it's only online long enough to get the firmware updated and then
you have to buy something like an AppleTV on top of that to actually get
streaming to work smoothly.

~~~
close04
The title seems like a bit of a misrepresentation of the content due to the
particular definition they use in the report for a "smart home". The notion of
_smart home_ usually refers to home automation and recently to IoT [0]. But
you will notice that the definition here is "having any kind of device that
can be hacked, except computers and smartphones which won't be considered".

> The majority of connected devices users have at home are still computers and
> smartphones which connect via Wi-Fi through the home router. _Excluding
> these three types of devices_ [...]

> Top ten smart home devices per country ( _excluding PCs, smartphones_ , and
> routers)

Having a router is enough to treat it as a "smart home" and it appears they
are the most hacked device. IoT doesn't actually feature too prominently in
the report, despite the title.

[0]
[https://en.wikipedia.org/wiki/Home_automation](https://en.wikipedia.org/wiki/Home_automation)

------
Someone1234
Original source (PDF):

[https://cdn2.hubspot.net/hubfs/486579/avast_smart_home_repor...](https://cdn2.hubspot.net/hubfs/486579/avast_smart_home_report_feb_2019.pdf)

Avast have a vested interest in selling security products, so their claim that
(paraphrasing) "if one device is vulnerable then the entire home is
compromised" isn't at all surprising. Easy way to get that 40.8% figure.

The publication is quite clearly an ad for their Avast Wi-Fi Inspector
product.

~~~
vvanders
Yeah, I'm seeing more and more people pick up products like UniFi, and putting
IoT stuff over on a Private VLAN so that they only get to talk to the gateway
and not be able to pivot to anywhere else on the network.

~~~
digitalsushi
I put some thought into this last month. There are not a lot of consumer grade
routers out there that support multiple LANs. Once you get into the business
edge router type gear, it starts to become pretty easy. There's a few brands
that will do it, and certainly a pfsense appliance on an x86 system with a few
network adapters will do it. Running a router on an old computer is getting a
bit out of style though...

My solution is really quite shoddy but it satisfies me. I took an old router
and set it up with its WAN as a LAN client, and its LAN as an IoT network. The
router does not have NAT translation on the LAN interface. It does however
perform NAT on the openvpn interface. My new IoT network, which is on its own
vlan/ssid/however I split layer 2, runs the packets through the vpn and out
onto the Internet in some other network, and in theory never shall the two
LANs touch. If the vpn goes down, there is no NAT to leak them out my home ISP
directly. Sure, I'm doing double nat, but for my IoT stuff, who cares. It's
just dye going in the river, just make it go away from me.

I adopted a recurring cost of 3 bucks for a vpn. But I didn't have to get
shiny new gear or run an entire computer. My little way for the sake of
sharing. Love to hear any criticism of it since I am still thinking about it
quite a bit.
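
An added example, not part of digitalsushi's comment or the thread: a small Python check over `iptables-save` output for the kind of setup described above, where NAT exists only on the VPN interface. It assumes an iptables-based router and the hypothetical interface names `br-iot` (IoT LAN) and `tun0` (OpenVPN); both rule dumps are constructed, and the forwarding policy in the first one is an assumption.

```python
import shlex

# Constructed iptables-save dumps, not taken from the thread. Assumed names:
# br-iot = IoT LAN bridge, tun0 = OpenVPN tunnel.
NAT = "*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -o tun0 -j MASQUERADE\nCOMMIT\n"
NAT_ONLY = NAT + """*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br-iot -o tun0 -j ACCEPT
COMMIT
"""
KILL_SWITCH = NAT + """*filter
:FORWARD DROP [0:0]
-A FORWARD -i br-iot -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o br-iot -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse(dump):
    """Return ({(table, chain): policy}, [(table, chain, {option: value})])."""
    policies, rules, table = {}, [], None
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            policies[(table, line[1:].split()[0])] = line.split()[1]
        elif line.startswith("-A "):
            tok = shlex.split(line)
            # Pair each option with its value; "!" negation is not modelled.
            opts = {k: v for k, v in zip(tok[2:], tok[3:]) if k.startswith("-")}
            rules.append((table, tok[1], opts))
    return policies, rules

def audit(dump, iot="br-iot", vpn="tun0"):
    """List ways traffic from `iot` could leave other than via `vpn` (simplified matching)."""
    policies, rules = parse(dump)
    fwd = [o for t, c, o in rules if (t, c) == ("filter", "FORWARD")]
    nat = [o for t, c, o in rules if (t, c) == ("nat", "POSTROUTING")]
    findings = []
    for o in nat:
        if o.get("-j") in ("MASQUERADE", "SNAT") and o.get("-o") != vpn:
            findings.append(f"NAT on {o.get('-o', 'any interface')}: usable non-VPN path")
    for o in fwd:
        if o.get("-j") == "ACCEPT" and o.get("-i") in (None, iot) and o.get("-o") != vpn:
            findings.append(f"FORWARD accepts {iot} -> {o.get('-o', 'any interface')}")
    catch_all = any(o.get("-j") in ("DROP", "REJECT") and o.get("-i") == iot
                    and "-o" not in o for o in fwd)
    if policies.get(("filter", "FORWARD")) != "DROP" and not catch_all:
        findings.append(f"FORWARD default is not DROP: {iot} can route out the uplink if {vpn} is down")
    return findings
```

`audit(NAT_ONLY)` returns one finding because nothing in that ruleset blocks forwarding when the tunnel route disappears; `audit(KILL_SWITCH)` returns none because the default-drop FORWARD chain makes the fallback explicit.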

~~~
zyzyl
An obstacle here is that most of these business routers don't support UPnP. I
don't want to argue the merits or pitfalls of UPnP, what's relevant is that
lack of it becomes an obstacle to online play for modern video game systems
such as Xbox. Add to that scenarios where router type is mandated by a
particular ISP (Verizon in the US is applicable here) and there's quite a few
scenarios where people may have the ability to manage such a protection scheme
but other factors get in the way.

------
pnw_hazor
I bought some name brand smart junk on Amazon day awhile back. Eventually I
got around to trying to set it up. The first thing it asked me to do was to
configure my router to expose the devices to open internet.

I immediately put it back in the box and haven't touched it since. I hesitate
to resell it because part of me feels it is my civic duty to destroy it rather
than pass it along to another rube.

~~~
DoofusOfDeath
I'm adding RGBW LED strip lighting to my home office, and I wanted the option
to eventually control the lights programmatically. This was my first foray into
home automation, and I settled on using Z-Wave for the communications.

AFAIK, the typical design for Z-Wave systems is to route most/all control
through a home-automation "hub" (IIRC the terminology correctly). I was
alarmed at the number of hubs for sale that required connectivity to the
outside Internet.

I've decided to use a Raspberry Pi (with a Z-Wave modem) with a home-
automation distro for my hub, and one of my main motivations was to avoid this
huge external dependency / attack surface.

I feel bad for people with less savvy or computer skills who don't realize the
potential hell they're risking.

------
mikethepie
Isn't this certainly a massive underestimation?

~~~
dvdkon
The HN headline is definitely ambiguous and, I'd say, wrong. Anything is "at
risk to hackers" if you include all varieties of cracking (not just remote
exploits, but physical attacks, social engineering...).

The site's current headline ("40% of Smart Homes Currently Vulnerable to
Hacking") is somewhat better ("vulnerable" instead of "at risk"), but they
clarify in the first paragraph ("... are vulnerable to remove (sic) hacks
...").

------
driverdan
This is blogspam for Avast's report:
[https://cdn2.hubspot.net/hubfs/486579/avast_smart_home_repor...](https://cdn2.hubspot.net/hubfs/486579/avast_smart_home_report_feb_2019.pdf)

I took a quick look on Avast's blog and didn't see this report. I'm not sure
where it came from.

------
rc_mob
I don’t care anyways, I only installed smart devices to make my wife happy. I
don’t care if my garage door opener gets hacked.

~~~
DoofusOfDeath
> I don’t care if my garage door opener gets hacked.

Wouldn't that be an easy way for burglars et al to gain entry to your house?

------
skummetmaelk
Correction: 100%.

