Most hackable devices

hack security malware
Credit: Thinkstock
Consumer devices vulnerable

There are now more than 3 billion connected devices in use by consumers, according to Gartner, and this number will increase to 4 billion next year.

A big chunk of that increase will come as a result of the holiday season, when 65 percent of Americans say they plan to buy consumer electronics gifts, according to an October report by the Consumer Electronics Association. The amount of spending on tech will reach $34.2 billion, making the the biggest tech shopping season on record, according to Shawn DuBravac, CEA’s chief economist and senior director of research.

Many of these gifts are likely to be connected devices, including smart TVs, tablets, smartphones, notebooks and laptops, and video game consoles. In addition, a third of all consumers -- 33 percent -- plan to buy an emerging technology product this year such as as smart home devices, wearable fitness trackers, smart watches, and drones.

Unfortunately, many of these devices will make homes more vulnerable to hackers.

Tablets
Tablets

As with a smartphone, the security of a tablet depends mostly on its operating system.

Although iOS devices have occasionally been compromised, 97 percent of all malware targets Androids, according to a mobile threat security report from Pulse Secure.

The iOS ecosystem offers a couple of major security advantages over Android, including tighter control of the apps allowed in the app store, and Apple's ability to quickly push out security-related upgrades to all users. Android security updates, however, typically have to go through individual manufacturers, which can involve significant delays.

But tablets also have an additional level of risk.

"Tablets are used much in the way laptops are used and often contain work related documentation with sensitive information," said Bruce Snell, director of security and privacy at Intel Security. "But unlike laptops, tablets aren't treated with the same level of security, especially in a BYOD environment."

Smartphones
Smartphones

According to the Pew Research Center, 68 percent of U.S. adults now have a smartphone, and mobile shopping is expected to account for 30 percent of all online sales this year, according to Internet Retailer.

More than half of smartphone owners use mobile banking, and 1.4 billion people log into Facebook each month using their mobile devices.

"With new models of smartphones and tablets being produced multiple times throughout the year, these devices make ideal gifts for friends and family who want the latest phone to support their on the go lifestyle," said Snell.

But many users don't realize what a treasure these devices could be to potential criminals.

It's not just social media accounts, e-commerce logins and banking credentials that are exposed to hackers who are able to steal or remotely break into a smartphone. There's also emails, private photos and videos, work and personal contacts, login credentials for home and office networks, and saved location data.

Plus, attackers may also be able to activate a smartphone's microphone remotely and listen in to corporate meetings, or track the device owner's location.

According to Snell, a major factor affecting smartphone security, is, as with tablets, the operating system.

"The primary difference is between iOS and Android," he said.

User behavior is also a significant factor, studies show.

According to research released earlier this year by Kaspersky Lab and B2b International, 30 percent of Android phone owners don't protect their smartphones with passwords, and 44 percent of Android phone owners do not have an anti-malware solution installed. 

The recent growth in Bluetooth-enabled accessories makes a smartphone even more vulnerable, said Snell.

"Some devices use default pairing passwords for Bluetooth, like 0000 or 1234, allowing cybercriminals to pair and gain access to a device," he said.
 
And it doesn't stop there, he added.
 
"The biggest issue with Bluetooth connectivity is that it’s authenticated once," he said. "After pairing once, the device is considered trusted. This leaves the door open for impersonation or man in the middle attacks against the host device and the connected accessory."
Drones
Drones

The market for drones is still in its infancy, but as these devices get more popular they will increasingly become targets for hackers, said Intel Security's Snell. The attackers can use vulnerability to steal the drone itself, or, if it's used for deliveries, steal its cargo.

"The ability to remotely hack a drone connected to Wi-Fi is real," Snell said.

For example, this summer, at the Def Con security conference, a researcher from security firm Planet Zuda demonstrated how to hijack the Parrot drone, a popular drone brand.

Camera-enabled devices
Credit: Summer
Camera-enabled devices

This year has seen a spate of reports about hacked baby monitors, nannycams, and similar devices. Any connected device with a camera is potentially vulnerable, said Intel Security's Snell.

"There are numerous websites cataloging unprotected cameras displaying private video," he added.

Earlier this fall, for example, security firm Rapid7 reviewed popular baby monitors from six manufacturers and found that all had significant security problems such as lack of encryption for communications or stored data, and warned that this could just be the tip of the iceberg.

Attackers could use these devices to invade personal privacy, steal recorded videos, track when people were home, or use the devices to get access to the local network.

"It is important to stress that most of the vulnerabilities and exposures discussed in this paper are trivial to exploit by a reasonably competent attacker," researchers said.

The report got significant media attention, and most of the device manufacturers involved rushed to fix the problems.

"The issue noted within the report on baby monitors was resolved on Summer Infant's models within 48 hours," said a Summer Infant spokesperson.

TRENDnet found that attackers would not only need physical access to the camera but would also have to rewire the circuit board to exploit the vulnerability, but patched the vulnerability, and the firmware upgrade is available and all users notified either through the email addresses they registered their products with, or through the website next time they log into view their video.

The Philips product involved, the In.Sight Wireless HD Baby Monitor, is a discontinued product that had been produced by another company, Gibson Innovations, under the Philips brand name. The two companies worked together and fixed the problem in September, shortly after the Rapid7 report came out. The companies updated the affected cloud services, updated the firmware, and updated both the Android and iOS apps.

Elnaz Sarraf, VP at iBaby Labs, said that his company has taken a number of steps to resolve the security concerns raised by Rapid7, including securing communications between the monitor, the apps, and the associated cloud service.

According to a spokesperson from Gynoii, the company has already upgraded the product with new firmware, and existing customers will be able to download the new firmware within the coming week.

As of deadline, Lens Laboratories has not responded to our request for comment.

Children's gadgets
Credit: Sphero
Children's gadgets

According to Snell, devices that connect children to the Internet can allow criminals to target both the child, and the family. For example, many children use their parents' email addresses and devices to access the apps that control their gadgets.

"If the child's mobile app is infected, it gives a hacker direct access to the parents’ data," said Snell. "This can result in malware being installed and spearphishing."

One such toy is the Star Wars tie-in, the BB-8 Droid by Sphero, which can be remote controlled with a smartphone app.

"The weak link isn’t just in the communication protocol between the phone and BB-8, there’s also a risk of modification to the toy’s firmware as well," said Chris Rouland, founder and CTO at IoT security firm Bastille Networks.

Another hot toy this season is the Hello Barbie doll from Mattel, he said.

"According to the doll’s FAQ, an Internet connection provides connection to ToyTalk’s cloud where thousands upon thousands of lines of dialogue are stored," he said. "Of course, the vendor policy states that it takes great care of recorded conversations."

Smartwatches
Credit: LWYang
Smartwatches

Earlier this year, HP tested 10 of the most popular smartwatches and found significant security problems with all of them. Half, for example, did not have a passcode or other lock mechanism, so that anyone who picked up the watch could get into it.

Many had problems with distribution of security upgrades, with authentication, or with encryption. The apps associated with the devices also had security issues, posing risks to personal privacy. And if hackers are able to access a smartwatch, they could potentially also gain access to the mobile device or network it's connected to.

In addition, according to Daniel Miessler, HP's head of security research, the market is so new that it's difficult for consumers to learn about the security issues with specific devices.

For example, HP itself did not release the brand names of the watches that were tested.

Fitness trackers
Credit: Fitbit
Fitness trackers

According to Intel Security's Snell, a hacker who broke into a fitness tracker device or its associated website could potentially access private information.

But, more than that, hackers could use the device to get into the associated smartphone, tablet, computer or home network that the fitness tracker connects to, said Intel Security's Snell.

"It’s a gateway device," he said.

And, in fact, in October, a security researcher from security firm Fortinet demonstrated that the popular Fitbit fitness trackers could be attacked via their Bluetooth connections.

But Sash Biskup, director of security  at Fitbit, said that while an attacker could send data to a Fitbit and see that data echoed back, there was no security vulnerability involved, and that it was impossible to send this data on to a connected computer or use the software bug to spread malware.

"There is no vulnerability with this software bug," he said. "It is not possible to make our client do anything with this data. We spent a lot of time looking at this."

Fortinet, however, is not backing down from its assertion that Fitbit has a vulnerability that allows an attacker "to inoculate a Fitbit device with arbitrary code that could be sent to computers that the device connects to over a Bluetooth connection."

"We stand behind the statement," said Sandra Wheatley Smerdon, the company's VP for global corporate communications. "I’m not aware if Fitbit has since fixed the vulnerability and we have not updated our research."