Bitdefender has just published a report on serious vulnerabilities in Wyze home security cameras that, if left untreated, could enable hackers to tap into their camera feeds. With the smart home market expected to balloon to $3.27 billion in 2022, it’s no surprise that these smart devices are increasingly becoming popular targets for cybercriminals.

“When looking to purchase new security or IoT gear for the home, users should first do their due diligence beyond just price comparison,” Dan Berte, Director, IoT Security at Bitdefender, told Lifewire over email. “Just like a car, IoT devices come with varying features and safety measures; they are not all equal.”

Bubble Brained

Smart devices, also known as the Internet of Things (IoT), are traditional home devices, like TVs, doorbells, baby monitors, lights, thermostats, and all kinds of home appliances, connected to the internet to enable us to control and monitor them remotely.

Russ Munisteri, cybersecurity expert and Assistant Director of Education at MyComputerCareer, told Lifewire that while companies are tripping over each other to cram more features into their devices, security has unfortunately taken a back seat. “IoT devices have more of a focus on user-friendly features that are developed quickly, but lack in device and network security,” Munisteri said over email.

The Bitdefender report is proof that smart devices with weak or improper security measures can lead to disastrous outcomes and turn security devices into spying tools. Last year, security researchers at Nozomi Networks uncovered a flaw in software that’s used on all kinds of smart devices and could be exploited to spy on people through baby monitors, home security cameras, and smart doorbells.

Caveat Emptor

Given the risks, Matt Tett, Advisor & Subject Matter Expert at IoT Security Trust Mark, suggests people looking to buy new internet-connected devices for their homes should never do so without considering the security, safety, and privacy settings of the products.

Berte suggested sticking with reputable brands and avoiding being suckered in by cheap unknown brands. “Often, these [unknown brands] cut corners in development and manufacturing, including security measures,” shared Berte. In fact, security firm A&O IT Group has previously shared details about the lax security measures in a couple of cheap and widely used smart plugs, which could leak their owner’s Wi-Fi credentials.

All IoT security experts unanimously suggest that before buying a smart device, people should make sure these devices use encryption and that they push security updates and patches automatically. Berte added that the really good ones would also host bug bounty programs, which are invitations to third-party security researchers to find flaws in the devices for monetary awards.

But that’s not the end of it. Most, if not all, IoT devices ship either without a password or with a generic one, which many people don’t ever change. Bulletproof recently found over 200,000 Raspberry Pi devices connected to the internet whose owners hadn’t bothered to change the default password.

In addition to setting a strong password, Munisteri also suggested disabling any unwanted features in the devices. “Enabled features are vulnerabilities waiting to be exploited. I stressfully recommend combing through each setting and disabling anything that is not needed,” emphasized Munisteri.

All experts also suggested connecting smart devices to a network that’s separate from the one used by other devices that contain valuable data, like laptops.
If that isn’t possible, Berte recommended adding an extra layer of security to protect the IoT devices from hackers, viruses, and spyware, using security firmware such as Netgear Armor.

However, securing smart home IoT devices isn’t the sole responsibility of owners. Tett shared that the current good practice advice globally is for the manufacturers of consumer IoT devices to incorporate good security measures in their products from the start, rather than trying to bolt them on afterward. “The responsibility for providing good security, privacy, and safety mechanisms should start with the manufacturer, not the consumer,” said Tett.