Securing the Smart Home Network: The Risks of the IoT

pete_c

Guru
Securing the Smart Home Network: The Risks of the IoT

Zachary Comeau

Cybersecurity professionals say the Internet of Things is more like the Internet of Threats. Here's why.

The Internet of Things (IoT) has exploded in recent years as user demand for connectivity and remote management has soared, which in turn is boosting the smart home market and making home systems even easier to use and manage. Everything from routers, TVs, speakers, lights, power outlets, major appliances, heating and cooling systems, door locks, security cameras, sensors and more is now connected to the internet, but the majority of these new IoT devices are unmanaged and are poorly secured, security experts say, leaving smart homes vulnerable.

In fact, many IT and cybersecurity professionals–perhaps tongue-in-cheek–refer to the IoT as the Internet of Threats in reference to the inherent security lapses in many IoT-based smart home products, says Mark Houpt, chief information security officer at data center operator DataBank.

“What we’re really looking at with IoT scenarios are devices that are typically unmanaged that could be hacked … and utilized, as bounce devices or used as bots in order to attack other things and appear anonymous,” Houpt says. “So in other words, using an IoT device as a proxy for an actual attack that’s going on.”

Why is the IoT Insecure?

Many devices such as laptops, smartphones and other endpoints come armed with Windows, Google or Mac platforms, and thus come with a variety of security settings that can be changed to make these devices more secure. Why a cybercriminal would want to access those devices makes perfect sense, and the IT and security industries are continually adapting to address those ever-present threats. However, IoT devices are a different story, as they are being added to the network with security as an afterthought.

According to Houpt, many IoT devices are inherently insecure for two key reasons: neglect and the lack of an interface upon which to add security and hardening measures.

“On our microwaves, refrigerators, TVs–there aren’t a lot of options for us to go in there and turn on or turn off or on settings that make the devices more secure,” Houpt says. “You can’t add antivirus software on the TV or refrigerator.”

Essentially, the user is now fully reliant on what the manufacturer has put into their code.

“We don’t think about it, and therefore we don’t demand that we have the opportunity to put settings in place,” Houpt says.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) agrees, saying the rising prominence of the IoT is increasing the consequences of known cyber risks and creating new risks as well.

“Attackers take advantage of this scale to infect large segments of devices at a time, allowing them access to the data on those devices or to, as part of a botnet, attack other computers or devices for malicious intent,” the agency says.

How IoT Devices Can Be Leveraged In Cyberattacks

In fact, there have been several recent examples of what Houpt describes: hacking campaigns leveraging IoT devices to spread malware, including one discovered by cybersecurity firm Palo Alto Networks that is spreading the Mirai botnet via a range of IoT devices, including both residential and business routers, access points, cameras, access control systems and others.

The Mirai botnet is essentially malware designed to infect smart devices running on ARC processors with the goal of turning those devices into a network of remotely controlled bots, per a definition from Cloudflare.

In this case, hackers have the ability to gain complete control over the compromised devices by exploiting vulnerabilities and using them to execute additional attacks, including distributed denial-of-service (DDoS) attacks, according to Palo Alto Networks.

The Mirai malware has been active since at least 2016 and has historically leveraged vulnerabilities in smart home IoT devices due to their relatively weak security compared to enterprise systems.

In its 2022 Digital Defense Report, Microsoft touches on the growing risk of IoT threats, which it says are becoming a favorite of hackers due to the lack of built-in security controls.


According to Microsoft’s report, attacks against remote management devices have increased steadily since June 2021, and web attacks against IoT and operational technology (OT) devices have largely ebbed and flowed over the last year, with a large spike in September 2021.

In the past year, Microsoft says it observed attacks against common IoT protocols—such as Telnet—drop significantly, in some cases as much as 60 percent. At the same time, botnets were repurposed by cybercrime groups and nation state actors. The report says the persistence of malware, such as Mirai, highlights the modularity of these attacks and the adaptability of existing threats.

Microsoft singles out Mirai, which the company says has been redesigned several times to adapt to different architectures and has evolved to infect a wide range of IoT devices including internet protocol cameras, security cameras, digital video recorders, and routers.

Attackers can then use lateral movement techniques to access other vulnerable devices on the network. Typically, this begins with an edge router, and attackers then look to move laterally to other devices on the same network.

As Palo Alto Networks notes, attackers can carry out a range of other activities in the IoT device, including encrypting the data for a ransom, wiping the data, using the device for cryptocurrency mining, or just bricking the device and rendering it useless.

In another example, Microsoft said last month that a China-based hacking group has been attacking critical infrastructure organizations by proxying its network traffic through compromised small office and home office network devices, to help stay undetected.

“Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet,” Microsoft researchers say.

In a separate advisory from the U.S. National Security Agency, officials get more specific about the device types, listing ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe, and Zyxel USG devices.

In fact, there are security vulnerabilities in a range of smart home products, including TVs, security systems, cameras, control systems and more. Integrators, dealers, builders and homeowners can search for security flaws in specific products or vendors in the MITRE database of vulnerabilities.

According to Houpt, while the homeowner may not be the intended target of such an attack, these hacking methods do result in a large volume of traffic going through the residential network and can bring speeds to a crawl. However, manufacturers of IoT devices–in particular smart home devices–are beginning to realize that risk and build in specialized security protections.

“We have seen some defenses be put in place for those,” Houpt says.

How to Secure Smart Homes and IoT Devices

According to Houpt and information from several U.S. agencies, here are several recommendations integrators, builders, property managers and homeowners should take to secure smart home devices and networks against these security threats:

  • Segment networks. Just like corporate offices have a separate Wi-Fi network for guests and other devices, smart homes should follow similar practices, especially for remote workers. According to Houpt this can be done with a VLAN, or simply by using a separate network connection and router for home entertainment and work. This can help prevent attackers from moving laterally from smart home devices to corporate devices and vice versa.
  • Secure Wi-Fi networks. Where possible, CISA recommends changing the default password and username in Wi-Fi routers and other devices. Logging into the interfaces on routers can also provide additional security options.
  • Harden app security settings. In some cases, IoT devices are supported by mobile apps, so these should also be updated routinely. In addition, CISA recommends users check app permissions and use the “rule of least privilege” to delete apps that are no longer needed.
  • Update. When vulnerabilities in devices or firmware are discovered, manufacturers typically fix them and issue updates that fix those security flaws. They should be applied as soon as possible to prevent compromise.
  • Enable multi-factor authentication (MFA). In any service or app that requires logging in, MFA should be enabled if it is an option. This will ask the user for additional information other than a password to grant them access to the app or service.
 
In fact, many IT and cybersecurity professionals–perhaps tongue-in-cheek–refer to the IoT as the Internet of Threats in reference to the inherent security lapses in many IoT-based smart home products, says Mark Houpt, chief information security officer at data center operator DataBank.

I prefer the 'the S in IoT stands for security' statement, but it's an oldie.

I have so many thoughts about all of this, I'll have to create separate posts about this. But all these concerns are why I'm still pushing so hard for this site to grow, as some of this knowledge is starting to disappear or has become more difficult to access.
 
I'm not worried for myself but most people don't know what they are buying or doing with stuff on their network. Also the people that are vulnerable are the ones who are not going to read articles like that.

Right to repair and other similar legislation for companies that abandon products be required to at least open source something to make them usable thus possibly reducing the number of security issues.
 
I can only imagine the number of outdated and insecure routers/firewalls that are out there. I bet 85% of the general public is running something insecure - and has no idea how exposed they are. This, along with the proliferation of consumer grade IOT devices and how many devices want you to open ports on your router for "easy access", has helped to create a dream environment for hackers.

I would only hope that most people on this site understand the risks better and have a better knowledge about how to prevent such attacks. It's not hard to protect yourself, but you have to use better (i.e. "business" grade) routers/firewalls and keep them updated. Use a locally hosted VPN for remote access, and don't open any other ports on your router/firewall. Segment your local network using VLANs as much as possible and keep your IOT devices on their own VLAN(s). Block devices from accessing the internet unless they absolutely require it to work. Some IOT things (like streaming devices and "Alexa" style smart devices) require the internet to work, but there are plenty of devices on your network that don't need the internet to function properly. Things like cameras, appliances, lights, printers, etc. should all be blocked from the internet. This does two things.... First, it prevents them from "phoning home" to some unknown (usually Chinese) server. Second, you cut off the easiest way for hackers to access those devices. This is when having a VPN connection is important because you can still access all of these systems remotely via the VPN without having to allow those devices direct access to the internet.

Personally I have two VLANs reserved just for IOT devices. Both block the IOT devices from directly accessing any other part of my local network. Additionally, one VLAN allows devices to access the internet and the other VLAN blocks devices from accessing the internet. It makes managing IOT devices' internet access extremely easy. I simply assign a new IOT device to the appropriate VLAN when adding it to my network and I'm done. Usually this is as simple as entering the WiFi credentials for the appropriate VLAN as each VLAN has its own WiFi SSID. If it's a hardwired device, I have to assign it to (or plug it into) the correct VLAN in the network switch.

PS - Your phones and other mobile devices are IOT devices.... Don't allow them access to your critical network segments. Put them on their own VLAN and/or use firewall rules if you have some sort of special use case where you need to give them access to some parts of the network (perhaps your SageTV or other media server). But generally you can just give them internet access and that's it.

PSS - If you are using consumer grade IOT devices that require a remote server to function properly (and therefore require internet access), you need to look at replacing those devices with other devices that don't require the use of an external server. Not only is it infinitely more secure when you prevent those devices from accessing the internet, at some point that remote server is going to stop working (or the cost to connect to that server is going to become too expensive for you to continue using it) and your device will be worthless at that point. Unfortunately, too many of the "consumer grade" automation devices being sold today fall into this category (especially with security cameras and lighting systems).
 
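The segmentation recommended in the article and described in the last reply above (two IoT VLANs isolated from the rest of the LAN, only one of them allowed internet access, and remote access only through a locally hosted VPN) can be written as an nftables ruleset for a Linux-based router. This is an added example, not part of the article or of any poster's configuration; the interface names, VLAN IDs, the use of WireGuard and port 51820 are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example: interface names, VLAN IDs and the VPN port are assumptions.
flush ruleset

define WAN       = "eth0"
define LAN       = "eth1.10"   # trusted segment (PCs, media server)
define IOT_NET   = "eth1.30"   # IoT VLAN that is allowed out to the internet
define IOT_LOCAL = "eth1.40"   # IoT VLAN with no internet access
define VPN       = "wg0"       # locally hosted VPN, WireGuard assumed
define VPN_PORT  = 51820

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # The VPN listener is the only port open to the internet.
        iifname $WAN udp dport $VPN_PORT accept
        # Router management only from the trusted LAN and VPN clients.
        iifname { $LAN, $VPN } accept
        # IoT VLANs may use the router for DNS and DHCP, nothing else.
        iifname { $IOT_NET, $IOT_LOCAL } udp dport { 53, 67 } accept
        iifname { $IOT_NET, $IOT_LOCAL } tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Trusted LAN and VPN clients may open connections anywhere,
        # including to cameras and appliances on either IoT VLAN.
        iifname { $LAN, $VPN } accept
        # Only the internet-enabled IoT VLAN may go out, and only to the WAN.
        iifname $IOT_NET oifname $WAN accept
        # Dropped by policy: IoT to LAN, IoT to IoT across VLANs,
        # IOT_LOCAL to the internet, and anything inbound from the WAN.
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Because the ruleset starts with `flush ruleset`, check it with `nft -c -f <file>` before loading it, and load it from a console session rather than over the network connection it filters.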