How hackable are your smart home gadgets?

After last week's massive internet outage, now may be the time for a full audit of your smart home devices.

Ry Crist Senior Editor / Reviews - Labs
Originally hailing from Troy, Ohio, Ry Crist is a writer, a text-based adventure connoisseur, a lover of terrible movies and an enthusiastic yet mediocre cook. A CNET editor since 2013, Ry's beats include smart home tech, lighting, appliances, broadband and home networking.
Expertise Smart home technology and wireless connectivity Credentials
  • 10 years product testing experience with the CNET Home team
Ry Crist
11 min read
Tyler Lizenby/CNET

Last Friday saw a massive internet outage after hackers flooded Dyn, a major internet gatekeeper for sites like Facebook, Spotify and Netflix, with false bandwidthfrom an ocean of unsecured internet-connected devices.

Many of these devices were reportedly smart home gadgets using standardized manufacturer default passwords. It's alarmingly easy for hackers to search the web for these devices and then, with the right malware, take control of them en masse. From there, the hackers can use their army of hacked devices, called a "botnet," to overwhelm whatever server they aim it at.

The episode raises some serious questions about the smart home . More and more people are filling their living spaces with an ever-increasing number of internet-connected devices. That means more potential fodder for the next big botnet, and fears of even bigger attacks in the future.

Watch this: The Internet is having a bad day after massive cyberattack

There are a couple of key points to remember right off the bat to keep your home secure. First, and most importantly, strong passwords are an obvious must, both for your devices and for your home Wi-Fi network. Along those lines, you should also flat-out avoid gadgets that will let you operate them using a default, hard-coded password that comes with the device (usually something along the lines of "admin"). Gadgets like those are ripe targets for the kinds of attacks we saw last week.

Additionally, if you're looking to incorporate multiple devices into a larger platform, you should consider how thoroughly that platform vets third-party devices. Some set high standards for product security and won't let third-party devices onto the bandwagon until they meet them. Others simply want as many compatible gadgets on the market as possible.

Most of the smart home devices used in last week's attacks seem to come from lesser known manufacturers with shoddy security practices, including Chinese webcam-maker Xiongmai. But what about those larger platforms? What are they doing to keep your devices and your data secure? Are they at risk, too?

Let's break it down, one at a time.

Enlarge Image

HomeKit lets you control your smart home devices on your iOS device, including through use of Siri voice commands.

Chris Monroe/CNET

Apple HomeKit

Apple HomeKit is a set of software protocols for Apple 's iOS devices. Those protocols enable you to control compatible smart home gadgets using a standardized set of tools, apps and Siri commands on your iPhone or iPad.

Your HomeKit data is tied to your iCloud account, which never uses a default password. Apple vets and reviews the security of the devices themselves before the company approves them for the platform. Security has been a focus for Apple since HomeKit began, with stringent standards and end-to-end encryption at every turn.

What happens if a HomeKit device is breached? What can I do to prevent that from happening?

HomeKit-compatible devices are just gadgets that execute your HomeKit commands. You'll grant devices such as smart bulbs, switches and deadbolt locks access to your HomeKit data when you set them up, but that's just to make sure that they're up to speed on HomeKit's scenes and settings. It doesn't give them access to your iCloud account information.

Even if a hacker intercepted and deciphered a HomeKit gadget's communications (something Apple has made quite difficult), they wouldn't, for instance, be able to steal your iCloud keychain passwords, or view the credit card info associated with your Apple ID.

Just remember to set strong passwords for your iCloud account and for your home's Wi-Fi network.

Anything else I should know?

Apple 's high bar for security has been a bit of a headache for device makers, many of whom have to release new, upgraded hardware in order to be HomeKit-compliant. This is true even for big names like Belkin , which would need to release a brand new lineup of WeMo switches in order to hop on Apple's bandwagon.

That focus on security has arguably slowed HomeKit down, but it's the right approach. After all, devices with lax security standards and poor default password practices seem to be the biggest culprit in last week's DDoS attacks. Apple wants no part of that, and neither should you.

Enlarge Image

The third-gen Nest Learning Thermostat.

Sarah Tew/CNET


Nest started out as the maker of a best-selling smart thermostat, then added the Nest Protect smoke detector and the Nest Cam smart home camera to the lineup. After being bought by Google for a staggering $3.2 billion in 2014, Nest is a bonafide smart home platform at this point, complete with a long list of third-party "Works with Nest" devices.

How does Nest protect my data?

Per Nest's security statement, the company's apps and devices transmit data to the cloud using AES 128-bit encryption and Transport Layer Security (TLS). Nest Cams (and the Dropcams that preceded them) connect to the Nest cloud service using 2048-bit RSA private keys for key exchange. All Nest devices communicate with one another using Nest Weave, a proprietary communications protocol designed for enhanced security.

All of that is very good, and, for what it's worth, Nest claims that there are no known instances of someone remotely hacking a Nest device. In the case of the Nest Cam, you'll need to log in to your Nest account and scan a QR code before you can control the thing. The camera never defaults to a standardized, hard-coded password.

As for third-party devices that work with Nest, all of them are required to go through a rigorous certification process prior to any official integration. Here's how a Nest Labs representative describes it:

"We protect Nest products and services in the Works with Nest program by requiring developers to agree to robust data and product security obligations (e.g., data from the Nest API may only be held for 10 trailing days from when the developer receives it) in the Developer Terms of Service before getting access to Nest APIs. Nest has the right under this agreement to audit, monitor and ultimately to immediately terminate access to the Nest APIs (and therefore end any integration) for any developer that may pose a security risk. As always, we remain watchful for any security threats to our products and services."

Enlarge Image

The Amazon Echo and Amazon Echo Dot smart speakers.

Chris Monroe/CNET

Amazon Alexa

"Alexa" is Amazon's cloud-connected, voice-activated virtual assistant. You'll find her in the Amazon Echo line of smart home speakers , and also in the Amazon Fire TV voice remote.

Among many other things, Alexa can control a wide number of compatible smart home devices using voice commands. For instance, ask Alexa to turn the kitchen lights off, and she'll send that voice command to Amazon's servers, translate it into an executable text command and pass it along to your Alexa-compatible smart bulbs.

What happens if my Alexa devices are breached? How can I prevent that from happening?

Amazon's Alexa devices wouldn't be susceptible to any attack using a botnet since none of them use hard-coded, default passwords. Instead, users log in with an Amazon account.

As for targeted breaches of specific devices, things are a bit murkier. Amazon doesn't describe Alexa's encryption practices in great detail anywhere in the terms of service, which, in fairness, could very well be because they don't want to let potential hackers know their tricks.

It's also unclear if Amazon vets the security standards of third-party devices before it lets them work with Alexa. With an open API designed to make it quick and easy to create an Alexa skill for specialized smart home control, the emphasis seems to be on growing the platform quickly, and not necessarily on ensuring that things are as secure as possible. There doesn't, for instance, seem to be much stopping the makers of the kinds of devices that got swept up in Friday's botnet attacks from jumping in with an Alexa skill of their own.

In other words, don't assume that a device has high security standards just because it works with Alexa.

Enlarge Image

A second-gen Samsung SmartThings starter kit.

Tyler Lizenby/CNET

Samsung SmartThings

Acquired by Samsung in 2014, SmartThings is a hub-centric platform for the connected home. Along with the system's own sensors, you can connect a wide variety of third-party smart home devices to a SmartThings setup, then automate everything together in the SmartThings app.

SmartThings' sensors communicate using Zigbee, which means that they aren't internet-connected and therefore aren't directly susceptible to a botnet attack. The hub, which plugs into your router, stays in communication with SmartThings' servers; a SmartThings representative says that the company is able to keep that link secure.

As for third-party devices on the platform, the SmartThings rep pointed to the "Works with SmartThings" certification program and pointed out that none of the devices listed in last week's attacks were devices that SmartThings had ever certified.

"Botnet prevention of this basic nature is part of the WWST reviews process," the rep added. "Any hard coded password, whether default or otherwise, would be a deal breaker for the SmartThings review and certification process."

Enlarge Image

The Belkin WeMo Insight Switch.

Colin West McDonald/CNET

Belkin WeMo

In addition to app-enabled coffeemakers, humidifiers and slow cookers, Belkin's WeMo line of smart home gadgets centers around Wi-Fi smart switches that connect with your local network, which allows you to remotely power your lights and appliances on and off using the WeMo app.

Belkin's WeMo devices aren't password protected, instead, they rely on the security of your Wi-Fi network. That means that anyone using your network can pull up the WeMo app to view and control your devices.

How does Belkin protect against breaches? What can I do?

I asked Belkin's team about WeMo's security practices -- they informed me that all of WeMo's transmissions, both locally and to Belkin's servers, are encrypted using standard transport layer security. Here's the rest of what they had to say:

"Wemo firmly believes that the IoT needs more robust security standards to prevent widespread attacks such as what happened on Friday. We have a dedicated security team that works at every part of our software development life cycle, advising software and systems engineers in best practices and making sure Wemo is as secure as possible. Our devices are not discoverable from anywhere on the internet outside the home's Local Area Network and we do not modify the home router's external firewall settings or leave any ports open to allow exploitation. We also have a mature and robust security response process that allows us to respond quickly and decisively to push out critical firmware updates in the event of a vulnerability or attack."

Belkin's team deserves some credit on that last point, as they have a good track record of responding in a timely fashion whenever a security concern arises. That's happened a few times, including vulnerabilities discovered in 2014 that would let hackers impersonate Belkin's encryption keys and cloud services to "push malicious firmware updates and capture credentials at the same time." Belkin issued firmware updates addressing those weaknesses within a matter of days.

Enlarge Image

The Philips Hue Bridge and a color-changing Philips Hue smart bulb.

Tyler Lizenby/CNET

Philips Hue

Philips Hue is a major player in the smart lighting game with a robust, well-developed connected lighting platform and a growing catalog of automatable smart bulbs, many of which will change colors on demand.

Hue bulbs transmit data locally in your home using Zigbee and don't connect directly to the internet. Instead, you plug the Hue Bridge control hub into your router. Its job is to translate the bulbs' Zigbee signal into something your home network can understand and to act as gatekeeper for communications sent back and forth to Philips servers, such as a user logging into the app to turn a light bulb off from outside of the home network, for instance.

How does Philips keep its Hue devices secure?

With regards to the types of DDoS attacks that happened last week, George Yianni, system architect for Philips Lighting Home Systems, said each Hue Bridge has a unique verification key. If one Bridge were to be compromised, hackers wouldn't be able to use it to take over other others and create a botnet.

Yianni also says that Hue devices transmit using standard encryption practices, and never transmit your Wi-Fi credentials, since the Hue bridge stays connected to your router via an Ethernet cable.

As with most smart home gadgets, you can help keep things secure by keeping your device firmware up to date and by setting a strong password for your local Wi-Fi network.

Enlarge Image

The second-gen Wink Hub.

Tyler Lizenby/CNET


Similar to SmartThings, Wink lets you sync various smart home gadgets with the centralized Wink Hub, then control everything together in the Wink app for iOS and Android devices.

Wink's security page reads:

"We have built an internal security team and are working closely with external security experts and researchers. We use certification encryption for all personalized data transmitted by the app, require two-factor authentication for system administrators, and are regularly conducting security audits to ensure we meet or exceed best practices for security. We even built our platform to stay safe if someone manages to get access to your home network."

I asked Wink founder and CTO Nathan Smith to elaborate on that last point, and he explained that Wink's philosophy is to treat every home network as a hostile environment, not a trusted one. As Smith puts it, "If a less secure IoT device on your home network is compromised, it has zero implications for your Wink Hub. That's because we don't provide local administrative access via any sort of interface to users or anyone else on your home network."

What else does Wink do to protect my devices?

As for botnets and DDoS attacks like the ones that happened last week, Smith points out that Wink uses a fundamentally different architecture than the devices that were affected, and calls Wink's approach "inherently more secure."

Wink's approach relies on Wink's cloud servers for remote access, and doesn't require users to open up their home networks in any way. To that end, Smith tells me that Wink refuses to work with any third-party device that requires you to open a port into your home network, in addition to other certification standards.

The takeaway

If you've made it this far, congrats. Parsing through smart home security policies is a dense job, and it's difficult not to feel like you're several steps behind would-be attackers, let alone one step ahead.

The most important thing you can do is to stay vigilant about setting strong passwords for all of your devices, as well as your home network. Changing those passwords periodically isn't a bad idea, either. And never, ever rely on a smart home device that comes with a built-in default password. Even if you change it to something stronger, that's still a clear warning sign that the product probably doesn't take your security seriously enough.

That said, it's reassuring to know that none of the major players listed above appear to have played a part in last week's attacks. That's not to say that they're impervious to hacks, but none of them are anywhere near as unsecured as the web cameras , printers, and DVR boxes that made up Friday's botnets.

The smart home still has a ways to go to win over the mainstream, and while security concerns like these certainly won't help in the short term, they could actually prove beneficial in the long run. After Friday's attacks, many consumers will likely be taking security more seriously than before, which means that manufacturers will need to do the same to continue growing their businesses. In the end, that could be just what the category needs.

Updated 10/27/16, 5:35 p.m. ET: Added comments from Nest Labs.