Home hackers: Digital invaders a threat to your house

ABC7 I-Team Investigation

ByChuck Goudie and Ross Weidner WLS logo
Friday, February 13, 2015
Home hackers
The I-Team's investigation of everyday home products reveals digital back doors that could be leaving your family vulnerable to attack.

CHICAGO (WLS) -- The ABC7 I-Team uncovered how your high-tech house could be opened by criminals.

Hackers aren't just after your online data. Now, wireless connections on everyday home products are creating new safety concerns for homeowners. The I-Team's investigation reveals digital back doors that could be leaving your family vulnerable to attack.

Chicago-based security researcher Matt Jakubowski took us on a tour of internet-connected home devices with big security vulnerabilities. For our demonstration, he's hacked these popular smart devices from inside his own home.

"This is a thermostat that is hackable," Jakubowski said.

The attack begins on this thermostat. With a few keystrokes he installs his own logo on the equipment, but a real attacker wouldn't leave a trace.

"Now we're going to be able to gain access to this and so an attacker would maybe take it back to the store without changing that logo and return it, make it look like it's never been opened. The store will just put it right back on the shelf ready for the next person to buy, then they're going to install it in their home and not even know that they had a back door installed," Jakubowski said.

Experts say inserting a backdoor on a device that you then buy for your home is just one way hackers could get inside your network. Weak security on home wireless networks is another targeted entry point.

"It's the network you need to protect, and that access in," said Jeremy Hajek, a professor at Illinois Institute of Technology.

Hajek cracked a common home router with brute force by using a hacking program to try every possible password combination until it spit out the network key - and he was in.

"Once you can get the network key, basically you can then, it's as if you were in the person's house, you were another device, because you're on their network," Hajek said.

Back at the hacked house, the attack continues.

"Get in through the thermostat, get access to that network, find this device sitting there and then control the lights," Jakubowski said.

After taking control of these smart lightbulbs from a smart device hub, we head outside and hack this WiFi security camera.

"We're able to view the camera and if this were located somewhere else in the house, we could see if anyone was in the house. For this we have it in the garage, and we know that no one is in the house, so if we wanted to, we could start opening the garage right now. Just with a click, it connects to the device and the door opens," Jakubowski said.

The WiFi garage door opener is now compromised.

ABC7's Chuck Goudie: "From this point, you're essentially into the house."

Jakubowski: "Now we're inside the house."

Goudie: "Could you turn off a security system through this as well?"

Jakubowski: "Yeah, we could turn off the camera now, make sure that they don't get any alerts that something happened, go in, do whatever we wanted to do, walk out, turn everything back on, and it's like nothing even happened."

Goudie: "Would there be a record of this on their security devices?"

Jakubowski: "Not the way I'm doing it."

Our expert says the garage door opener was the most secure device on the network, and even so, it was vulnerable to attack.

Just like the security camera we hacked in the garage, unsecured webcams are easily compromised and the videos are often linked online. The I-Team uncovered glimpses you might not expect, from inside a home to businesses - even catching a yoga class on a tennis court.

"The camera we used was just for the garage, but it could be installed anywhere. It could be installed in your child's room, watching your child at night, maybe your baby and see it was sleeping, it could potentially open up a world for attackers to view," Jakubowski said.

Manufacturers of the smart devices hacked by our expert say security is top priority for their companies and recommend always keeping the software of smart products up to date while using strong network passwords. The manufacturer of the hacked smart lights controller says their software has been updated to prevent this type of hack. The thermostat's manufacturer said our expert's access required contact with the device -- and to their knowledge, no device has ever been hacked remotely. The smart garage door manufacturer says they are actively investigating the vulnerability our expert uncovered.

FULL COMPANY STATEMENTS

Nest Thermostat: "All hardware devices - from laptops to smartphones - are susceptible to jailbreaking, this is not a unique problem. This is a physical jailbreak requiring physical access to the Nest Learning Thermostat. If someone managed to get in your home and had their choice, chances are they would install their own devices, or take the jewelry. This jailbreak doesn't compromise the security of our servers or the connections to them and to the best of our knowledge, no devices have been accessed and compromised remotely. Customer security is very important to us, and our highest priority is on remote vulnerabilities."

Wink Hub (lights control):

- It is best practice to always keep the software on your connected products up to date. These updates not only give you new features, but help keep your products secure.

- Wink makes frequent updates to our products and notifies users as soon as updates are available. With critical updates, users are required to update their products before continuing to use their products. That ensures they always have the latest features and security.

- Security is a top priority at Wink. We work with both internal and external security experts to ensure security standards are exceeded. We regularly have our products tested and audited by third-party security researchers.

- If users every have any questions about what they can do to increase their security, Wink is available 24/7 to answer questions and ensure your products are up to date.

Samsung SmartCam: "Samsung Techwin recommends that users take the necessary steps to secure their home wireless router and network, and also follow the instructions Samsung provides to properly setup their SmartCam. Following these steps will enable the provided high level security features and prevent unauthorized users from gaining access to a home's private network, as well as the camera. This includes first creating a strong password on your home wireless router to prevent outside intrusions, and creating an additional unique password when prompted during the set up process of your camera. When properly configured, the encryption will provide maximum protection and peace of mind."

Chamberlain MyQ Garage: "We appreciate ABC7 bringing this to our attention and we are actively investigating it. This situation is a good reminder to homeowners to keep their home WiFi networks secure with strong password and security settings, because an unprotected home network may enable a breach across many smart home devices. Chamberlain always takes the safety and security of your smart home very seriously."