12 October 2022

“You can Google how to hack a smart home hub,” warns security expert

MPs were told that connected home devices are particularly vulnerable to cyberattacks.

By Sarah Dawood

Smart home products are becoming more and more integrated into our daily lives, from voice assistants to smart speakers, doorbells and heating systems. Security, however, is not keeping up with technological progress, cyber-experts told the Digital, Culture, Media and Sport (DCMS) Committee in parliament this week, while manufacturers are not sufficiently warning consumers of the privacy risks associated with their products.

How many people use smart home devices?

In 2021 there were more than 258 million “smart homes” globally, Statista estimated. These are homes that have a central hub, such as an app, linked to at least two connectable consumer products. According to the UK government there could be up to 50 billion connectable products worldwide by 2030, and on average there are currently nine such devices in each UK household.

Why are connected devices at a higher risk of being hacked?

Smart home products have numerous benefits, including automating mundane and time-consuming tasks and helping people with limited mobility. The potential risks include privacy intrusions, data hacking and householders’ physical safety being compromised (for example, if someone were to hack smart locks). According to a Which? investigation a smart home could face more than 12,000 scanning or hacking attempts in a single week.

George Loukas, professor of cybersecurity at the University of Greenwich, told the committee that connected home devices are particularly vulnerable to hackers due to their large supply chains, alongside the fact that they are designed to be left on permanently, whereas a laptop will be switched off. He added that there are enough flaws that some of his students search for vulnerabilities in smart home systems and submit them to manufacturers for a monetary reward on a weekly basis.

The problem starts with the design of devices. Cybersecurity and electronic engineering are separate disciplines, Loukas said, and are taught in different university departments, which means that skilled computer engineers often have little knowledge about keeping devices secure.

It’s also very easy to learn how to hack nowadays, said Simon Moore, director for strategic engagement at the cybersecurity company Palo Alto Networks. “Today, you could Google ‘how to hack a BT home hub’,” he said. “That’s out there.”

What laws are in place to regulate connected home devices?

The Product Security and Telecommunications Infrastructure Bill is making its way through parliament; it is intended to make connected devices more secure against cyberattacks, and better protect individuals’ privacy and security. It will also require the smart device supply chain – manufacturers, importers and distributors – to comply with security requirements, and it will enforce stricter rules around “insecure” products being available in the UK.

What more could the government be doing?

Loukas said that smart device manufacturers should be mandated to disclose any cyber-risks associated with their products, so that people can make more informed decisions. “It’s a matter of risk management, [and whether the] benefit is so significant to override any concerns,” he said. “If you are extremely stressed that someone might break into your house, then maybe when buying a smart lock, you should be alarmed about the likelihood of [it] failing.”

There should also be better advice on the safe disposal of old devices, he added. Businesses and consumers should be informed of when to stop using outdated equipment that can no longer support software updates, said Matt Lewis, research director at the IT security company NCC Group. The government could also introduce an official certification system for smart home products to ensure manufacturers meet security standards.

Teaching in schools about cybersecurity should be improved, added Loukas; he said that knowledge in this area lags behind social media safety. “From that perspective, education is far behind when it comes to ‘Internet of Things’ security,” he said.

The government could also support internet service providers such as BT or Virgin Media to play a bigger role in helping customers, said Moore, because they are perfectly placed to monitor internet traffic and spot whether a device has been compromised.

What can individuals do to protect themselves?

The experts gave three simple tips that anyone could follow to improve their cybersecurity: use a password protector, which stores multiple passwords; use multi-factor authentication for any device that allows it; and ensure you do regular software updates.

The National Cyber Security Centre is a useful resource to help individuals and businesses. Read about using smart home devices safely here, and general tips about staying secure online here.

Watch the parliamentary committee session in full here.