Internet of Things home appliances leaving users vulnerable to cyber attacks, warns Kaspersky

Coffee machines, baby monitors and home security systems all have security vulnerabilities, say researchers

Internet of Things (IoT) connected devices are creating a security risk because at least one vulnerability can be found in any internet-connected device, researchers from Kaspersky Labs have warned.

The security company ran experiments on household smart devices including a coffee machine, a baby monitor, a USB dongle for video streaming and a home security system, and found that they could all be hacked, manipulated or used to expose the user's private information.

According to the researchers, the baby-monitor camera used in the experiment allowed a hacker, while using the same network as the camera owner, to connect to the camera, watch the video from it and launch audio on the camera itself. Kaspersky also found that products from the same vendor allowed hackers to collect the user's passwords.

It isn't the first time a baby-monitor has been found to contain a vulnerability; last year a Russian website was discovered that allowed UK webcam and baby monitor feeds to be watched online.

Meanwhile, the coffee machine tested didn't even require attackers to be on the same network as the internet-connected machine for it to be hacked. It was broadcasting enough unencrypted information for a hacker to find out the passwords to everything on the users' IT network.

Researchers also found that an IoT home security system contained a vulnerability that allowed them to use magnets to disrupt its magnetic field, enabling them to open and close a window the system was meant to be protecting without it "noticing". Worryingly, Kaspersky discovered that it's impossible to fix this vulnerability, not even with a software update, an issue that makes the system fundamentally flawed.

The company warned that producers of IoT-connected devices must ensure that their items are rigorously tested before they're released onto the market.

"Any connected, app-controlled device, is almost certain to have at least one security issue. Criminals might exploit several of these issues at once, which is why it is so important for vendors to fix all issues - even those that are not critical," said Victor Alyushin, security researcher at Kaspersky Lab.

"These vulnerabilities should be fixed before the product even hits the market, as it can be much harder to fix a problem when a device has already been sold to thousands of homeowners," he added.

As a minimum, Kaspersky suggests potential buyers of smart home devices search the web for news about the device they are considering, because if there's an issue the internet will know.

The firm also suggests that users shouldn't immediately buy brand new products, because they have security issues that haven't been found by researchers.

Christopher Millard, professor of Privacy and Information Law at Queen Mary University of London, has previously argued that the emergence of the Internet of Things is set to raise unsettling questions about online privacy and security.

Computing's Enterprise & Risk Management Summit takes place on 26 November 2015 and is free to attend for qualified end users. Register here.