We hired ethical hackers to hack a family's smart home — here's how it turned out
Vulnerabilities revealed in smart home devices prompt 1 manufacturer to immediately beef up protections
All it took was a white van, a team of three hackers and a phishing email to remotely unlock Johanna Kenwood and Peter Yarema's front door.
The couple's home in Oakville, Ont., is automated with a number of smart devices, including their lights, thermostat, security cameras and the deadbolt on their door.
"I like the security and knowing what's going on in my house when I'm away," said Kenwood.
And the couple enjoys the "convenience" of an automated home, said Yarema, for "some of the simpler things," like when your hands are full, and you need a light on.
They aren't alone. According to Orbis research, the global industry for smart home devices is predicted to grow more than 300 per cent by 2023.
But a Marketplace investigation shows that this convenience may come at a cost to your privacy, especially if you lack the know-how to properly secure these devices.
Security was a key consideration for Kenwood and Yarema when they shopped for their devices. So the couple was shocked by how easily a team of ethical, or "white hat", hackers hired by Marketplace took control of their devices — a series of tests done with the family's permission.
Normally hired to check the security of complex IT systems, the team from Scalar Decisions was instead tasked with testing the security of the family's smart home.
Sitting in a van on the street outside, the Scalar team managed to crack the family's Wi-Fi password in less than two hours. The same password had been used to set up the thermostat, allowing them to remotely turn the heat up or off completely.
'We have a child in here'
The hackers then turned their attention to the family's front door. Using a sophisticated phishing email, the ethical hackers managed to trick Kenwood into giving them her log-in details for her home hub.
The family uses a Wink Connected Home Hub, allowing them to control their lights and front door with a smartphone app.
After receiving the email, Kenwood believed she was logging onto the Wink website, when instead she was handing her password over to the hackers. With full access to her account, they were able to unlock the couple's front door and enter the home.
That password had also been used by Kenwood across other accounts, including the family's Nest security cameras, allowing the team to log in and view what was happening inside the home.
And it gave the hackers the ability to send voice commands to the couple's Amazon Echo, where they could potentially place Amazon orders using Kenwood's stored credit card information.
"It's terrifying that they're able to get into so many devices," said Kenwood. "It's our home ... we have a child in here."
After seeing how their smart home could be hacked, the family's first step would be "taking the door lock off the Wi-Fi," said Yarema.
'Be alert for phishing emails'
Reusing the same password across multiple accounts — something many of us are likely guilty of — made the family's home less secure, said Arsenii Pustovit, leader of Scalar's ethical hacker team.
"You want to have different passwords for each of your online accounts," he said.
Since most of us struggle to remember multiple passwords, he suggests using a password manager: it generates a long, random password for each of your online accounts and stores them, so the only password you have to remember is the master password that unlocks the manager.
Another suggestion is to use passphrases: three or four unrelated words strung together make a password that is much longer, and therefore far harder to guess, while still being easy to remember.
And "be alert for phishing emails," Pustovit warns. Hackers can often send very convincing emails, asking you to provide your username and password.
Check to make sure the email comes from an address the company has previously used to communicate with you, Pustovit advises. "If you are still in doubt, consider contacting the company directly," he said, to confirm it is genuine.
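The sender check Pustovit describes can be automated. The following is an added example, not code from the article or from Scalar: it parses a raw email with Python's standard `email` package and flags a From domain that is not one the vendor has used before, a Reply-To pointing elsewhere, a display name that borrows a known brand, and links whose host is not a known domain. The known-domain list and both sample messages are constructed for the example; the domain `wink-account-verify.com` is hypothetical.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed list of domains the hub vendor has genuinely mailed from; build
# yours from messages you already know to be real.
KNOWN_SENDER_DOMAINS = {"wink.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample: a phishing lure imitating the hub vendor (hypothetical domains).
PHISHING_SAMPLE = """From: "Wink Support" <support@wink-account-verify.com>
Reply-To: helpdesk@mail-verify-center.net
To: user@example.net
Subject: Action required: verify your Wink account
Content-Type: text/plain; charset="utf-8"

Your Wink hub will be disconnected unless you confirm your login at
https://wink-account-verify.com/login within 24 hours
"""

# Constructed sample: a genuine-looking notice from a known sender domain.
GENUINE_SAMPLE = """From: "Wink" <no-reply@wink.com>
To: user@example.net
Subject: Your hub firmware was updated
Content-Type: text/plain; charset="utf-8"

Your hub was updated overnight. Release notes: https://www.wink.com/help/releases
"""


def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _is_known(host, known) -> bool:
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in known)


def phishing_indicators(raw_message: str, known=KNOWN_SENDER_DOMAINS) -> list:
    """Return a list of human-readable warning strings; empty means no indicator fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = _domain_of(from_addr)
    findings = []

    if not _is_known(from_domain, known):
        findings.append(f"From domain {from_domain!r} is not a known sender domain")

    if reply_addr and _domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {_domain_of(reply_addr)!r} differs from From domain")

    brands = {d.split(".")[0] for d in known}
    if any(b in display.lower() for b in brands) and not _is_known(from_domain, known):
        findings.append(f"display name {display!r} impersonates a known brand")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if not _is_known(host, known):
            findings.append(f"link to unknown host {host!r}: {url}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("genuine", GENUINE_SAMPLE)):
        print(name, phishing_indicators(sample) or "no indicators")
```

The From header is trivially forgeable, so a known-looking sender domain is not proof on its own; the check is useful mainly in the other direction, as a reason to stop and contact the company as Pustovit advises.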
Why manufacturers could be doing more
Device manufacturers should be doing more to keep us secure, according to Pustovit.
Had companies like Nest and Wink required two-step authentication, he says his team wouldn't have been able to so easily access the family's cameras or open their front door.
Two-step authentication adds a second check on top of the password. When someone tries to log in from a device the account hasn't seen before, the service sends a one-time code to a device you already trust, such as your phone, and the login fails without it. An attacker who has only phished your password is stopped at that step.
Marketplace reached out to Wink, Nest and Amazon to share these findings.
In response, Wink said it was taking "immediate steps" to implement two-step authentication. Nest and Amazon, meanwhile, both say they already offer two-step authentication, but users have to proactively turn this feature on.
These extra layers of security are especially important for "critical" technology, Pustovit says, like your email, smart locks or security cameras.
"The camera is a window into your life," he said.
Thousands of private cameras streaming live
And web-connected cameras are opening a window into the lives of thousands of people around the world — sometimes unknowingly.
A website called Insecam, thought to be hosted in Russia, live streams footage from thousands of cameras still using factory-default passwords, often without the knowledge of the cameras' owners.
The site grabbed headlines last year when it was found to be streaming detailed images of students inside a school in Nova Scotia, prompting an investigation from the province's privacy commissioner.
Marketplace found the site is still hosting nearly 300 Canadian feeds, constantly broadcasting seemingly private moments online.
Families could be seen in their kitchens and bedrooms, or relaxing by their swimming pools. One showed small children playing in their backyard.
The website taps into unsecured cameras where the default log-in credentials have not been changed by the user at setup. It further allows users to filter the streams by country, time zone or camera manufacturer.
The Office of the Privacy Commissioner of Canada threatened the website owner with "enforcement action" in 2014 if it continued to show Canadians in private places without their knowledge.
When Marketplace notified the privacy commissioner that the issue is still ongoing, the office said it is "considering next steps" and shifted some of the blame to camera manufacturers, saying they need to "build in privacy protections from the start."
Insecam said its employees "do their best" to filter out cameras showing private places, and that Canadians can ensure their cameras never make it onto its site by simply setting a password.
'I don't know how you make that right'
Marketplace attempted to locate some of the camera owners to warn them that their privacy was being violated.
Although IP addresses can give an approximate region, for most cameras, it was impossible to pinpoint an exact location. But licence plates spotted on a couple of the streams allowed Marketplace to find the names of the vehicle owners, and track them down to two addresses in Ontario.
When Marketplace knocked on the doors of these homes, those living there were shocked.
"It's quite upsetting and disturbing, I'm not gonna lie," said one homeowner, who didn't want to be identified. "That's the privacy of my home being invaded.... I don't know how you make that right."
Both homeowners had purchased cameras from OOSSXX: a Chinese manufacturer that only sells through Amazon. The systems consist of four or more cameras connected wirelessly to a network video recorder (NVR) that's connected to the internet.
Marketplace purchased its own OOSSXX cameras, and found the username for the NVR is "admin" — with no password attached. This means anyone could find and view OOSSXX cameras where the default log-in details haven't been changed. The user manual also doesn't warn users that their cameras could be accessed by others if they don't set their own password.
Both homeowners said they thought their cameras were password-protected, as you are required to set up a password for the smartphone app. But that password only protects the app, leaving the NVR itself unprotected.
The streams of many other camera brands were also visible on the same website, including companies like Panasonic, Axis and Vivotek.
Panasonic said it recognizes there is a problem with cameras having default credentials. To remedy this, the company now forces users to create secure passwords during installation.
For its part, OOSSXX didn't respond to questions about why it doesn't require mandatory passwords.
That's not good enough for the homeowners located by Marketplace; both pulled the plug on their cameras.
"Obviously, I just want to take it off the internet right away," one said.