Hackaway day – we hack smart speakers
A while ago, we arranged Hackaway day – a day when we tried to hack things to learn more. This day, we focused on smart speakers. But, what does it really mean to hack something? The answer to that depends on who you ask.
In our case, we look for ways to use a product or a service, that make it possible for unauthorized people to get information or access that they shouldn’t have. During Hackaway day, we did not only test the speakers’ built in security by performing so called penetration tests, but we also looked closer at how users and manufacturers can reduce security risks by using the correct settings. It turned out to be a very informative day, as we found several ways to get both information and access.
The information in the speaker
We started off investigating what information in the speakers that was possible to get hold of via interfaces and applications. We established quite quickly that it is possible to access basically any information in the speaker if you are connected to the same Wi-Fi. Thankfully, speakers do not have a lot of sensitive information, but we also managed to access the Wi-Fi password and a few PIN codes. This might not seem so dramatic, but if this information ends up in the wrong hands, it opens up for further security threats against devices on the same Wi-Fi and if you have used the same PIN code for sensitive services.
The next step was to see if we could get the speakers to restart, and in that way return to its very first start. We call this the “first time” process. If you are able to do this, it is often possible for unauthorized people to take control over the speaker. This is not possible if you need to login on the web interface that often are used for this.
If the speakers are able to use the WPS, you should avoid this since it makes your speaker more vulnerable for attacks by someone that is nearby.
Updates, threats and must do’s
We also looked at the updating process. It is very important that you update your speaker when new updates become available. If the software isn’t updated, the speaker will always become vulnerable sooner or later.
Updates can also be a risk. If an unauthorized person sends a false update to your smart speaker, this person can also control the speaker if you use the update. Through an externally controlled device in your network, it is possible to attack other units in the same network or create a botnet consisting of several speakers that can be used for large attacks (see for example https://krebsonsecurity.com/2018/05/study-attack-on-krebsonsecurity-cost-iot-device-owners-323k/).
As a user you also need to question the user rights that some applications connected to the speaker have. Is it really necessary that the application needs access to text messages, calls, GPS, camera or microphone?
Tips and recommendations
Hackaway day went by fast and we found several things to dig into, but to sum up, I want to share some tips that reduce the risks with smart home speakers:
- Be attentive on the “first time” process so that it is not exploited, use a cable if possible.
- Be aware that people on the same network often can access the Wi-Fi password and other codes.
- Also be aware of that people on the same network often can control your speakers.
- Don’t forget that if you don’t update your device, it is likely that it will contain vulnerabilities after a while.
- Be aware that it should be possible to verify where the update comes from.
- Make sure that you have a good set up for your network, preferably with several separated networks (for example a guest network), good encryption and no default or weak passwords.
- Think about whether you actually need a connected device or not. What are the pros and do they make up for the cons?
- Demand that the products you buy have a signature/encryption, even within internal networks.
- Wired network are harder to listen in to than wireless networks, as it often require physical access to the local network.
- Demand that the applications that you use don’t have unnecessary rights that can be exploited by unauthorized people.