"Use reflection. I'm going to keep [these devices] in my network and not configure them to be remotely accessible," he said. "If you browse for a website [on a computer that is connected to the same network], attackers can use your web browser to send requests to devices in your network, since a lot of them have web-based configurations. If it's not secure or there's a vulnerability, that's a problem.
"When they exploit it, they would run code that calls back to them; a server they have control of," he added. "And that gives them remote access."
One would think that, given the threat these devices pose to the networks to which they are connected, vendors would ship them with built-in security measures. Unfortunately, it appears they don't come equipped with much beyond a request for credentials.
"[Smart devices] usually have something built in; most devices, whatever admin access they have, will typically be at least password protected," said Heffner. "But there are a couple of problems there. A lot of people don't consider all of the scenarios." The few security measures these devices have are not necessarily mandatory to implement; users could, for example, not even bother setting a password. Heffner added that there are also ways for attackers to bypass the login process at some point in the code before the device checks credentials.
"So even if you have configured a secure password, you're not necessarily safe," he said. "Security is not taken that seriously as it is with things like PCs with Windows."
Irvine added that not only are an ID and password typically the extent of the security measures, but they are also not that strong, given that passwords often don't even need to be complex.
"It's easy these days to proxy and masquerade as a web device," he said. "You could be a rogue web server, for instance, that these devices would then report to, nullifying the need for a user ID and password."
Even if a user is diligent enough to make the most out of the security measures at hand, there's no way to secure what you don't know is vulnerable, Heffner pointed out.
"If there's a vulnerability in a device, most consumers will never hear about it," he said. "Most vendors will just ignore a vulnerability and never patch it at all. It's hard to protect against unknown vulnerabilities."
With so many vulnerabilities, both in the products themselves and as a result of poor user awareness, Irvine and Heffner seemed concerned about attack rates increasing alongside adoption rates. Irvine seemed particularly concerned with the lack of awareness surrounding the vulnerabilities of smart homes. "I think the security [of these devices] won't improve until there is a major issue," he said. "As the adoption rates increase, so will the attacks. The same thing happened with mobile devices."