Giving gifts to hackers: Don't be security stupid about smart home devices

One of the hardest to find holiday gifts this season? Smart home devices; currently the Amazon Echo smart speaker is back-ordered until mid-January.

Just speak the command, and these hub devices will turn on the lights, the TV, find you music, control the temperature. But with more and more of us putting smart home tech on our holiday wish lists, KHQ sought expert help with the one thing you can't tell these devices to do: protect themselves - and you - from hackers.

For all their convenience, smart home devices have so far proved to be pretty stupid, security-wise. In one of the first-ever tests of smart home security,  the University of Michigan hacked into the top selling Samsung SmartThings home organizing hub, using a fake app that allowed researchers to unlock the front door at will.

But such a security breaches are nothing compared to the chaos we saw in October.  The Direct Denial of Service (DDoS) attack that brought the internet to its knees used everyday devices - cameras, universal remotes, even washing machines and refrigerators - that were hooked to the owner's Wi-Fi.

To help solve your smart home security problems, we teamed up with Stephen Heath, Director of Security Services for Spokane-based Intrinium.

“We do security consulting all over the country, break in see if we can steal the stuff,“ Heath explained. “A lot of these new devices are so ‘smart,’ you can send a tweet from your fridge, I don’t know why you would want to do that but people have built this.

Heath says he doesn't have to test your in-house system to guess the most likely vulnerability: passwords that haven’t been changed from their defaults, when they're used at all.

“People sometimes aren't secure with how they set them up so if you know where to look people will have their home security mapped out with no username and password, so they can take a look with what is going on in some back alley in Detroit somewhere,” Heath said. In fact, with a few clicks of a mouse, our data investigator was able to pull up real-time feeds from  unsecured cameras in Spokane, across the country, and around the world.

Fortunately, there's a quick fix you can do right now.

1. Reset the product back to its factory settings.

2. This ought to wipe any malicious code that has found a home in your devices.

3. THEN change your passwords.

Once you've done that, Heath says keeping your smart home on the safer side of the internet boils down to staying off the bad guys' radar - and there, the solution is also surprisingly simple:

“Turning things off when you’re not using them - if you don’t need to send tweets from your fridge, turn it off: with a webcam, baby monitor, when you’re not using it turn it off.”

Just remember - even the smallest bit of information - like a smart thermometer that shows when the furnace is turned off  - can tell a compu-crook the house may be empty. “Don’t let people spy and find out you’re not home,” Heath said. “And if they do get in, give them less information to be able to deal with.”

Despite the risks, the buying frenzy has really just begun. The typical family is predicted to add up to 500 smart home devices -  from dishwashers to deadbolt locks - by the year 2022.