At a recent Home Hacker Lab event, an ethical hacker revealed how cybercriminals attack, and what consumers can do to protect themselves.
The October 13 workshop in New York City, presented by HSB and Prescient Solutions, mounted a remote cyber-attack on an Internet-connected model home inside the American Modern Insurance Group claims training facility in Ohio. The event demonstrated in real time how hackers choose their targets and enter a system, and the harm they can do once they infiltrate a home.
Key takeaways for homeowners included:
- Most attacks happen via traditional means, through home Wi-Fi systems, emails and computer browsers.
- Hackers are quickly finding new entry points through smart Internet of Things (IoT) technologies.
- Roughly 80 percent of consumers report using a home network connected to the Internet. One in ten consumers has experienced a cyberattack via their connected home systems.
“Hackers are exploiting common security flaws and using them to breach home networks, computers, IoT and mobile devices,” said Eric Cernak, vice president and cyber practice leader for Munich Re. “Once cyber criminals have access, they can steal personal and financial information, hold computer files for ransom, and hijack anything from webcams and thermostats to smart TVs.”
Jerry Irvine, CIO of Prescient Solutions and member of the U.S. Chamber of Commerce’s Cybersecurity Leadership Council, agreed that consumers face a real threat and need to increase safety protections in their home networks and connected devices.
“The good news is that homeowners can take steps to protect themselves from destructive criminal intrusions,” Irvine said. “Understanding what hackers look for and how they premeditate an attack are critical to building up a home defense system. The important thing to remember is that hackers are imperfect and can be disrupted.”
Risk management tips to secure home systems
The Home Hacker Lab also featured a risk management discussion with Cernak and Timothy Zeilman, vice president and counsel for HSB. The discussion included insights about ways to prevent a cyber-attack, the financial costs, and what consumers must do if/when they’re hacked. HSB and Prescient Solutions provided the following risk management tips to secure home systems:
1. Keep systems updated with patches and security updates. Install the most current Windows, OS/iOS updates/patches and applications. Regularly update firmware on routers and all other devices.
2. Separate social media from financial activity. Use a dedicated device for online banking. Use a different device for email and social media. Otherwise, just visiting one infected social site could compromise your banking machine and your financial accounts.
3. Secure the network to which the devices connect. Don’t broadcast your wireless router/network name. Change default usernames/passwords on home routers and smart devices. Activate wireless router encryption; use WPA2, not WEP. Do not connect smart devices directly to the Internet connection shared with home computers; connect them through a separate IoT firewall instead.
4. Set up two-factor authentication for all online accounts. Create complex passwords (nothing that can be easily guessed, such as children’s names, birthplace, etc.). Use secondary authentication; this sends a secret code to your phone verifying your identity.
5. Secure your smartphone. Many people still do not use passcodes to lock their smartphones. Don’t be one of them. Almost all IoT devices are controlled by a smartphone app, so phones have become key entry points to homes.
6. Think before purchasing or installing apps on smartphones or tablets. Make sure you read Privacy Policies before downloading. Do not download any apps that prompt you to quickly download, as they may contain malicious code and security flaws designed by hackers.
7. When not using Bluetooth, turn off the feature. Mobile phones, tablets and many new smart items in the home have Bluetooth functionality (smart speakers, set-top boxes, baby monitors, etc.). Such devices have recently been hacked into because their owners left the Bluetooth option on.
8. Purchase only new devices in unopened packaging from reputable retailers. As with any expensive device, there is a black market for counterfeits that have limited security protections. Do not be tempted to buy such devices.
9. Wipe/reset to factory defaults. When replacing connected devices or selling a home, devices should be restored to factory default settings. This will ensure that personal information contained on the devices is removed.
10. Check insurance policies closely. While a typical Homeowners Policy may cover the costs of the resulting damage (theft, spoilage, etc.), it generally does not respond to costs associated with restoring the systems that have been compromised in the attack.