How One Lightbulb Could Allow Hackers to Burgle Your Home

This holiday season, gift guides are full of “smart home” devices: lightbulbs, plugs, security cameras, thermostats, and doorbells you can control wirelessly from your phone. Analysts anticipate that the popularity of these “Internet of Things” devices is poised to grow over the next couple years, with a projected 20.4 billion devices in use by 2020.

While it may be convenient or even fun to control your home from a smartphone, there are many documented cases of how critical security devices like locks, alarms, and even baby monitors can be hacked. According to a new study by computer scientists at The College of William & Mary, even seemingly benign smart home devices, like smart plugs or lightbulbs, can provide entry points for hackers.

That’s because many smart home devices are controlled using a central app, like Google’s Nest app or Samsung SmartThings. Changing a setting from one smart device might tell that platform to change the behavior of other smart devices. For instance, imagine you’ve programmed your smart lightbulbs to turn on once you arrive home. You may also have other smart devices that are programmed to do something while you’re home versus away; perhaps your smart alarm system is set to be disabled if you’re at home. If a hacker can access your smart lightbulb and toggle its setting to “at home,” they might also be able to control that alarm system, making it possible to disable an alarm to slip into your home undetected, just by messing with your smart bulb settings.

“When you buy a power outlet or lightbulb, you don’t think it could affect your cameras or security alarm system,” Kaushal Kafle, lead researcher on the study, told Quartz. “But when you bring that device into your smart home platform, that allows them to communicate with one another.”

In another paper published earlier this year, researchers at Ben-Gurion University of the Negev in Israel analyzed 16 different Internet of Things devices and found that even security-critical devices like smart cameras or doorbells were not difficult to hack. “Because these devices are mass manufactured, you can buy a specific camera and figure out its weaknesses, then use it against any other person with the same camera,” lead researcher Omer Shwartz, said.

The devices Shwartz tested had passwords in place to access settings, but they weren’t always secure. Shwartz said the easiest device to crack had “1234” as a password, and the most difficult device to crack, a fancy baby monitor, only took them two days to break into. “I think I’m the only person who knows the password, so I’m not going to share it,” Shwartz said, “but it’s concerning that it was so easy.”

Hackable devices also expose owners to another security nightmare: access to your wireless network. Some devices store your wifi password insecurely, and a hacker with access to your smart device’s settings could get your wifi password and monitor your network’s activity. A hacker could theoretically snoop on you entering your credit card info while online shopping, or as you log into your bank accounts.

“While the findings do seem alarming, the issues are not all dire,” Kafle said. “You should not dismiss smart home devices out of hand; they do have their usefulness.” After all, a hacker would need to be fairly motivated to hack any single individual, and the average consumer is likely not a big target. Kafle and his team have taken their findings to manufacturers like Google and Samsung, and have been pleased that the companies are receptive to their suggested fixes.

Both Kafle and Shwartz advise that apps and devices developed by well-known companies could be more secure, if only because these companies have the resources to devote to testing and updating security measures. “Devices by big brand names are also sold at larger quantities, so the chance that flaws will be discovered is higher,” Shwartz points out.

There are devices on the market that allow users to monitor all incoming web traffic to suss out any nefarious actors. Products like Fingbox or Bitdefender‘s Box will alert you if any new devices attempt to access your network, and block potential hackers. But like any other device, they, too could become compromised—and the average consumer may not want to shell out the money or time to set them up.

As the tech community works on improving the security of Internet of Things devices, it’s wise for consumers to be smart about their smart devices. “If you don’t feel safe sharing something with the rest of the world, you should probably not put a smart device on it,” says Shwartz. “There should always be a healthy level of mistrust of these services.”