You might have noticed the brouhaha over the since-deleted Samsung tweet advising users to run antivirus scans on their smart TVs—but is such a malware attack possible? Just how many of your smart home gadgets are vulnerable to viruses in the same way that your laptop might be? We called in the experts to find out.
Those experts are Vladislav Iliushin, IoT threat researcher at Avast, and Candid Wueest, principal threat researcher at Symantec, who both specialize in smart home gadget security. They kindly helped us out with our queries about whether speakers, TVs, and Alexa microwaves could get viruses, and the short answer is: Well, it’s complicated.
First it’s perhaps best to talk about a bit of terminology. It’s now been pretty well established that your smart home gear can fall victim to a hack—someone tuning into your security camera feed using its built-in remote access feature.. In this scenario, hackers are basically just taking advantage of a gadget’s existing built-in features.
But a hack is different than a virus infection, in the Windows or macOS sense, where malicious code gets installed on a device and can manipulate what it actually does. That’s more difficult to do with smart home devices and less likely to happen, but it does then give an attacker who deploys the virus the chance to control Internet of Things (IoT) devices for their own ends.
“There are various threats, such as the Mirai worm, that are designed for IoT devices that can compromise many different devices, from routers to connected cameras,” Wueest told Gizmodo via email. “Even Android malware designed to infect smartphones can compromise smart TVs if they run the Android operating system.”
The Mirai worm that came to prominence in 2016 is a classic example of an IoT virus: It exploited default, unchanged security settings on smart home gadgets to build up a botnet that’s then able to crash websites and servers with a distributed denial-of-service (DDoS) attack. DDoS attacks are one of the main reasons hackers might try and load up smart home gadgets with malware.
The second kind of virus attack to know about is a man-in-the-middle (MITM) attack, where a hacker intercepts communications between a device and the web—in this case, the bad actor needs to be either on your wifi network or to be able to trick you into installing a dangerous app.
“The vast majority of IoT devices are simply underpowered computers running Linux, so yes, smart devices can absolutely run malicious payloads built for IoT,” Iliushin told Gizmodo over email. “IoT attackers could even run a man-in-the-middle attack in which they sit on the router, listen to all outgoing traffic, and sniff out sensitive information, like passwords.”
Just before you rush around powering down every smart device in your home, it’s important to note that while viruses can certainly run on these gadgets, the risk isn’t necessarily that high. Attacks like the ones we’ve described generally rely on one of four access methods, which aren’t too difficult to guard against: Malware needs either a poorly secured IoT device, access to your home wifi network, physical access to your IoT devices, or a way to trick you into installing software on your smart home gadgets.
Real threats, but nothing to panic over if you’re using secured devices running up-to-date software, and not allowing strangers into your home or giving them your wifi password. These various attack points for malware vary depending on the type of smart home gadget you’re dealing with.
Threats by gadget
Smart TVs can run apps and access the web, so yes they are vulnerable to viruses—but whether malware writers are actually targeting these televisions, or going to be able to convince you to install something suspicious, is another question. As long as you’re not installing dodgy apps, and the TV software isn’t leaving itself exposed to the web at large, you should be (mostly) safe from those kinds of attacks.
“There have only been a handful of malware infections on smart TVs yet,” says Wueest. “Compared to using a computer, the user does not install that many new application or open emails with suspicious attachments, therefore the attack vector is mainly exposed services reachable from the Internet.”
Smart speakers have so far remained largely untouched by viruses, though that’s not to say it’s impossible. We’ve seen an Alexa Skill that could turn an Amazon Echo into a secret listening device, and a Bluetooth vulnerability that could leave an Echo or Google Home speaker exposed (but which would require a hacker to be in Bluetooth range). Both these exploits have since been patched against, but you can see what’s possible.
“While quite possible in theory, we haven’t seen malware specifically designed to attack smart speakers,” says Iliushin. “Such devices can easily be exploited or tricked into playing audio files, but we have yet to see something more sophisticated.”
Security cameras, as we’ve already mentioned, can be at risk, especially through poorly configured security settings out of the box. According to Symantec, they’re the second-most targeted type of IoT device—15 percent of attacks last year affected security cameras (routers came out on top with 75 percent, which is why you should secure yours).
Once we get down to the level of smart lights or smart plugs, these devices haven’t yet attracted the attention of malware writers, according to our experts. What’s more, they often connect to the web via a smart hub, adding another layer of complexity and another hurdle for any potential virus to overcome.
“More exotic devices, such as smart microwaves or smart kettles, typically face accidental attacks rather than specifically targeted ones,” says Wueest. “Malware threats actively going after these devices are not yet that common. The common cybercriminal wants to make profits from their attack and not just annoy people with turning off their lights.”
Keeping your home safe
Keeping your smart home devices safe from malware isn’t really a question of running antivirus scans on all of them—it’s more about making sure they’re securely configured from the beginning, and that the gateway to your home (your router) is properly locked down against remote attacks. Remember around three-quarters of IoT attacks affect routers, as per Symantec’s data.
Buying devices from well-known, security-conscious manufacturers is a good start. This doesn’t make you invulnerable, of course, but the likes of Amazon and Google know that leaving their smart home devices open to hacking and viruses is very bad PR, and they’re therefore likely to go to great lengths to stop it.
Recent research from Avast and Stanford University found that from a sample of 16 million homes worldwide, 3 percent of those had routers visible to the outside world (i.e. they could be seen without being within wifi range). Half of those had “a known vulnerability or a weak password” and were, therefore, prime candidates for attack—a not inconsequential 240,000 homes.
The trick is in not being one of them. While most modern routers are set to auto-update with new software patches—so you don’t actually have to do anything—it’s definitely worth double-checking. Your router manufacturer or your internet service provider should be able to help out here.
By the same token, regularly check inside the supplied apps for your smart home devices, and apply any available updates you see. Don’t accept default passwords for your devices, and make sure that any passwords you do set are different from those you use on other services.
In the case of smart TV apps and smart speaker skills, only install software from official sources and that comes with positive reviews. Think twice before running sketchy software from a developer you don’t know—or indeed installing sketchy smart home hardware from manufacturers you’ve never heard of.
“Device manufacturers carry the onus of protecting their users by building strong privacy and security postures into the product design in the first place,” says Iliushin. “Our research has found that 90 percent of the world’s devices are made by the same 100 vendors, so those companies should be held responsible for the safety of their customers.”