Whether catching up on exercise, learning a new language or bingeing on Netflix, COVID-19 lockdowns have been different things to different people – but for hackers like Mike Jones, much of that extra time has been spent figuring out how to break into the smart devices flooding people’s homes and home offices.

A one-time military intelligence officer who claims to be one of the original Anonymous hacktivists, Jones spent much of his lockdown exploring the security weaknesses in connected smart-home devices – and what he found, he told a recent Rubrik data-security webinar, was “pretty shocking”.

Early into last year’s lockdown, for example, Jones started experimenting with Google Chromecast – a networked device that plays video on TVs from users’ mobile devices. Yet because Chromecasts connect to the home wireless network, Jones said, they can be identified and tricked into broadcasting any video the attacker wants.

This made for a great prank when he broadcasted old footage of a BBC breaking-news report onto his friend’s television.

“It was very legit and shocked the people that I was with, who thought that it was real,” Jones said, calling Chromecast “one device that is very exploitable”.

Another popular smart-home device, Amazon’s Alexa, proved even more interesting thanks to its ability to be expanded using installable ‘skills’ – such as an application that uses a smart speaker to continually monitor a room for suspicious sounds.

“The reason I bought Alexa was to take a look at its different features, and see what can be done to compromise or destroy a network,” Jones said.

“What I found was pretty shocking.”

Sensing an opportunity, Jones has been writing some new skills of his own – integrating tools like network-scanning app Nmap and Metasploit, an automated tool that probes devices for security vulnerabilities, to develop an automated Alexa hacking tool.

“I’ve come up with different methodologies for attacking Alexa,” he said, for example by compromising group conference calls held through the devices.

“It will be really interesting to watch”.

Caught in the hackable home

Few people would willingly implant a microphone and video camera in their homes, but the veneer of voice control and smart-home automation has nonetheless made voice assistants hugely popular: some 2.8m Australian households had installed the devices by the end of 2020, one recent Telsyte analysis found, up from 2.6m at mid-year as the pandemic progressed.

“During uncertain times, it was technology and communication services that improved home and work life for most Australians,” said Telsyte managing director Foad Fadaghi.

Given hackers’ success in compromising the security built into these platforms – published exploits for Alexa, for example, include the use of a laser light to bypass security, the use of 1-click links, and software vulnerabilities that let Check Point Research specialists take over Alexa devices – their integrity is far from guaranteed.

Indeed, all manner of home technology is proving to be a potential vulnerability: Check Point researchers this month demonstrated how malicious e-books can turn an Amazon Kindle e-book reader into a ‘bot’ or a hop-off point into a company network.

Heralding the types of takeovers that hackers are developing, Jones demonstrated “pretty lethal” Google Android proof-of-concept malware that he wrote to surreptitiously monitor a user’s movements, conversations, and surroundings through the device’s cameras.

Increasing interconnection between devices in the home offers additional vulnerabilities: one attack that Jones demonstrated took advantage of the fact that a petrol station’s surveillance system, alarm system, and point-of-sale system were all connected to the same network.

“You can imagine the craziness that ensued,” he said, as the camera was hacked to pull information from the other systems and overlay it onto the video feed.

“I was able to see exactly what somebody was buying on the screen, along with their credit card number and the total purchase amount. And I was able to set off the alarm, which locked the doors and created a very loud noise.”

The average user’s exposure to such attacks is only likely to increase over time as technophilic Australian homes add even more devices.

The average Australian home had 19.7 connected devices last year, Telsyte said – and this will nearly double, to 35.6 connected devices, just three years from now.

Fully 61 per cent of Australian homes have at least one smart-home product, Telsyte found, with 36 per cent saying they had made changes to their home during the pandemic to make it more comfortable for living.

But that comfort will come at an increasing cost as hackers around the world continue their exploration of connected devices’ vulnerabilities.

Similar work is being conducted at law-enforcement agencies around the world, Jones added, who are routinely creating powerful exploits for surveillance that become major security risks once they are leaked to the public.

“They have some of the brightest minds working on these tools,” Jones said, “and when they get leaked to the public every kid and every [hacker] forum has this tool – which they’re using against us without any kind of repercussions or oversight.”