A software update caused the breach, and it was fixed after an hour. But during that time, a handful of Eufy users noticed they had access to other users’ live camera feeds, as well as recorded video. The breach also granted full account access, meaning anyone could pan and tilt strangers’ cameras to get a good look around their homes. This highlights the problems inherent in all smart home gadgets. “As we bring more technology into the home, cyber criminals will increasingly turn their attention to these new systems,” Ben Dynkin, co-founder and CEO of Atlas Cybersecurity, told Lifewire via email. “This increased scrutiny from criminals will inevitably result in an increasing number of attacks, and no law or regulation will be able to stymie it. To solve that problem, we must find new and innovative ways to both secure systems and deter criminal activity.”
Insecure By Design
According to a statement provided to Lifewire by Eufy-maker Anker, a software update caused the bug, which affected 712 users and was fixed in under two hours. The underlying problems remain, though. Internet-of-Things devices, as these smart home gadgets are classified, are not designed to be secure. “Currently, IoT devices are often not built with security front-of-mind,” Dan Tyrrell of penetration testing company Cobalt.io told Lifewire via email.

The problem is that designers and vendors are more interested in features than security. “The IoT market is constantly innovating with new and established companies bringing products and solutions to the market at a break-neck pace,” says Dynkin. “This means that for companies to succeed in the space, they must innovate quickly and try to edge out their competitors, which means, inevitably, that security will be treated as a secondary consideration, rather than a core tenet of the product. This leads to ubiquitous vulnerabilities that can be exploited.”

Interestingly, people who connected their Eufy cameras only using Apple’s HomeKit Secure Video were not affected by this breach, which shows that a security-first approach is possible.
Regulation
These breaches won’t stop until security becomes at least as important as features, and that won’t happen until somebody forces smart home vendors to take it seriously. One answer is government regulation, like the rules that keep our food safe and EU cell phone roaming cheap. Regulation would force minimum standards on vendors, and punish them for breaches.

“Regulation is not necessarily the silver bullet in making sure IoT devices are secure,” says Tyrrell. “Instead, we should look at regulation as a step in the right direction. I would caution that being compliant with a regulatory standard is not the same as being secure, but it is better than nothing.”

Others are opposed to regulation entirely. Paul Engel, founder of The Constitution Study, sums up this attitude. “The last thing we need is more government interference,” Engel told Lifewire via email. “A few expensive lawsuits and insurance payouts would do more to push these companies to better their security than any legislation could.”

In the end, most consumer protections come from government regulation. And given historical trends, it’s likely the European Union will move first on this, but the US already has some laws to build upon. “We could extend the standards laid out in the 2020 Internet of Things Cybersecurity Improvement Act—which currently only covers equipment procured by government agencies—to business and consumer products,” Paul Bischoff, privacy advocate at Comparitech, told Lifewire via email. “That includes remote and automatic firmware and software updates, identity management, and encryption.”

Without better security, things are going to get worse.
Protect Yourself
The easiest way to avoid IoT breaches is to not install any smart home devices. But if you absolutely have to have a smart doorbell or security camera, there are precautions you can take.

First, consider devices that don’t use the internet. “You could opt for a security camera that stores video on a local device instead of a cloud server,” says Bischoff. “[And] you can route IoT devices through a VPN installed on your Wi-Fi router, which hides your real IP address and location and encrypts data in transit.”

In the end, the most important thing is to remember that the security of your devices is your responsibility. “Consumers should practice good cyber hygiene with their IoT devices,” says Tyrrell. “Where possible, change default usernames and passwords. Only connect necessary devices to the internet. Understand that it is your job as the device owner to update patches, and do so regularly. Finally, maintain a separate local network in your home for all IoT devices to reduce the impact of a breach of one of those devices.”