It is recommended the public disable any features that allow camera footage to be remotely viewed over the internet. Photo / 123rf
The GCHQ spy agency has updated its advice to UK consumers on having smart devices in their homes; write Hannah Boland and James Cook.
Last year, a family in Seattle grew alarmed when their 3-year-old daughter informed them that a voice in her bedroom was saying "I love you".
"We were both downstairs working in our office here, and our daughter called out," the child's mother told King 5, a local news channel.
"She's saying, 'Mommy, mommy. The voice is talking to me.'"
The voice wasn't an imaginary friend, but a hacker who had broken into the internet-connected baby monitor in the toddler's room and begun using its speaker to broadcast his own voice.
The incident, and countless other similar hacks, has prompted governments around the world to crack down on cheap smart cameras.
This week, GCHQ released new advice urging Britons to turn off the internet features of smart cameras, which it said had the "potential to be accessed by unauthorised users".
The spy agency's National Cyber Security Centre (NCSC) said while the risk was low, it recommended the public disable any features that allow camera footage to be remotely viewed over the internet - unless they are actively being used.
"Smart technology such as cameras and baby monitors are fantastic innovations with real benefits, but without the right security measures in place they can be vulnerable to cyber attackers," the NCSC's technical director Ian Levy said.
The advice was a sign of growing concern about the vulnerability of "smart devices" - lights, speakers and security cameras connected to the internet. They are now estimated to be in almost two thirds of British homes.
Even with the widespread use of such products, more than 70 per cent of households are said to be concerned about hackers breaking into them.
As many as 50pc said they thought they could never be totally secure.
It is a concern experts say they are right to have. Smart devices can be "easy pickings for hackers", according to Cath Goulding, an ex-GCHQ spy who now works for Nominet, the official UK internet domain name registry.
Keep your devices up to date Of course, "anything can be hacked if enough attention is applied", Goulding says. "Quite often in these cases, you are looking at a perfect storm: mainstream users who don't manage their security effectively and simple-to-execute attacks, such as on devices that haven't been updated in a long time.
"This wouldn't just put those devices at risk, but actually the entire network itself. Once hackers have managed to break into one device, they can "pivot" and gain access to other devices on the same network.
In today's world, many consumers may not be prepared for such an attack - but that is not to say it's too late and that their security is irreversibly compromised. In some cases all it takes is a basic software update.
Newer products on the market typically come with more advanced features pre-installed, including two-factor authentication, which means users can verify they are the ones accessing the system through a separate device, such as a smartphone. This more rigorous security can be made available to older devices through updates.
Change default passwords Another key piece of advice is updating the passwords you use to log into smart devices to make sure that they're strong and unique. Alan Woodward, a professor at the University of Surrey and a former GCHQ consultant, says: "If you bought a smart kettle, would you know how to change the password on it? There's no keyboard, no screen, so people think it must be secure.
"A lot of the time, they're not - and being able to get into the system, through a cloud server, and change the password to gain control of the products is key."
Earlier this year, the British government said it would be drawing up new legislation to ban default passwords in smart devices and bringing it before MPs "as soon as possible".
But, as it stands, many smart home devices have the same passwords, set by manufacturers - and that, worryingly, can often be found on online databases.
"This allows attackers to go to a single database that shows all of the devices found on the internet along with their configuration details, and so people can then log in," says James Hadley, a former GCHQ employee who now runs cybersecurity training business Immersive Labs.
"If I bought a device and then found out it couldn't be secured, so you couldn't change the password, I wouldn't install it in my home."
The NCSC suggests using three different random words put together to form a strong, unique password.
Another suggestion is to cover up devices such as cameras - especially in sensitive spaces such as bedrooms.
If there is no other option, cameras can be blocked up with "a good old fashioned blob of blu-tack", Goulding says. Or devices can be unplugged to save any unwanted attacks.
Have a dumb home The popularity of smart devices may be exploding, but that doesn't mean you need to have them in your home.
"Manufacturers these days seem determined to make their devices smart, so it's actually quite difficult not to buy them," Woodward says.
"I personally do not have a home hub, an Alexa or whatever, in my home."
Woodward adds that he bought a television that doesn't include a camera or microphone.
Anyone looking to buy a smart device now should read reviews, to validate and verify whether a particular device has been accredited, says David Balson, now at RipJar and formerly at GCHQ.
"It's a bit Wild West at the moment," he says. "Most of these devices don't come with security at the forefront of their design.
"Until it becomes the law for manufacturers to have to ramp up security measures for smart home products, consumers have to take it into their own hands, and make sure what they're buying is secure.
"At the moment, it's almost like companies are selling cars without seat-belts or a building is being built without fire escapes," Balson says.