The smart home hacking scene in Scream is possible, but you’re probably OK

Two elements combined to make this article happen. The first was that October was Cybersecurity Awareness Month. Second, smack-dab in the middle of the month, the first trailer for the new Scream movie dropped. It contained a scene that had us a little concerned. See if you can spot it.

Scream | Official Trailer (2022 Movie)

Obviously, we’re talking about the smart locks scene. All your locks in your home unlock, so you whip out your smartphone and re-lock them, only to see them all unlock again. The implication here is that Mr. Scary Killer person has hacked into their victim’s smart home account and can control all the devices throughout the home. Yikes.

As someone who doesn’t carry keys to his house because of all the smart locks, I was getting a little nervous. So I decided to talk to someone about it. I reached out to John Shier, senior security adviser at Sophos Home, to talk about it. He gave me some good news and some bad news. I’ll start with the bad news.

Yes, this is possible. The good news is that it’s rather hard to do, and the better news is that the chances of this happening to you are infinitesimal, unless, of course, you also have someone who really wants to do you harm. But the honest truth is that there’s a good chance enough of your data is out there to make something like this possible.

LOLwut?

There are two things that combine to make this possible: Social engineering and data breaches. Separately, either of these can get an attacker enough information to hack your smart home. Together, it becomes even more possible. But you have to understand, when we say this is possible, we have to quickly caveat it by saying that it’s not very likely.

If you accept the idea of the movie that there’s a lot of planning and premeditation there, then this becomes a lot easier, which is to say it’s more plausible. The fact is, data breaches happen frequently and people often re-use email addresses and passwords for multiple services. Your password exposed from XYZ company (we’re not data-breach shaming here) could well be the same username and password that you use for your smart locks. Even if the password is different, the email address is a key piece of information toward other ways to hack your way in.

Before you ask, no, we’re not turning this into a “hack your way into your friends and family’s homes” tutorial. But suffice it to say that any information about you that has been exposed by one of these data breaches gets a potential wrongdoer a little bit closer to ultimately gaining access to your accounts. That can happen via social engineering or by using data exposed in breaches, neither of which is trivial. “I think when we talk about IoT security at large, those are probably some of the biggest risks when it comes to having the devices fall out of your control,” Shier explained.

Social engineering relies on trickery, which honestly may or may not work. An attacker who goes this route has to be in a position to fool a user into giving up credentials. It was at this point in my conversation with Shier that I learned some surprising ways that one can easily set up a phishing site for that purpose. Again, this is not a tutorial, so I won’t repeat that here, but suffice it to say, sometimes the Internet just sucks.

The other route would involve sifting through millions of sets of credentials and finding a target, which, depending on the breach, may not be identifiable by name. A target might have the name John Doe, but their email address could be thunderkitty875@genericemail.com, and there may be no way to associate those two very disparate pieces of information.

Sites like haveIbeenpwned.com can let you know if your email address has been a part of a data breach anywhere, but they also have the reverse effect. An attacker could gain the email address of a potential victim and use that site to see what data breaches they have been part of. From there, the attacker could download the data from those breaches and try the usernames and passwords. That is to say nothing of an attacker gaining access to a potential victim’s email address and just sending password resets.

“You’re more likely to be monetized than stalked. [Criminals] are more likely to want to get your banking credentials and your personal information [for] identity fraud than for mucking around with your lights and your door locks,” Shier said.

The point of all this is, it’s very possible, and the data is out there to do it, but the likelihood of it happening to a random person by a different random hacker is remote. There’s a lot of work that has to go into breaking into someone’s credentials for their smart home. But it’s far more likely that whatever data is lost during a data breach is going to be used for monetization, whether that’s selling the data or using the data for identity theft.

It’s incredibly unlikely that the end result of a hacker breaking into a company is going to be a scene from a horror movie. But I suppose I have to concede that it’s not zero. I should also mention that identity fraud is itself a scene from a much more nerdy horror movie, but it’s also pretty terrible if it happens to you.

Stay ahead of the game

That being said, there are things you can do to help protect your data and keep your smart home secure. Shier speaks of identity hygiene, such as using different email addresses and passwords for every site out there. That way, if your data gets out, the damage will be minimal. Using one of the best password managers is a great idea, as is enabling two-factor authentication where possible.

Another thing that Shier points out is to be sure that any default accounts or passwords that might have shipped with your smart home device are removed or changed. Some devices ship with a default “admin/admin” as a username and password, and sometimes users will create their own account without removing the default. Similarly, they’ll create a new password of their own without having removed the built-in password. Hackers can easily find out what those default passwords are and attempt some hackery with that information.

Stick with name brands. Off-brand and/or smaller companies have a tendency to come and go, and may not consider implementing software updates as critical as some of the more known and trustworthy brands do. If you have a device that hasn’t been updated in a while, consider reaching out to customer support and finding out what’s up with that. Software development is an ongoing process.

Speaking of which, make sure to keep your smart home devices up to date. It’s not a bad idea to check for software updates periodically. Security vulnerabilities can crop up from time to time and more often than not they’re squashed quickly. But that only helps if you actually download and install the update.

So the good news is unless you have made someone really, really mad, you can continue to leave your house keys at home. Let’s be honest, if you’ve made them that mad, a regular deadbolt probably wouldn’t be much help anyway. But that’s not to say you can completely let your guard down. Be sure to regularly check for updates with your smart home technology, use password managers and 2FA, and most importantly, never, ever say, “I’ll be right back.”

Adam Doud
Adam had been writing in the tech space for nearly a decade. When not hosting the Benefit of the Doud podcast, he can be…