General security

Why did Infosec hack into a reporter’s smart home system? Because he asked us!

December 13, 2019 by Kristin Zurovitch

One of the benefits of being the leading cybersecurity educator is getting the opportunity to work with the media to help share lessons learned with consumer audiences.

Recently, Infosec was approached by reporter Joshua McNichols, the co-host of KUOW’s “Primed” podcast. The program broadcasts from the Seattle National Public Radio affiliate and focuses on how Amazon is transforming the American consumer economy and how the company is changing since establishing its headquarters in Seattle.

McNichols had heard recent news stories about bad guys hacking into families’ personal assistants, such as Alexa, Siri, Google Assistant and Watson. Once in the system, hackers can control any of the connected smart home devices — lights, baby monitors, electrical outlets, music players and cameras.

McNichols spoke to Infosec CEO Jack Koziol to find out how real the threat is and just how easy it is for hackers to gain access to home systems. We know more than 80% of those hacked are tricked by phishing emails, and while this is an old technique, the bad guys still use it with great success.

Wanting to see how it all works, McNichols asked us to demonstrate a hack in a semi-controlled environment — via his home Amazon Alexa. That’s when the fun began.

Infosec Security Engineer Carmen Bulanda (right) needed only five minutes to hack into Joshua McNichols’ personal assistant app.

We asked Carmon Bulanda, one of Infosec’s security engineers, to send McNichols a phishing email. Even though he knew it was coming, McNichols said it was really convincing and looked like an email from Amazon. After capturing McNichols’ credentials through the phishing email, it took our security engineer only a few minutes to access McNichols’ Amazon account and in no time Bulanda was turning lights off and on, playing music of his choosing and “spying” on McNichols and his daughter as they sat on the couch.

When McNichols clicked on the fake phishing email from Infosec, our “hacker” could spy on him and his daughter from one of their home devices.

While this was fun and amusing for demonstration purposes, it illustrates the extremely serious point that all of us have online vulnerabilities and we need powerful security awareness skills to stay cyber safe. McNichols explains in his story that Amazon has built a multi-layered defense system against hackers — one of the best in the industry. But consumers are the main source of vulnerability when we click on a phishing email or don’t follow strong password best practices.

Anything hooked up to McNichols’ home system is under the hacker’s control. Here our security engineer is looking at the lights and electrical outlets in the home.

Thanks to Joshua McNichols and KUOW for this informative and entertaining story. It was great working with them and we think you’ll learn something important when you give it a listen. You can enjoy the full Primed podcast and there is also an online account of the story with audio and more photos:

I asked a hacker to spy on me via my Amazon account. It took him 5 minutes to break-in

Infosec can empower your company and employees with education to spot and avoid phishing emails with our award-winning Infosec IQ security awareness training platform. Request a demo of the Infosec IQ security awareness and phishing simulation platform to see for yourself.


Kristin Zurovitch

Director of Corporate Communications, InfoSec Institute