Billions of smart home devices are expected to go online this week as connected doorbells, security cameras, door locks and streaming boxes such as the Roku and Apple TV are opened as Christmas gifts. The FBI says this poses a security risk for homeowners who are unaware that cyber criminals can access many of those gadgets with a simple web search for usernames and passwords.
A large number of connected devices come with a default username and default password so that the gadget can connect to the internet and be activated. The default login information should be changed once the device is activated.
"If you're not keeping your password safe for your home alarm system, what can I do? I can shut it off?" questions FBI Special Agent Scott Augenbaum.
"When you look at it, the only thing you need is a username and password. If the bad guy is able to get that password, the bad guy gets to see what I see," he said.
Default usernames and passwords are easy to find because manufacturers post them on the help or support pages of their websites. Generally the default username is 'admin' and the password is 'password'. Cyber criminals know this and can search for connected devices and log in if the owner hasn't bothered to change the information.
Those cyber criminals are now peeking into people's homes through their security cameras and have posted links to the live video those cameras capture. They're also able to unlock doors, open garage doors and access the files on computers logged into the network.
Last week Linksys issued a warning to its customers that some of its most popular Wi-Fi routers were susceptible to hacks due to a security flaw. The issue was addressed in an update, and Linksys is now urging its customers to download and install the update and change their passwords.
Agent Augenbaum told us it's imperative that people pay close attention to usernames and passwords on new devices and, when they change them from the default login credentials, that they don't use the same password that is used on their Facebook, Gmail, LinkedIn, bank account or credit card account.
"We can't keep taking these devices, take them out of the box, plug them into the network and walk away," he said.