Thirty minutes. That's the time it took a team of researchers from Ben-Gurion University in Israel to gain access to security cameras, baby monitors, doorbells, thermostats, and other internet-of-things, not-so-smart devices. It didn't require any special hacking techniques. Anyone can do it.
The only tools you need are at least one finger–a nose will work too–to type the brand and model of whatever device you want to hack, and a connected web browser. Put that information into a Google search box and, within a few minutes, you will find a site or a forum post somewhere describing how to get into that device using the manufacturer's default administration user name and password. Any pedophile, thief, ex-spouse, or regular Peeping Tom can use this information to gain access to any of these devices installed in your home. A government or criminal organization can also use these user/password combos to control many devices at once, in order to mine data, spy, or launch global internet attacks.
The research was led by Yossi Oren, who is in charge of the Implementation Security and Side-Channel Attacks Lab at Cyber@BGU. With his colleagues, he analyzed 16 popular high- and low-end IoT devices, using different reverse-engineering techniques that show how easy it is to extract the default hard-coded passwords of any machine when you have physical access to it.
The team added those passwords to the list of codes in a laboratory version of Mirai–a famous botnet malware specifically created to enter and control hundreds of thousands of IoT devices for organized massive attacks. Then they demonstrated how easily you can infect devices of the same model at the same time.