Researchers Find Smart Devices Ripe For Hacker Attacks
Researchers Find Smart Devices Ripe for Hacker Attacks
Thousands of hacker attacks were launched against a network of smart home devices created by researchers in order to determine the risk the devices pose to consumers.
According to researchers at the NCC Group, Which?, and the Global Cyber Alliance, during the first week the "honeypot" network was online, 1,017 unique scans or hacking attempts were directed at the network's devices, which included smart TVs, printers, wireless security cameras, and Wi-Fi kettles.
The attacks increased in frequency over the next week, reaching 12,807, with 2,435 attempts to log into a device using a weak default username and password.
Although the majority of devices in the "hackable home" environment were able to avoid attacks through basic security measures, the researchers cautioned that this does not mean they will never be compromised.
However, they continued, the most concerning issue they discovered was a connected camera with a weak default password, which allowed a suspected hacker to gain access to the camera stream. The camera lens, on the other hand, was taped over.
"The majority of these attacks are automated," noted Matt Lewis, an analyst with the NCC Group, a UK-based cybersecurity firm.
"They have no idea who they are going after," he said. "They simply know how to gain access to a service and attempt some of the most common weak user name and password combinations."
"The one that stood out to us was user name admin and password admin, which is a fairly standard configuration for a large number of devices," he added.
Malicious Mixed Bag
Lewis noted that the researchers observed a great deal of activity that was probably harmless. "It was from large internet companies that were scanning the web to see what was available," he explained. "There were also hackers searching for vulnerability IP addresses out of curiosity rather than malice."
"However, we did observe some CCTV camera activity that could be traced to a known Russian threat actor," he added.
According to Brad Russell, a vice president at Interpret, a global advisory firm, device data in the smart home space is very different from personally identifiable information.
"It's much more difficult for people to become concerned about a single piece of data from their thermostat, water sensor, or garage door opener," he added.
"And hackers haven't had much incentive to gain access to smart home data," he added. "Their efforts would be better spent installing ransomware and stealing truly valuable data, such as credit card numbers and social security numbers."
That is not to say, however, that smart home devices cannot be used to harm their owners.
"A hacked smart thermostat could act as a gateway to the home network, which could then provide access to personal computers and digital files," explained Adam Wright, an IDC senior research analyst for the smart home.
"A hacked smart camera or baby monitor can facilitate the same malicious activity as a hacked thermostat," he continued, "but the camera can also be used to spy on people or communicate with or harass people in the home."
"Any compromised device connected to the internet can act as a gateway to other compromised devices," added Tom Brennan, chairman of Crest USA, a global not-for-profit cybersecurity accreditation and certification organization.
"It can also be used as an exfiltration point for sound, video, and data to be extracted from a home," he explained.
Hacker Magnets
Ilia Sotnikov, a security strategist and vice president of user experience at Netwrix, an Irvine, Calif.-based maker of visibility and governance platforms, noted that smart home devices attract a variety of types of hackers.
"The most benign attackers are geeky children who are learning about technology through its destruction," he explained. "They would not be motivated by financial gain. They are pranksters who take pleasure in waking someone up in the middle of the night by turning on their smart light bulbs."
"However, they are not entirely harmless and may cause damage or financial loss if they choose to play with devices connected to your digital marketplace accounts," he explained.
"Another type of attacker can be compared to a prowler who patrols a neighborhood looking for unlocked doors," he continued. "In a 'drive-by compromise,' they are seeking financial gain and will take advantage of any opportunity."
"The most heinous attackers are probably child abusers and pedophiles, who hijack cameras and internet-connected toys," he maintained.
"Finally," he added, "for a select number of high-profile targets, smart devices can be just one of the attack vectors adversaries use to gather intelligence and infiltrate their lives."
In many cases, hackers target smart home devices due to the ease with which they can be attacked, Wright noted.
"Many devices are still being shipped from the factory with insufficient security protections, such as access codes for the device being 1234 or 0000," he said.
Consumer Protect Thyself
Wright added that buyers of smart home devices place a premium on security. He cited a 2020 IDC survey finding that 71.4 percent of smart home users were concerned about device and data security in some way.
He noted that respondents' top security concerns included unauthorized device control, identity theft, and the recording of conversations. Consumers were less concerned with their purchasing habits being discovered.
To help consumers protect their smart home devices from hackers, Sotnikov offers the following advice:
• Whenever you purchase a new device, always change the default password or create one if the device is not protected out of the box.
• Conduct a check of other security settings and consider hardening them if necessary. These will vary according to the device type. They include options for turning off a voice assistant's microphone when not in use, disabling access to your address lists, enabling additional protection for online purchases, and enabling additional confirmation or notifications.
• Ensure that the setting to download and install security patches is enabled, if the device manufacturer makes them available. Unpatched vulnerabilities can be the quickest way for hackers to gain access to your system.
• Consider segmenting your home network to prevent someone hacking your smart fridge and lightbulbs from gaining access to your PC and personal or work IT systems.
