The Internet of Things (IoT) is transforming the world around us in a dizzying array of new use cases. The application of smart, connected technologies in healthcare, factories, transport, retail, and other sectors offers businesses the chance to become more efficient, cut costs and offer innovative new services.
But it’s in the smart home where consumers are noticing the biggest impact on their lives.
There’s just one problem: IoT adoption also means increased cyber risk. New Stanford University research reveals that North America has the highest density of home IoT devices anywhere. That’s a broad attack surface to target home workers and hijack their connected devices.
According to the research, which is based on Avast scans of 83 million IoT devices in 16 million homes worldwide, 66% of homes in North America have at least one IoT device, compared to 40% globally. These could be anything from connected fridges to home CCTV and security systems, smart windows, door locks, routers or smart TVs.
While these gadgets are designed to entertain us and make our lives safer and easier, many are riddled with security issues. A major problem highlighted in the paper is the widespread use of the old communications protocols FTP and Telnet, which do not encrypt log-ins in transit.
What’s more, many IoT devices and routers supporting these protocols are never updated from the factory default passwords. “Admin” accounts for 88% of weak FTP passwords and a third (36%) of weak Telnet logins, the research reveals.
The combined result makes it easy for an attacker to crack or guess these log-ins remotely.
But it’s not all about how exposed IoT devices are via their comms protocols and passwords. Many are shot through with software vulnerabilities which could easily be exploited in attacks. Two million IP security cameras, baby monitors, smart doorbells and other gadgets were found earlier this year to contain serious flaws that could enable attackers to hijack them.
IoT devices are especially vulnerable to these attacks because many manufacturers don’t update them frequently enough with security patches. And even if they do, consumers are often unsure how to apply the patches themselves. Vulnerabilities like the one mentioned above are increasingly common as developers share components, including unsecured ones.
Breaking down the cyber-front door
The question is: what can hackers do with these attacks?
- The lack of encrypted protocols and use of factory default/simple-to-guess passwords means hijacking smart home devices can be pretty easy. Some attackers may want to do so in order to commit physical attacks, for example monitoring a property via its own CCTV feed and then unlocking a smart door lock to gain entry while the residents are out.
- However, more common is hijacking devices by cracking their passwords and conscripting them into a botnet. With these networks of compromised IoT devices, hackers can launch DDoS attacks against businesses, launch large-scale phishing campaigns, mine for crypto-currency, commit click fraud and more. One infamous DDoS attack powered in this way managed to take out some of the biggest websites on the internet.
- Researchers also warned last year that attackers are likely to target smart speaker vulnerabilities in 2019, using employees’ home networks as a route into enterprise networks.
- The router is another key target for smart home hackers: it’s the cyber-front door which, if opened, could provide access to key data including passwords to corporate accounts accessed from home.
The good news
Many of these challenges boil down to poorly engineered devices. That’s because many of the manufacturers entering the smart home space don’t have a strong track record in producing IT kit. They may not have any processes in place to find and patch software vulnerabilities, and may not prompt users to change passwords to strong credentials out-of-the-box.
That’s why legislation is making its way through Congress to fix this. The good news is that, although there are over 14,000 IoT manufacturers worldwide, 94% of all IoT devices are manufactured by just 100 vendors, according to Stanford. This will make it easier for lawmakers to put pressure on them, especially with even stronger legislation proposed in the UK and elsewhere.
However, legislation takes time to pass, and even longer to take effect. That means IT security leaders and home workers must take steps now.
A checklist for success
There’s not much IT leaders can do about the threat from botnet-conscripted IoT devices around the world. But they can at least take steps to educate home workers in the cyber risks associated with IoT gadgets, and draw up a checklist that may help prevent hackers attacking corporate networks via remote employees.
This should include:
- Create strong passwords for all IoT devices
- Switch on two-factor authentication for log-ins if available
- Protect mobile devices with AV
- Only download apps from official app stores
- Regularly check for firmware updates and apply ASAP
- Use WPA2 on home routers for encrypted Wi-Fi
- Disable UPnP and any remote management features
- Put all IoT devices on a separate guest network to restrict what hackers can reach
- Use VPNs for any log-ins to the corporate network
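
One check that fits this list, given the FTP and Telnet findings above: confirm that none of your own devices still accepts connections on those two services. The script below is an added example, not part of the original article or the Stanford/Avast research; the device addresses are constructed placeholders, and the function names are hypothetical. It only tests whether the standard ports answer and never attempts a log-in.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# The two cleartext log-in services the article names, on their standard TCP ports.
CLEARTEXT_SERVICES = {"ftp": 21, "telnet": 23}


def port_open(host, port, timeout=1.0):
    """Return True if host accepts a TCP connection on port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def audit_devices(hosts, services=CLEARTEXT_SERVICES, timeout=1.0):
    """Map each host to the sorted names of the cleartext services it exposes."""
    jobs = [(h, name, port) for h in hosts for name, port in services.items()]
    with ThreadPoolExecutor(max_workers=16) as pool:
        results = list(pool.map(lambda j: port_open(j[0], j[2], timeout), jobs))
    findings = {h: [] for h in hosts}
    for (host, name, _port), is_open in zip(jobs, results):
        if is_open:
            findings[host].append(name)
    return {h: sorted(names) for h, names in findings.items()}


def report(findings):
    """Turn audit results into one readable line per device."""
    lines = []
    for host, names in sorted(findings.items()):
        if names:
            lines.append(f"{host}: exposes {', '.join(names)} (log-ins sent unencrypted)")
        else:
            lines.append(f"{host}: no FTP/Telnet listener found")
    return lines


if __name__ == "__main__":
    # Constructed sample inventory: replace with addresses of devices you own.
    my_devices = ["192.168.1.1", "192.168.1.20"]
    for line in report(audit_devices(my_devices)):
        print(line)
```

Any device the script flags is a candidate for switching the service off in its admin interface, a firmware update, or a move to the guest network.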