IoT Devices: The Gift that Keeps on Giving… to Hackers

McAfee Advanced Threat Research on Most Hackable Gifts

You’ve probably noticed the recent increase in Internet-connected drones, digital assistants, toys, appliances and other devices hitting the market and maybe even showing up in your own home. The sale of these “Internet-of-Things” (IoT) devices is expected to reach 600 million units this year[1] and, unfortunately, security has sometimes become a casualty of the race among manufacturers to be the first to sell these smart gadgets into millions of homes. This has provided potentially millions of opportunities for hackers to see what devices they can compromise and possibly even control. In the past year, hackers and security researchers were able to bypass the security of a range of these IoT devices.

Toys

It was discovered early this year that the Cayla doll could allow hackers to take control of the toy and record video and audio without the user’s consent. A demonstration by the National Cyber Security Centre in London also shows the doll could be used to unlock smart locks, allowing criminals to compromise your home through the front door.[2] The flaw is so serious that Germany’s Federal Network Agency required retailers to pull the dolls off shelves, banning them throughout the country.[3] In the United States, the Federal Bureau of Investigation (FBI) also released a public service announcement alerting the public to the potential risk Internet-connected toys pose.[4] The defect in the Cayla doll lies in the insecure Bluetooth connection, allowing anyone to listen and converse through the doll using an ordinary mobile phone.

Similar security flaws were recently found in multiple children’s watches being sold across Europe and the UK.[5] Security experts commissioned by the Norwegian Consumer Council found the smart watches could allow outsiders to track the child through the GPS signal, access personal data on the device, disable the emergency SOS function, and remotely listen to the youngster without the knowledge of a parent or guardian. On a positive note, the manufacturers behind the watches have responded responsibly and either have corrected the defects or are in the process of doing so.

Cameras

Internet-connected cameras and baby monitors have been around for a few years, but manufacturers are still shipping insecure devices. A quick search on the IoT search engine Shodan for the word “IPCamera” shows more than 39,000 in total. This year saw multiple stories surface involving hackers able to remotely control cameras, record video and audio, and even speak to children.[6] We often see consumers configure cameras with remote access, but fail to put in place the correct security controls. Failure to change default passwords or use of weak passwords is a common offense among users. In other instances, the manufacturer of the device uses outdated third-party software or leaves ports open by default.

*Top Countries – Shodan results for searching “IPCamera.”*

*HTTP banner of an IoT device on the Internet leaking the default credentials.*

Digital Assistants

Controlling your smart devices with digital assistants from Apple, Amazon, Google, and others is a neat way to control lights, appliances, and the home’s A/C unit. Researchers from Zhejiang University in China released a report[7] in August showing it’s possible to interact with the assistant using inaudible ultrasound commands. The scientists dubbed their findings the “DolphinAttack” and could issue commands to the device at a frequency that is too high for humans to hear but was still understood by a range of assistants, including Siri, Google Now, Cortana, and Alexa. The researchers demonstrated it’s possible for someone to issue a range of commands from a distance without anyone near the device realizing the assistant was being controlled remotely.[8] Although no real-world hacks are known at this time, it’s safe to say hackers are well aware of the vulnerability.

Drones

Drones will most certainly be at the top of many a Christmas list this year. The market has exploded and sales of drones for personal use are expected to be over $2 billion globally in 2017.[9] With that many drones in the sky, and ample evidence that the devices can be hijacked, the security world has taken serious notice. Security researcher Jonathan Andersson[10] demonstrated how he was able to take control of a drone mid-flight, resulting in the owner losing complete control. The flaw lies in the wireless transmission control protocol DSMx, which is used in the communication between radio controllers and many remote-control devices, including drones. The researcher created a hardware device which takes advantage of the DSMx protocol flaw and allows him to make the hijacked drone perform a range of movements, including stopping, starting, and steering. The good news is the hacking device was not made public, but that won’t stop hackers from attempting to make their own similar gadget to take control of drones from unsuspecting users.

It’s not uncommon for hackers to prey on the latest popular Internet-connected devices. Millions of IoT devices will be purchased this holiday season, and consumers will be well-served to do their homework. You don’t need to become an expert, but reading the user’s manual before connecting a device to the Internet is a good practice to make sure the gadget is set up properly. Make sure to also keep the device’s firmware up to date, downloading any manufacturer updates to safely fix any newly discovered vulnerabilities. If you’re purchasing an IoT device as a gift, make sure to research it first for known vulnerabilities so you don’t get caught giving a gift that could turn out to be a security risk. It only takes one hacked device that is connected to your home’s Wi-Fi to allow personal data to be stolen, devices to be hijacked, or your connected gadgets themselves to become part of a botnet of infected systems that hackers use to launch attacks on other home and business systems.[11]

[1] https://www.cta.tech/News/Press-Releases/2016/January/Record-Year-Ahead-Consumer-Enthusiasm-for-Connect.aspx

[2] http://www.bbc.com/news/av/technology-38966285/how-hackers-could-use-doll-to-open-your-front-door

[3] https://www.bundesnetzagentur.de/SharedDocs/Pressemitteilungen/EN/2017/17022017_cayla.html

[4] https://www.ic3.gov/media/2017/170717.aspx

[5] http://www.dailymail.co.uk/sciencetech/article-4991102/Is-stranger-hacking-child-s-smart-watch.html

[6] http://www.americanow.com/story/society/2017/03/16/parents-warn-others-after-baby-monitor-gets-hacked

[7] https://arxiv.org/pdf/1708.09537.pdf

[8] https://www.theverge.com/2017/9/7/16265906/ultrasound-hack-siri-alexa-google

[9] https://www.gartner.com/newsroom/id/3602317

[10] https://thehackernews.com/2016/10/how-to-hack-drone.html

[11] https://en.wikipedia.org/wiki/Botnet
