Surviving in the IoT world

May 2016 Cyber Security

Taking a random selection of the latest Internet-of-Things (IoT) products, Kaspersky Lab researchers have discovered serious threats to the connected home. These include a coffeemaker that exposes the homeowner’s Wi-Fi password, a baby video monitor that can be controlled by a malicious third-party, and a smartphone-controlled home security system that can be fooled with a magnet.

In 2014, Kaspersky Lab’s security expert David Jacoby looked around his living-room and decided to investigate how susceptible the devices he owned were to a cyber-attack. He discovered that almost all of them were vulnerable. Following this, in 2015 a team of Kaspersky Lab antimalware experts repeated the experiment with one difference: while David’s research was concentrated mostly on network-attached servers, routers and Smart TVs, this latest research was focused on the various connected devices available on the smart home market.

The devices selected for the experiment were as follows: a USB-dongle for video streaming, a smartphone-controlled IP camera, a smartphone-controlled coffee maker, and a smartphone-controlled home security system. The investigation discovered that almost all of these devices contained vulnerabilities.

A baby-monitor camera in the experiment allowed a hacker, while using the same network as the camera owner, to connect to the camera, watch the video from it and launch audio on the camera itself. Other cameras from the same vendor allowed hackers to collect owner passwords and the experiment showed it was also possible for a hacker on the same network to retrieve the root password from the camera and maliciously modify the camera’s firmware.

When it comes to app-controlled coffeemakers, it’s not even necessary for an attacker to be on the same network as the victim. The coffeemaker examined during the experiment was sending enough unencrypted information for an attacker to discover the password for the coffeemaker owner’s Wi-Fi network.

When looking at a smartphone-controlled home security system, Kaspersky Lab researchers found that the system’s software had just minor issues and was secure enough to resist a cyberattack. Instead, the vulnerability was found in one of the sensors used by the system.

The contact sensor, which is designed to set off the alarm when a door or a window is opened, works by detecting a magnetic field emitted by a magnet mounted on the door or window. When the door or window is opened the magnetic field disappears, causing the sensor to send alarm messages to the system. However, if the magnetic field remains in place, no alarm will be sent.

During the home security system experiment, Kaspersky Lab experts were able to use a simple magnet to replace the magnetic field of the magnet on the window. This meant they could open and close a window without setting off the alarm. The big problem with this vulnerability is that it is impossible to fix it with a software update; the issue is in the design of the home security system itself. What’s more concerning is that magnetic field sensor-based devices are common types of sensors, used by multiple home security systems on the market.

“Our experiment, reassuringly, has shown that vendors are considering cybersecurity as they develop their IoT devices. Nevertheless, any connected, app-controlled device is almost certain to have at least one security issue. Criminals might exploit several of these issues at once, which is why it is so important for vendors to fix all issues – even those that are not critical. These vulnerabilities should be fixed before the product even hits the market, as it can be much harder to fix a problem when a device has already been sold to thousands of homeowners,” said Victor Alyushin, security researcher at Kaspersky Lab.

In order to help users protect their lives and loved ones from the risks of vulnerable smart home IoT devices, Kaspersky Lab experts advise them to follow several simple rules:

1. Before buying any IoT device, search the Internet for news of any vulnerabilities within that device. The IoT is a very hot topic and a lot of researchers are doing a great job of finding security issues in products of this kind: from baby monitors to app-controlled rifles. It is very possible that the device you are going to purchase has already been examined by security researchers and it is possible to find out whether the issues found in the device have been patched.

2. It is not always a great idea to buy the most recent products released on the market. Along with the standard bugs you get in new products, recently-launched devices might contain security issues that haven’t yet been discovered by security researchers. The best advice here is buy products that have already experienced several software updates.

3. When choosing what part of your life you’re going to make a little bit smarter, consider the security risks. If your home is the place where you store many items of material value, it is probably a good idea to choose a professional alarm system, that can replace or complement your existing app-controlled home alarm system; or set-up the existing system in such a way that any potential vulnerabilities would not affect its operation.

4. When choosing a device that will collect information about your personal life and the lives of your family, like a baby monitor, it may be wise to choose the simplest RF-model on the market, one that is only capable of transmitting an audio signal, without Internet connectivity. If that is not an option, then follow our first advice – choose wisely.

Read the full article: Surviving in the world of IoT: How to Use Smart Devices and Stay Safe from Hackers at https://securelist.com/analysis/publications/66207/iot-how-i-hacked-my-home/ (short URL: https://goo.gl/27Xh6U).





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Pwn2Own hacking contest to include industrial control systems
October 2019 , Cyber Security
As IT and OT converge under Industry 4.0 and digital transformation initiatives, security gaps are emerging in a range of popular industrial control systems.

Read more...
Stolen credentials on the Dark Web
October 2019 , Cyber Security, Security Services & Risk Management
Over 21 million credentials belonging to Fortune 500 companies, 16 million of which were compromised during the last 12 months, are up for sale.

Read more...
Stolen credentials on the Dark Web
October 2019 , Cyber Security, Security Services & Risk Management
Over 21 million credentials belonging to Fortune 500 companies, 16 million of which were compromised during the last 12 months, are up for sale.

Read more...
The importance of XDR for cyber protection
October 2019 , Cyber Security, Products
35% of South African organisations are expecting an imminent cyberattack and a further 31% are bracing for it to happen within a year, according to local research conducted by Trend Micro.

Read more...
Enterprise security must change
October 2019 , Cyber Security, Security Services & Risk Management
The recent wave of cyberattacks against local banks has highlighted the importance of protecting data against malicious users.

Read more...
Kaspersky uncovers zero-day in Chrome
October 2019, Kaspersky Lab , News, Cyber Security
Kaspersky’s automated technologies have detected a new exploited vulnerability in the Google Chrome web browser.

Read more...
Cybersecurity for video surveillance systems
September 2019 , Cyber Security, CCTV, Surveillance & Remote Monitoring
Video surveillance systems are increasingly accessible over any IP network, which has led to the rise of potential cyberattack.

Read more...
Cyber-securing your surveillance infrastructure
CCTV Handbook 2019, Genetec, Hikvision South Africa , Editor's Choice, CCTV, Surveillance & Remote Monitoring, Cyber Security
When it comes to cybersecurity, understanding the risks and the solutions as well as engaging in open communication helps everyone.

Read more...
Cybersecure surveillance partnership
CCTV Handbook 2019, Bosch Building Technologies, Genetec , Cyber Security, CCTV, Surveillance & Remote Monitoring
With Bosch and Genetec, you can feel confident that your data is protected by one of the world?s best security solutions, end to end, day after day.

Read more...
Keeping your things to yourself
October 2019, Technews Publishing , Editor's Choice, Cyber Security, Integrated Solutions, IT infrastructure
Three experts spoke to Hi-Tech Security Solutions to offer advice on keeping your IoT working for you and not for cyber criminals.

Read more...