Internet of Threats: How hackers make their way into our homes and how manufacturers can stop them
When we think of hacking, the image that usually comes to mind is that of hoodie-wearing masterminds entering the holiest and most secure places on the web: the Pentagon, NASA, financial institutes, Iran’s nuclear program or election results. But all along, the hackers that the industry should be worried about are less interested in the Pentagon and more interested in smart fridges, IP cameras, smart locks and so forth. Also, they probably don’t even wear a hoodie.
It’s time to forget every hacking cliché in the book and learn about the true dangers the smart home devices industry is facing today.
In this post, I hope to shed light on how vulnerable IoT devices have become. I will also suggest a new approach for end consumer cybersecurity protection that smart-device companies should follow.
If you’re looking to follow the evolution and progress of hacking methods, the first thing you should look at is the advancement of emerging technologies. The rule of thumb is that just like technology, hacking never stops developing and is always on the lookout for the latest trends and tools.
The mobile revolution, for example, opened up a whole new playground for hackers who suddenly had access to devices that end consumers constantly carry with them wherever they go. Data on location, communication channels, voice and camera help talented hackers become much more powerful and dangerous.
As IoT is now becoming a natural part of every aspect of our lives, hackers are about to enter a whole new playground.
During the last CES exhibition in Las Vegas, we invited participants to what we called a Hack Party, where we demonstrated how super easy and tempting it is for hackers to take over popular Smart Home devices that can be found in any home. For security experts who deal with cybersecurity breaches on a daily basis, this comes as no surprise.
It was interesting and alarming to see just how many IoT industry pros from the technology field were genuinely shocked to learn about the level of risks they unknowingly support.
The lowest hanging threat
There are a few good (or bad) reasons for hackers to consider home IoT devices an easy target:
- Riddled with vulnerabilities – the majority of IoT devices are pretty cheap and built around user experience and minimal, optimized resource consumption, with little to no attention to security. It is very common for IoT vendors to use a mechanism that promotes user experience or cost reduction but inherently creates security gaps and vulnerabilities. For example, IP camera manufacturers use P2P mechanisms to decrease the cost of device-cloud communication. However, this mechanism serves as an easy access point for hackers. As smart home device companies are quite naive and do not compensate for vulnerabilities by adding cybersecurity solutions that can overcome these faults, they play into the hands of the world’s hackers.
- End consumers are easy prey. For the public to realize that smart home devices pose risks, proof in the form of multiple unfortunate news stories is needed. Until then, many users fail to anticipate security breaches in new and seemingly innocent devices. We can all guess why someone would want to break into our banking app, but we probably don’t suspect our connected refrigerator in the same manner. In essence, users have no idea that their home devices are being compromised and might be part of a huge botnet, or that someone is using their credit card information. Also, with IoT, homes are becoming full of devices, but unlike organizations, there isn’t a CISO to take care of the security.
- It’s all connected. Once a hacker gets a foothold inside the LAN through one device, it’s game over. Hackers target our connected kitchen appliances because they are, well, connected. The road from our fridge to our phone, smart assistant and bank account has become shorter than ever. As we’ve mentioned before, home IoT devices provide access to every corner of our being within seconds.
For the hack of it
In addition to these devices being a convenient target, hackers have clear benefits in participating in this game:
- PR and glory. To be the first to hack a new technology or device is considered a badge of honor in the hacker community. One will earn the questionable admiration of fellow black-hatters, as well as media attention. Many hackers do what they do because they want us to talk about them. They seek attention and want to leave their mark, however negative it may be.
- Rising to the challenge or rising technologies. Hackers love solving riddles and puzzles. It would be better for everyone had they used their intelligence to advance the world instead of destroying it, but nevertheless, they are driven by the challenge of cracking the code and hacking new technologies.
- Data-driven. As we’ve mentioned, IoT devices provide access to a lot of crucial information, which allows hackers to commit identity theft and other crimes.
- Money, money, money. Through IoT devices, hackers can increase their chances of accessing bank accounts and cryptocurrency wallets, as well as use ransomware for monetary gain. Besides, a huge mass of devices can provide great computing power for crypto mining purposes.
A good example is the Mirai botnet, which emerged in late 2016 and caused a massive DDoS attack on the DNS provider Dyn, affecting the operations of Netflix, Visa, Twitter and many others. The Mirai worm exploited one simple thing – the fact that many IoT devices have open ports. As simple as that.
Built-in Endpoint protection
In 2016, it was revealed that Facebook CEO Mark Zuckerberg uses tape over his webcam. This proves that no one is safe from hacking, with DIY solutions signifying a need for better endpoint protection than what is currently offered to users. This logic remains very much true when discussing the threat behind IoT technology.
In many cases, device companies wholeheartedly believe that the level of protection they offer users is sufficient and are proven otherwise only after the fact. Today, most IoT device companies embrace security by design, which is a great starting point that should not be neglected. But in order to fully protect end customers, an additional, dynamic, real-time layer is required.
Consumer electronics-oriented companies should take a page out of the industrial IoT manufacturers’ book and step up their security game. Cybersecurity solutions should focus on anticipating and preventing attacks in the first place and, of course, on fixing and responding in real time to breaches that occur in spite of all the prevention measures that were taken.
History has taught us that public sentiment towards new technologies is heavily influenced by how safe they are considered to be, and it only takes a single malicious attack to ruin years of hard work. Just as hackers continue to come up with new ways to break into devices, cybersecurity measures should keep evolving and growing. There’s no rest for the wicked, and there shouldn’t be any for the good guys, either.
A real-time endpoint cybersecurity solution that is tailored to smart-home devices must be embraced by every home-IoT device company. It’s no longer a matter of choice, but a matter of being responsible versus being careless and compromising on the safety of your end consumer.