Internet-connected devices can be compromised and ESET presents 5 cases that affected common home devices.
ESET
The world of the Internet of Things (IoT) has grown in the last decade and more and more everyday devices are interconnected with each other, forming this universe. ESET reviews the most emblematic cases of attacks on home devices and shares keys to avoid being a victim.
"Everything that connects to the internet can be hacked, this maxim will not lose validity and, in recent years, there have been cases that give it credence. Attacks were identified that targeted devices that are very present in homes and perhaps most do not know that they can be hacked," says Fabiana Ramirez Cuenca, Computer Security Researcher at ESET Latin America.
Home devices have opened new doors for cybercrime. One of the factors that facilitates them is the fairly widespread use of weak or default passwords that can be easily guessed.
ESET reviews 5 stories in which cybercrime found a new way to perpetrate attacks on home devices, with important consequences:
The endearing spy: in 2017, a harmless teddy bear became the key factor in leaks of private conversations, and even sensitive data of minors.
The company Fisher-Price in the United States launched a revolutionary plush toy that connected to the Internet to send and receive voice messages. With the aim of enhancing communication between parents and children, and growing their bond even at a distance. The problem was that all those messages (family and private) were stored on the servers of the company that never foresaw a computer attack, and that is why it was very easy for the cyberattackers to obtain more than two million voice recordings, and also sensitive data about minors who were registered on the platform.
The bank jumped: this attack refers to the hacking of a Las Vegas casino, through a thermostat of a fish tank that was located in one of its rooms.
This fish tank had sensors connected to a computer in order to regulate temperature, amount of food and even the cleaning of the tank. The malicious actors managed to infiltrate the network thanks to a vulnerability in the smart thermometer of this aquarium located in the lobby, and thus, access the casino's database. In 2017 they broke the bank, obtaining sensitive information, such as names of high rollers of the casino.
Rear Camera: In December 2019, Ring security cameras had a sales boom, not knowing that this would put the privacy of their users at risk. As reported by news sites, a family suffered the hacking of this device that had a weak password configured. Thanks to special software, explains the Vice site, the attackers were able to process usernames, email addresses and passwords in order to log in to the victims' accounts.
The malicious actors were able to access the control of the camera, and thus what should have been a tool to monitor his little daughter's room from a mobile app, ended up being a window to malicious third parties. While there are several cases, it reviews that of a woman in Texas, who was contacted by a voice coming out of the camera, claiming to be from the Ring support team, to report a problem with her camera. To fix it, he had to pay 50 Bitcoins. The issue escalated and the woman later received threats, where the attacker claimed to be very close to her home. The solution on the part of the victim was to turn off the camera and even remove the battery.
A dangerous home army: Mirai was a botnet that was discovered in 2016, and soon became known for carrying out an almost unprecedented DDoS attack. On that day, the Domain Name System service provider Dyn was the victim of a sustained DDoS attack, which had very important consequences, such as outages on sites and services such as Twitter, Airbnb, Reddit, Amazon, SoundCloud, Spotify, Netflix and PayPal, among many others.
A botnet, a combination of the words "robot" and "network", refers to a group of computers infected by malicious code that communicate with each other and are controlled by an attacker, having their resources available to work together and distributed. The Mirai botnet's hallmark was that its "army" of more than 600,000 devices was made up of home routers, video recorders, surveillance cameras, and any other type of smart devices, which were not properly protected, misconfigured, or had weak passwords.
Not everything is going smoothly: although in this case it is highlighted that there were no malicious intentions, but behind it were two ethical hackers who sought to demonstrate how a vulnerability could be the key to entry to take control of a car remotely.
In 2015 when Charlie Miller and Chris Valasek put into practice a hacking technique, which could give them wireless control of the vehicle. As a result, the vents began to send cold air to the maximum, changes were evident in the radio dial, and even the windshield wipers were activated, fogging up the glass. Due to this test, the automaker recalled some 1.4 million vehicles sold in the United States.
ESET, they comment that one of the keys to reducing the risk of this type of hack is to keep devices up to date with their respective updates, since most vulnerabilities are usually fixed in a very short time. They also recommend managing the change of those passwords that come from the factory for a more robust one. That is, it must include capital letters, numbers and special characters; and obviously that it is not being used on another account or device.
"In addition, it is key to configure the devices correctly and securely. This includes disabling those ports and services that are not being used, and avoiding default settings. As we always mention, it is essential to have the second authentication factor enabled on as many devices as possible," adds Ramirez Cuenca of ESET Latin America.