Hacking smart devices – the silent threat

(Ghostwritten for Dale Schembri)

Smart devices are becoming commonplace, and not just for personal use. IDC estimates that by 2025, there will be at least 41.6 billion smart devices connected to the Internet and that figure is getting closer every day – reaching more than 10 million in 2021 already. Multiple sources report that 83% of organizations have improved their efficiency by introducing IoT technology.

While your business may not be interested in an electric toothbrush that tells you if you’re brushing long enough, there are tons of other smart devices that you could go for. Some of the examples are smart security cameras for better security monitoring, smart light bulbs to save energy, smart locks to make office entry easier, smart atmosphere controllers and smart air purifiers to improve the work environment, and many more. It’s even possible that you might have some of these devices in your office already – even more likely if you’re working from your home. But are you aware of the security risks associated with these devices?

Your company probably pays a lot of attention to the security of web applications, internal networks and VPN connections, desktop computers and laptops both in the office and used by remote workers, possibly even mobile phones. But it’s quite common that Internet of Things (IoT) devices, such as those listed above, are exempt from any security policies. Unfortunately, they are often the first point of entry for malicious hackers because their manufacturers also often don’t pay much attention to security.

What can happen if your IoT device is hacked?

It is quite probable that your IoT device connects to the Internet via one of your internal networks. That means that once a malicious hacker gets into that device, they have access to resources that are normally not exposed to external threats and are therefore less meticulously protected. The attacker may scan your network and try to get into other systems. Some IoT devices, depending on their operating system, may even allow the attacker to introduce ransomware to your internal network.

While the above is the worst-case scenario, there are other annoying consequences of such an attack. Malicious hackers often take over smart devices for two primary purposes: to use them in DDoS attacks and to install cryptocurrency miners. In the first case, your business becomes an unwilling agent in a criminal operation against another business – not the best way to maintain a good reputation. In the second case, you help criminals fund their campaigns – at a small cost of an increased electric bill and lower efficiency of the device.

All in all, having a smart device that is prone to hacking is not a good idea. But how common are attacks against insecure devices? Armin Ziaie Tabari, Xinming Ou, and Anoop Singhal – researchers from the National Institute of Standards and Technology (NIST) and the University of Florida – conducted a very complex, three-year study of IoT security and came up with some interesting results.

Luring malicious hackers to fake IoT devices

The researchers came up with an ingenious way to know how often IoT devices are targeted and by what attacks – they used a massive network of honeypots. The term honeypot means a fake system or device that is made to resemble a real one. However, such a fake system or device is placed in a safe environment and if it’s hacked, it can do no harm – but lets researchers observe the hacking process.

In this study, researchers used open-source and commercial honeypot software to create network endpoints that would look to an attacker just like IoT devices and that were configured to be intentionally insecure. These honeypots were placed in honeypot server farms, which in turn were hosted both on on-premises servers and in AWS/Azure instances in multiple countries. Once the honeypots were up and running, the endpoint addresses were submitted to two search engines that help find IoT devices: Censys and Shodan. The bait was set. Now all the researchers needed to do was wait for malicious hackers to find these devices and attempt to hack into them.

The experiment took three years – that’s much more than needed to see a lot of attacks on the honeypots. That amount of time was required for researchers to analyze the data from each wave of attacks and then adjust configurations and defences to see how effective they are in preventing further attacks. This way, the experiment not only provided lots of information on the threat landscape but also showed the efficiency of protection techniques.

The shocking results of the experiment

During the three years of the experiment, fake IoT devices were attacked by malicious hackers 22.6 million times. Over 75% of these attacks were aimed at honeypots that were made to emulate the most common software used for smart devices: BusyBox. Fewer attacks targeted honeypots made to resemble typical smart security cameras and those that emulated Windows-based systems.

Attackers used different methods to get into the honeypots, including vulnerabilities unique to devices from specific manufacturers and typical default username/password combinations. Almost a million attacks were attempts to log into the honeypot using the combination: admin and 1234. Fewer attempts were based on combinations such as root with an empty password, admin with an empty password, admin/admin, and similar.
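
As an added example (not part of the study or of the original article), the same kind of tally can be run over your own honeypot or device login logs to see which default pairs are being tried and which sources got in with them. The log format, the function name `analyze` and the sample lines are constructed assumptions; only the four credential pairs come from the text above.

```python
import re
from collections import Counter, defaultdict

# Default username/password pairs named in the article ("" = empty password).
DEFAULT_PAIRS = {("admin", "1234"), ("root", ""), ("admin", ""), ("admin", "admin")}

# Assumed log format (constructed for this example, not a real product's):
#   <timestamp> <source-ip> login user=<name> pass=<password> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) login user=(?P<user>\S*) "
    r"pass=(?P<pw>\S*) result=(?P<res>ok|fail)$"
)

# Constructed sample lines; addresses are from documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2021-06-01T02:14:07Z 192.0.2.10 login user=admin pass=1234 result=ok
2021-06-01T02:14:09Z 192.0.2.10 login user=admin pass=admin result=fail
2021-06-01T02:15:30Z 198.51.100.7 login user=root pass= result=fail
2021-06-01T02:16:02Z 203.0.113.5 login user=operator pass=Tr1cky-Long-Phrase result=fail
garbled line that should be skipped
2021-06-01T02:17:44Z 198.51.100.7 login user=admin pass=1234 result=fail
"""

def analyze(log_text):
    """Tally default-credential login attempts in the assumed log format.

    Returns (attempts per default pair, sources that logged in with a default
    pair, distinct default pairs tried per source, unparseable line count).
    """
    pair_counts = Counter()
    logged_in = set()
    pairs_by_src = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # count malformed lines instead of failing
            continue
        pair = (m["user"], m["pw"])
        if pair not in DEFAULT_PAIRS:
            continue              # not one of the default combinations
        pair_counts[pair] += 1
        pairs_by_src[m["src"]].add(pair)
        if m["res"] == "ok":
            logged_in.add(m["src"])
    return pair_counts, logged_in, dict(pairs_by_src), skipped

if __name__ == "__main__":
    counts, logged_in, by_src, skipped = analyze(SAMPLE_LOG)
    print(counts.most_common(), sorted(logged_in), skipped)
```

A source that cycles through several default pairs is very likely automated, and any device on which such a login succeeds needs its credentials changed before anything else.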

The attacks were meant mostly to make the hacked device part of a DDoS bot network or to install the Mirai cryptocurrency miner. The Windows-based honeypots were also often infected with viruses, trojans, and rootkits. Once the attackers acquired access to the honeypots, they also attempted several types of further attacks aimed at internal networks, including finding other systems connected to the same network and scanning these systems for potentially open ports.

What does this mean for you?

The huge number of attacks on these fake smart devices is the best proof that your smart device is most probably undergoing such attack attempts too. What can you do to protect yourself?

  • First of all, ensure that your smart devices don’t use the default username and password combinations and establish secure, long passwords for administrative access.
  • Second of all, make sure that your IoT devices are connected to isolated networks – ones that don’t let attackers move any further.
  • Third of all, configure your firewalls and web application firewalls to protect your IoT devices as much as possible by closing unneeded ports and blocking typical attack patterns.
  • Fourth of all, if your smart devices enable firmware updates, make such updates part of your general security policy, just as you regularly update your server software for security reasons.
  • Finally, research online whether devices that you use are susceptible to certain types of attacks and if no solution is available from the manufacturer, consider scrapping them and purchasing secure alternatives instead.

At BMIT Technologies, we guide you through the whole process of designing and setting up your secure networks, both at your premises as well as in the cloud or our multiple data centres. Get in touch with us and let’s discuss how best to ensure your business is as secure as possible.
