Kathy Gibson is with Kaspersky Lab in Cape Town – Security threats surrounding the Internet of Things (IoT) are growing as quickly as the IoT itself.
IoT may seem like a pipe dream but it is a reality today – and it’s present in many homes, companies, factories and utilities.
Maher Yamout, senior security researcher: Global Research and Analysis Team at Kaspersky Lab, points out that robots are used in many different scenarios.
IoT devices are connected via gateways to the Internet and from there to the servers, databases, storage and applications in the cloud. The user is able to control the IoT devices from his own device that also connects to the cloud.
Within this scenario there are many security vulnerabilities: the IoT sensors, the gateway, and any of the connections – from sensor to gateway; from gateway to Internet and cloud; and from user to cloud.
“Anyone snooping on those channels will be able to intercept that information,” Yamout explains.
The hacker can gain a wealth of value from hacking IoT devices, he adds.
They can be used for bot attacks, for DDoS attacks, for cryptomining or anonymisation proxy. They can also be used to gain credentials like WiFi or network passwords.
Physical attacks are also possible – to unlock smart home doors, unlock smart cards or hijack a stolen device.
New IoT malware grew three-fold in 2018 when 120 000 IoT devices were attacked – more than triple the number attacked in 2017.
“So what could go wrong?” asks Yamout.
Real cases have seen security cameras, webcams, baby monitors, doorbells and digital video recorders exposed. In another instance, a smart scooter network was hacked to play rude messages.
A case where baby monitors were hacked saw criminals threatening parents.
The BrickerBot is a vigilante network that destroys insecure IoT devices.
There are 7-billion IoT devices connected to the Internet worldwide, Yamout points out. The cost of these could run into millions of dollars.
“Another type of future IoT threat lies in drones,” he adds. “There is a boom in drone usage, but there are risks attached.”
A DDoS attack could cause a loss of control and the drone might crash into an object or human; it could be hijacked and stolen; the video feed could be intercepted to breach privacy or for espionage; maritime or aviation disruption is a risk, causing drones to fly near landing spaces or obstructing navigation.
In the future, drones could be held for ransom in a blackdroning attack, where the criminal could threaten to crash the drone into an object or person, or use it to perform a criminal action.
Kaspersky Lab statistics show that 93% of IoT attacks are a result of weak passwords. “So good password hygiene is the best way of safeguarding against IoT attacks,” says Yamout.
Most devices are shipped with standard passwords, which are vulnerable by default, he warns.
Yamout urges users to know the security and operational features of their devices in order to assess the risks.
Users should also assess and minimise the threat surface in their homes.
To demonstrate how easy it is to hack IoT devices, Reuben Paul (also known as the Cyber Ninja), cybersecurity ambassador and child hacker, gave a live demo on taking over a drone.
How a drone works is that the controller gives off a mobile or hotspot signal to connect to the devices.
Paul intercepts this connection to take control of the drone, drive it and get video footage.
Yamout demonstrated that he was connected to the drone, while Paul scanned the room for networks to identify which belonged to the drone.
Having identified it, he then scanned the relevant channel to find the device associated with the connection. Once that was accomplished, he quickly disconnected the drone from the controller and connected to the new controller.
This happened within seconds, and allowed Paul to get a video feed from the drone. He was also able to fly it and could have sent it to a new destination or even crashed it if he chose.