Stay aware: You can experience an attack from your employee’s vacuum cleaner

2020 09 02

Breaking into a computer or phone is not an easy task even for an experienced hacker, so in recent years the villains have turned their sights to other devices. More precisely, billions of them. We are talking about the Internet of Things (IoT) – internet-connected devices whose security usually gets little attention from manufacturers or from the people who use them.

Research and consulting giant Gartner estimates that there are currently close to 6 billion IoT devices worldwide. Other research companies provide even higher figures. They include a wide range of devices that can connect to the Internet in one way or another, from baby surveillance cameras, smart lamps, thermometers and other small devices, to voice control assistants, smart vacuum cleaners and TVs.

“Many people do not consider these devices to be computers, although they have all the essential components and, most importantly, can connect to the Internet. This is what attracts hackers: since these devices are unprotected and vulnerable, they can easily be used both for hacking into the home network and in the preparation of large-scale attacks,” says Irmantas Bankauskas, Head of Sales of Baltic Amadeus.

Even the giant companies experience IoT attacks

We have seen many times how powerful and devastating IoT zombie attacks can be: from Stuxnet, Silex and Mirai to the latest Dark Nexus, Mukashi and LeetHozer. These networks of infected devices are typically created by scanning the internet for unprotected IoT devices that can be accessed using standard, publicly known passwords.

Once tens or even hundreds of thousands of such “zombies” are triggered, powerful distributed denial-of-service (DDoS) attacks begin: a large number of IoT devices simultaneously send requests to a specific system. While the system attempts to respond to bogus requests from thermometers, cameras and pumps, real users cannot access it. IoT attacks have hurt even giants like Twitter, Reddit, Netflix, Airbnb and others.

“The risk is exacerbated by the fact that there are many types and manufacturers of IoT devices, different operating principles and protocols for each device, encryption methods. If security vulnerabilities are discovered on a commercial device, it is difficult to install security updates and the problems remain unresolved. In addition, IoT devices have a larger population of attack vectors, as they often use additional systems, such as a mobile app or online application, which can also be used in attacks,” notes I. Bankauskas.

Break-ins through both cameras and thermometers

But it does not stop at DDoS attacks: using IoT devices, hackers can break into a corporate or home network and thus access other devices or even internal systems connected to it.

There have been several such examples. Perhaps the most famous was the case in which hackers connected to a casino's aquarium thermometer and managed to extract an internal database with players’ personal data. There have also been repeated reports of breaches of baby surveillance cameras that enabled hackers to monitor or even speak to babies. And in 2016, the inhabitants of two apartments in the Finnish city of Lappeenranta suffered the cold for almost a week, as their thermostats were attacked by hackers.

The Baltic Amadeus expert stresses that companies should not wait for IoT attacks and break-ins, but prepare for them. “To ensure the security of the company’s devices and systems when people work in the office, it is possible to use a variety of means, from encryption and monitoring of the internal network, to limiting access. However, as a result of quarantine, the relocation of workers to their homes has made this task much more difficult. At the same time, a home network that connects people to internal company systems and sends sensitive data can be used by a dozen other devices that the company’s IT specialists cannot monitor or control in any way,” says I. Bankauskas.

There are several solutions. First, use separate Internet access for work purposes, such as mobile Internet. Second, secure communications through a virtual private network. Third, limit access to the company’s systems to specific, known devices. Fourth, introduce a system that analyses network and system activity and warns of suspicious behaviour.
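
The third and fourth measures can be prototyped over remote-access logs. The following is an added example, not part of the original article: the log format, device IDs, thresholds and sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of VPN gateway log lines (hypothetical format).
SAMPLE_LOG = """\
2020-09-02T08:01:10 device=LT-0412 user=jonas src=10.8.0.12 result=ok
2020-09-02T08:03:41 device=LT-0733 user=ruta src=10.8.0.15 result=ok
2020-09-02T08:05:02 device=vacuum-7f3a user=admin src=10.8.0.44 result=fail
2020-09-02T08:05:09 device=vacuum-7f3a user=root src=10.8.0.44 result=fail
2020-09-02T08:05:15 device=vacuum-7f3a user=admin src=10.8.0.44 result=fail
2020-09-02T09:30:00 device=LT-0733 user=ruta src=10.8.0.15 result=fail
"""

KNOWN_DEVICES = {"LT-0412", "LT-0733"}  # hypothetical allowlist of company laptops
MAX_FAILS = 3                           # assumed threshold for a login burst
WINDOW = timedelta(seconds=60)          # assumed sliding window
LINE_RE = re.compile(r"(\S+) device=(\S+) user=(\S+) src=(\S+) result=(ok|fail)")

def analyse(log_text, known_devices=KNOWN_DEVICES):
    """Return (alert_type, subject) tuples in order of first occurrence."""
    alerts = []
    recent_fails = defaultdict(deque)   # src -> timestamps of recent failures
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.fullmatch(line)
        try:
            when = datetime.fromisoformat(m.group(1)) if m else None
        except ValueError:
            when = None
        if when is None:                # never silently drop lines we cannot read
            alerts.append(("unparsed_line", line))
            continue
        _, device, _user, src, result = m.groups()
        # Measure 3: only specific, known devices should reach company systems.
        if device not in known_devices and ("unknown_device", device) not in alerts:
            alerts.append(("unknown_device", device))
        # Measure 4: repeated failed logins from one source inside the window.
        if result == "fail":
            window = recent_fails[src]
            window.append(when)
            while when - window[0] > WINDOW:
                window.popleft()
            if len(window) >= MAX_FAILS and ("failed_login_burst", src) not in alerts:
                alerts.append(("failed_login_burst", src))
    return alerts

if __name__ == "__main__":
    for kind, subject in analyse(SAMPLE_LOG):
        print(f"ALERT {kind}: {subject}")
```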