IoT threats: Explosion of ‘smart’ devices filling up homes leads to increasing risks

How many insecure devices or “things” in your home connect to the Internet? How will you protect them all?

The pace that “things” are being connected is blistering.  Cisco projects that beyond smartphones, tablets, and PCs, the average person in North America will have 14 networked devices by 2020. A Western European will have nine.

Personal assistants, such as Amazon Alexa or Google Home, show the explosive growth possible for connected devices. The category barely existed in 2015. By 2018, these devices could be found in nearly a quarter of American homes and 12% for European families.

This massive amount of computing power accumulating in home is proving to be an attractive lure for criminals. 

IoT Threat Landscape: Old Hacks, New Devices, a new report from F-Secure, finds that 2018 may be the turning point. The threats targeting vulnerable IoT devices can no longer be ignored, especially by those consumers count on for internet access.

New devices, same mistakes

In the first half of 2018, both Interpol and the FBI warned consumers that IoT devices—such as routers, cameras and DVRs—need to be secured the way we secure our PCs and mobile devices.

“Cyber actors typically compromise devices with weak authentication, unpatched firmware or other software vulnerabilities, or employ brute force attacks on devices with default usernames and passwords,” the FBI said.

IoT threats have been targeting weak passwords for over a decade. Manufacturers have not caught up. In recent years, the leaking of source code for IoT malware ending up online “for research purposes” has helped lead to more advanced threats.

“Weak passwords, known vulnerabilities, updates that rarely or never come. We’ve seen this all before,” said F-Secure Operator Consultant Tom Gaffney. “We’re making the same mistakes we saw in the 90s all over again. Only now, there’s no excuse. We should know better.”

Easy prey—especially routers

More than 8 and 10 home and office routers were vulnerable to hacking, according to a 2018 study by the American Consumer Institute. This included five of the six major brands. It’s entirely possible that a router might have been hacked without the user even knowing it. With a technique called DNS hijacking, hackers can redirect traffic to a phishing website, where consumers may offer up a credit card number or login credentials.

The number of IoT threats observed by F-Secure Labs doubled in 2018, growing from 19 to 38 in the space of a year. But many of these threats still use predictable, known techniques to compromise devices. Threats targeting weak/default credentials, unpatched vulnerabilities, or both, made up 87% of observed threats.

Numerous IoT threats emerged focused on mining cryptocurrencies. Many of these threats were built off the leaked source code of the Mirai malware, which hijacks Linux devices to use the computing power as part of a botnet of zombie machines often to execute denial of service (DDoS) attacks.

IoT or connected devices—does the difference even matter?

Of the attacks observed by F-Secure’s honeypots in 2018, 59%, were attacks targeting Telnet– a trend F-Secure Labs attributes to the spread of Mirai malware. Jarno Niemelä, Principal F-Secure Labs Threat Researcher, has said “the types of new devices that Mirai attacks have no business of being visible to the Internet.”

These unpatched IoT devices are “low-hanging fruit” for criminals. And while their infections are not as obvious as a ransomware attacks, they can suck out system resources to disrupt or slow internet connections.

Larger manufacturers like Amazon have been able to harden their connected home devices effectively—with the help of ethical hackers like our own Mark Barnes, who executed the first hack of an Echo. But there are still countless vulnerable devices in use. In addition, the PC and mobile devices that many people rely upon more than any “smart” appliances often go unsecured.

Secure everything, in and out of the home

“Smart homes” are increasingly become their own ecosystems. The security of one device could potentially affect the reliability of the others.

Despite massive adoption, consumers continually express privacy concerns about connecting more and more of their homes to the Internet. Research shows that more consumers know about the IoT, the more concerns they tend to have.

“In a connected home, your smart TV may connect to your wireless printer. Your game console may start communicating with your smart light bulb,” said Timo Laaksonen, F-Secure’s Head of Operator Business, Americas. “They have no business taking such actions.”

The thought of having a hacked device in your kitchen or bedroom turned into a “wiretap” rightly has users concerned. But the smartphones we carry in our pockets are just as likely to be listening to us as our Echo. Even our “smart” security system could be listening with a microphone we didn’t know it had.

Securing the home increasingly depends increasing on securing all of the devices that go into them — whether they’re in the home or not.