The password is king: IoT devices evolve but still prove vulnerable
Connected smart devices are generally considered to be a very convenient way to make our lives easier. But to what extent are they safe to use from a cybersecurity point of view? In 2015 Kaspersky Lab researchers decided to examine how real the threat behind the Internet of Things (IoT) was. The results were concerning, so 2 years later they conducted more research into the area. Of 8 randomly selected IoT devices, ranging from a smart iron to a smart spy vehicle, half were hackable due to weak password settings. Moreover, only 1 device satisfied the researchers’ requirements and proved to be secure.
IoT devices are basically devices with network connectivity, equipped with embedded technology that allows them to interact with each other or the external environment. Because of the large number and variety of devices available, the IoT has become an attractive target for cybercriminals. Attacks on it include, among others, the record-breaking DDoS attacks of 2016, which were launched with the help of a massive botnet made up of routers, IP cameras, printers and other devices. By successfully hacking IoT devices, criminals are able to blackmail people or spy on them. Other vectors can be even more dangerous. For example, your home network devices could be used to perform illegal activities, or a cybercriminal who has gained access to an IoT device could blackmail and spy on its owner, or extort money from them. The infected device can also simply be broken, though clearly this is by no means the worst thing that can happen.
With this in mind, Kaspersky Lab researchers decided to find out whether reports on smart ‘IoT’ products and the incidents that have occurred have changed the situation. To uncover the answer, they once again analysed several randomly selected smart devices, consisting of a smart battery charger, an app-controlled toy car, an app-controlled smart scale, a smart vacuum cleaner, a smart iron, an IP camera, a smart watch, and a smart home hub. The findings were truly worrying: of the 8 examined devices, only 1 satisfied the researchers’ security requirements.
What’s more, half of the devices could be compromised and simply exploited due to a lack of vendor vigilance in the password settings. This included having default passwords and an inability to change the password, while in some cases the password was even identical for all devices in the product line.
“At Kaspersky Lab we have been monitoring the issue of smart devices’ cybersecurity for years. We are now seeing that various reports on smart ‘IoT’ products and increasing levels of vendor vigilance have helped to decrease the volume of insecure smart devices. However, the problem is still there and smart devices still can bring harm to their owners, indicating that there is much more work to be done jointly by cybersecurity firms and vendors of connected devices,” notes Oleg Zaitsev, security expert at Kaspersky Lab.
Kaspersky Lab researchers advise users to take the following measures in order to protect themselves from buying vulnerable smart devices:
- Before buying an IoT device, search the Internet for news of any vulnerabilities. The Internet of Things is currently a very hot topic, and many researchers are doing a great job of finding security issues in products of this kind: from baby monitors to app-controlled rifles. It is likely that the device you are going to purchase has already been examined by security researchers, and it is often possible to find out whether the issues found in the device have been patched or not.
- It is not always a good idea to buy the most recent products released on the market. Along with the standard bugs you get in new products, recently-launched devices are more likely to contain security issues that haven’t yet been discovered by security researchers. The best choice is to buy products that have already been through several software updates.
- When choosing which part of your life you’re going to make that little bit smarter, consider the security risks. If your home is the place where you store many items of material value, it would probably be a good idea to install a professional alarm system that can replace or complement your existing app-controlled home alarm system, or to set up the existing system in such a way that any potential vulnerabilities will not affect its operation.
To overcome the threats, Kaspersky Lab has released a beta version of its solution for the "smart" home and the Internet of Things – the Kaspersky IoT Scanner. This free application for the Android platform scans the home Wi-Fi network, informing the user about the devices connected to it and their level of security.