Do not throw smart bulbs in the trash, or the danger of IoT



According to analysts at GlobalData, the market for IoT solutions amounted to about $130 billion last year. By 2023, this figure will increase almost threefold, to $318 billion. Annual growth (CAGR) is now about 20%. The number of connected devices will reach 20-50 billion units by 2020.

Unfortunately, smart gadgets are poorly protected from hacking. Many of them contain embedded credentials and vulnerabilities that attackers easily find and exploit. One example is the rapid spread of Mirai. The attacks are still continuing, thanks to a fresh incarnation of the malware.

It is estimated that the damage caused by botnets to the global economy amounted to $110 billion last year.

A little bit about botnets

In addition to Mirai, BetaBot, TrickBot, Panda and Ramnit are currently active. They are gradually infecting more and more smart devices and are a danger to both business and the state.

Business losses caused by malicious activity can be very large. A botnet is able to completely block the services of any company, which leads to forced downtime. In this case, losses amount to an average of $100,000. A company will have to spend even more on eliminating the effects of the hack.

The malware can also attack a company's network to steal corporate data: usernames and passwords of employees, financial information, technological developments. A botnet can operate in different ways, including intercepting keystrokes.

Unfortunately, it is not only malicious software that is dangerous, but also the smart devices themselves.

Smart gadgets - why are they dangerous?


Smart devices are a danger to a business or a private individual even after they have been thrown away and are sitting in a dumpster. Some of them store access information for local wireless networks and other data. Where attackers used to hunt for the records and drives that employees of various companies threw out, the hunt for IoT systems may now begin.

Smart bulbs

Specialists from the company Limited Results studied several popular models of smart lamps. A team of researchers purchased a new LIFX lightbulb and connected it to a wireless network. Then the bulb was turned off and disassembled.

After the data stored on the light bulb was downloaded, it turned out that the dump contained the access data for the WiFi network to which the device had been connected after purchase. The data was stored in the clear. Even the root certificate and private RSA key were available.

The problem is not limited to LIFX: data was downloaded from other smart bulbs as well. Probably, if the researchers had analyzed smart cameras, locks, door peepholes, etc., the situation would be about the same.
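
A check an owner could run on a flash dump of their own device before discarding or reselling it, looking for the kinds of cleartext material described above (WiFi credentials, PEM-encoded keys and certificates). This is an added example, not code from Limited Results or from the original article; the function names, the sample dump and the secrets in it are constructed for illustration.

```python
import re

# PEM headers for the kinds of material found in the bulb's dump.
PEM_MARKERS = {
    "RSA private key": b"-----BEGIN RSA PRIVATE KEY-----",
    "private key (PKCS#8)": b"-----BEGIN PRIVATE KEY-----",
    "certificate": b"-----BEGIN CERTIFICATE-----",
}

def _offsets(needle, dump):
    """All offsets at which needle occurs in dump."""
    return [m.start() for m in re.finditer(re.escape(needle), dump)]

def audit_dump(dump, known_secrets):
    """Return sorted (offset, description) findings for cleartext secrets.

    known_secrets maps a label to the owner's own value, e.g. the WiFi
    passphrase; each value is searched as UTF-8 and as UTF-16LE.
    """
    findings = [(off, label)
                for label, marker in PEM_MARKERS.items()
                for off in _offsets(marker, dump)]
    for label, value in known_secrets.items():
        if not value:          # an empty string would match everywhere
            continue
        for enc in ("utf-8", "utf-16-le"):
            for off in _offsets(value.encode(enc), dump):
                findings.append((off, f"{label} ({enc})"))
    return sorted(findings)

def safe_to_discard(dump, known_secrets):
    """True only if no known secret or PEM header is visible in the dump."""
    return not audit_dump(dump, known_secrets)

# Constructed sample, not a real dump: erased flash (0xFF) holding a
# cleartext WiFi record and a PEM-wrapped key.
SAMPLE_DUMP = (
    b"\xff" * 64
    + b"ssid=HomeNet\x00psk=correct-horse-42\x00"
    + b"\xff" * 32
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIB(constructed)\n"
    + b"-----END RSA PRIVATE KEY-----\n"
)
OWNER_SECRETS = {"WiFi SSID": "HomeNet", "WiFi passphrase": "correct-horse-42"}

if __name__ == "__main__":
    for offset, what in audit_dump(SAMPLE_DUMP, OWNER_SECRETS):
        print(f"0x{offset:04x}  {what}")
```

An empty result only shows that these values are not stored in the clear in the encodings searched; it does not show that the flash was actually erased.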

Thermostats



Last year, the hacking of a casino that was well protected in terms of cybersecurity became widely known. The attackers did not manage to hack the system head-on, so they began to look for loopholes. One of them turned out to be a smart thermostat, which regulated the temperature of a large aquarium installed in the casino. The thermostat was hacked by entering the wireless network. After that, the hackers stole a database of players who make big bets, which is of great interest to other casinos.

Smart cameras

Robert Hannigan, the head of the British intelligence agency GCHQ in 2014-2017, witnessed the hacking of a large bank's network. The attackers were able to get into the corporate network through smart cameras, which were accessed without much difficulty.

Baby monitors can also be counted as smart cameras. A few years ago, a case became known in which an attacker began to search for devices connected to a network only to frighten children (for example, by saying something in a scary voice through an external speaker).

Vacuum cleaning robots

Robotic vacuum cleaners equipped with cameras can serve as a reliable hacker tool. Such a device allows an attacker not only to access the wireless network at home or in the office, but also to watch and eavesdrop on what is happening.

Last year, vulnerabilities became known in several vacuum cleaning robots at once, including the Diqee 360, Xiaomi Mi Robot and other models.

And something else

A large number of other gadgets can be hacked; their name is legion. Routers, surveillance cameras and components of “smart home” systems are hacked most often.

In January 2018, information security specialists from Ben-Gurion University talked about testing nearly two dozen random smart devices, popular gadgets purchased from the manufacturer. As it turned out, the vast majority can be broken in about half an hour. The easiest way to get access to a device is to guess the default password.

What is the problem?


Most often, manufacturers of smart devices simply do not provide any mechanisms to counter attackers. The reason is simple: most companies aim to minimize the cost of the device.

If a company does not constantly release new products, it will go bankrupt. Implementing information protection mechanisms takes money and time, resources that far from all developers have.

To shorten the production cycle, companies assemble their devices from ready-made components made by different manufacturers: a processor, a camera, a wireless communication module, an audio chip, etc. But any element can contain a vulnerability that nobody knows about. Ideally, a complex device should be tested for several weeks, looking for possible holes. But in practice, nothing of the kind happens.

Sometimes it takes only a couple of months from the idea for a device to its launch; a comprehensive check is impossible in this situation. Of course, there are exceptions, but they are few.

About 90% of smart devices studied by experts turned out to be poorly protected. The vulnerabilities in many of them cannot be eliminated, since the manufacturer of the device itself or of one of its components does not release updates. And even if updates are released, not all users know about them, let alone have enough technical knowledge to download and install new firmware.

How to solve the problem?



A reliable way to protect against IoT threats.

There are two sides to this: manufacturers and users. As for manufacturers, IoT devices require uniform standards that unify the industry. Instead of a “zoo” of different solutions there will be standardized devices of different types, including household and corporate gadgets. Unfortunately, the situation is now so complicated that it will not be possible to unify all this in the foreseeable future. Isolated attempts are being made in the USA and other countries.

Users can be advised to buy only devices that have been tested by time and by other people, not to buy used gadgets (you never know, the previous owner may have left a “gift”), and to study the gadget model on the Internet before buying to make sure that there is no universal password for it. The more familiar recommendations are to use complex, unique passwords and to install updates if available.

In general, the IoT field will not change until legislators, developers and users change their attitude towards it. If the information security of IoT systems is made a priority, positive changes can be observed in a few weeks.

Do you have a security policy for IoT gadgets (personal or corporate)?

Do you use IoT gadgets? What precautions do you have?

Source: https://habr.com/ru/post/453410/

