
Do not throw smart bulbs in the trash, or the danger of IoT

According to GlobalData analysts, the market for IoT solutions amounted to about $130 billion last year. By 2023 this figure will almost triple, to $318 billion. Annual growth (CAGR) is currently about 20%. The number of connected devices will reach 20-50 billion units by 2020.
Unfortunately, smart gadgets are poorly protected against hacking. Many of them contain hard-coded credentials and vulnerabilities that cybercriminals find and exploit with ease. The rapid spread of Mirai is one example, and the attacks continue today thanks to fresh incarnations of that malware.
It is estimated that botnets caused $110 billion of damage to the global economy last year.
A bit about botnets

In addition to Mirai, BetaBot, TrickBot, Panda and Ramnit are currently active. They are gradually infecting more and more smart devices and pose a danger to both business and the state.
Business losses caused by malware can be very large. A botnet can take a company's services completely offline, causing forced downtime; the resulting losses average $100,000, and the company will have to spend even more on eliminating the consequences of the breach.
Malware can also attack a company's network to steal corporate data: employees' usernames and passwords, financial information, technological developments. A botnet can operate in different ways, including intercepting keystrokes.
Unfortunately, it is not only malware that is dangerous, but smart devices themselves.
Smart Gadgets - Why Are They Dangerous?
Smart devices pose a danger to a business or a private person even after they have been thrown away and are sitting in a garbage container. Some of them store credentials for local wireless networks and other data. Where hackers once hunted for records and drives discarded by company employees, the hunt for discarded IoT devices may now begin.
Smart bulbs
Specialists from Limited Results studied several popular smart lamp models. The research team bought a new LIFX light bulb and connected it to a wireless network. The bulb was then switched off and disassembled.

After reading out the data stored on the bulb, it turned out that the dump contained the credentials for the Wi-Fi network the device had been connected to after purchase. The data was stored in clear text. Even the root certificate and the RSA private key were accessible.
And LIFX was not the only one with problems: data was extracted from other smart bulbs as well. Had the researchers analyzed smart cameras, locks, door peepholes and the like, the situation would probably have been much the same.
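As an added example that is not part of the original article, here is a small Python audit script of the kind a practitioner could run over a raw flash or NVRAM dump read from a device they are about to decommission, to check whether it holds the sort of material found in clear text above: Wi-Fi credentials and PEM-encoded private keys. The key/value names (`ssid`, `psk`, `wpa_passphrase`, `wifi_password`) and the sample dump are constructed assumptions, not the LIFX storage format.

```python
"""Audit a raw storage dump for secrets kept in clear text (constructed example)."""
import re
from typing import Dict, List

# Assumed key/value names for Wi-Fi settings; real firmware config stores differ.
PATTERNS = {
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "pem_certificate": re.compile(rb"-----BEGIN CERTIFICATE-----"),
    "wifi_ssid": re.compile(rb'(?i)\b(ssid)\s*[=:]\s*"?([^\x00"\r\n]{1,32})'),
    "wifi_psk": re.compile(
        rb'(?i)\b(psk|wpa_passphrase|wifi_password)\s*[=:]\s*"?([^\x00"\r\n]{8,63})'
    ),
}

# Constructed dump: NUL-separated key/value records followed by a PEM block.
# The key body is a placeholder, not real key material.
SAMPLE_DUMP = (
    b"\x00\x00boot_count=7\x00"
    b"ssid=HomeNet-2G\x00psk=correct-horse-battery\x00"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIE(placeholder)\n-----END RSA PRIVATE KEY-----\n"
    + b"\xff" * 16
)


def mask(value: str) -> str:
    """Redact a recovered secret for reporting: keep only a two-character prefix."""
    return value[:2] + "*" * (len(value) - 2)


def scan_dump(dump: bytes) -> Dict[str, List[str]]:
    """Return {finding_type: [values]} for every clear-text secret located in the dump."""
    findings: Dict[str, List[str]] = {}
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(dump):
            if match.lastindex:  # key/value pattern: report the value (PSK redacted)
                value = match.group(2).decode("latin-1")
                if name == "wifi_psk":
                    value = mask(value)
            else:  # PEM header: report only where it sits in the dump
                value = f"offset {match.start()}"
            findings.setdefault(name, []).append(value)
    return findings


def has_plaintext_secrets(dump: bytes) -> bool:
    """True if the dump should be wiped (factory reset / secure erase) before disposal."""
    return bool(scan_dump(dump))


if __name__ == "__main__":
    for kind, values in scan_dump(SAMPLE_DUMP).items():
        print(f"{kind}: {values}")
```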
Thermostats

Last year, the hacking of a casino that was considered secure became widely known. The attackers could not break into the system head-on, so they started looking for loopholes. One of them turned out to be a smart thermostat regulating the temperature of a large aquarium installed in the casino. The thermostat was compromised via the wireless network, after which the intruders stole a database of high-rolling players, of great interest to other casinos.
Smart cameras
Robert Hannigan, head of the British intelligence agency GCHQ from 2014 to 2017, witnessed the hacking of a large bank's network. The attackers got into the corporate network through smart cameras that were easily accessible.
Baby monitors also count as smart cameras. A few years ago a case became known in which an attacker searched for monitors connected to the internet only to scare children (for example, by saying something in a scary voice through the external speaker).
Robotic vacuum cleaners
Robotic vacuum cleaner models equipped with cameras can serve as reliable tools for intruders. Such a device gives access not only to the wireless network of your home or office, but also to what is happening there, through snooping and eavesdropping.
Last year, vulnerabilities in several robotic vacuum cleaners became known, including the Diqee 360, Xiaomi Mi Robot and other models.
And something else
Hacking affects a great many other gadgets; their name is Legion. The most commonly hacked are routers, surveillance cameras and components of "smart home" systems.
In January 2018, information security researchers from Ben-Gurion University described testing almost two dozen randomly chosen smart devices, popular gadgets bought directly from manufacturers. As it turned out, the vast majority were hacked in about half an hour. The easiest way into a device was to guess its default password.
What is the problem?
Most often, manufacturers of smart devices simply provide no mechanisms at all to counter attackers. The reason is simple: most companies aim for the lowest possible device cost.
If a company does not constantly release new products, it goes bankrupt. Implementing security mechanisms takes money and time, resources that not all developers have.
To shorten the production cycle, companies assemble their devices from ready-made components made by different manufacturers: processor, camera, wireless module, audio chip and so on. But any of these components can contain a vulnerability that no one knows about. Ideally, the integrated device should be tested for several weeks, probing for possible holes. In practice, nothing of the kind happens.
From the idea of a device to its implementation, sometimes only a couple of months pass, and a comprehensive check cannot be performed in that time. There are exceptions, of course, but few.
About 90% of the smart devices examined by the experts were poorly protected. Many of their vulnerabilities cannot be fixed, because the manufacturer of the device, or of one of its components, does not release updates. And when it does, far from all users learn of the new release, let alone have the technical knowledge needed to download and flash the new firmware.
How to solve a problem?

A reliable way to protect against IoT threats.
There are two avenues: manufacturers and users. As for manufacturers, IoT devices need common standards to unify the industry. Instead of a "zoo" of different solutions there would be standardized devices of various types, both household and corporate. Unfortunately, the situation is now so complicated that unifying all of this is not possible in the foreseeable future. Isolated attempts are being made in the USA and other countries.
Users can only be advised to buy devices that have been tested by time and by other people, not to buy used gadgets (you never know whether the previous owner left a "gift" behind), and to research the model online before buying to make sure it has no universal password. The more familiar recommendations also apply: use complex, unique passwords and install updates when they are available.
In general, the IoT sphere will not change until lawmakers, developers and users change their attitude towards it. If the information security of IoT systems were made a priority, positive changes could be seen within a few weeks.
Do you have a security policy for IoT gadgets (personal or corporate)?
Do you use IoT gadgets? What precautions do you take?