Kidnapping "in house": now a hacker can control your home and demand a ransom
According to Canalys estimates, more than 50 million smart home assistants will be sold worldwide this year.
To a large extent, this boom is due to the growing number of devices such as Google Home and Amazon Echo, with different functions and prices. Some are even very inexpensive.
Manufacturers are therefore striving to launch alternatives under their own brands to take advantage of the growing popularity of these devices, the most successful in the Internet of Things (IoT) range.
"By purchasing these products and installing them in our homes, we give their manufacturers and cybercriminals the ability to access all our data through these devices, which, in turn, are interconnected with others such as smart TVs, cars and air conditioners," explained Denise Giusto Bilic, specialist in Computer Security.
"If all the traffic is concentrated in a single device, it becomes more attractive for cybercriminals, since from the home assistant they can access the others, so these will soon be a focus of attacks," added the expert at the Security Forum held in Brazil and organized by the firm ESET, in which IproUP participated.
The equation is simple: the greater the number of connected devices, the greater the number of entry points that can be breached.
"We are already seeing some cases of breaches. Not for nothing, Google releases security patches to fix the Chromecast device flaw that reveals the user's location, and it also emerged that the Echo recorded a couple's conversations and sent them to their contact list," explained the specialist.
Numbers that speak for themselves
"70% of people say that IoT devices are not safe, but 62% would buy them anyway," said Cecilia Pastorino, IT Security specialist at ESET.
In 2017, companies spent US$964,000 million on these devices globally, while for end users the amount was US$725 billion.
It is estimated that, on average, there are six smart devices per household. By 2020, 20,000 million units will be delivered, according to forecasts by the consultancy Gartner. This includes lights, video cameras, thermostats, wearables and smart toys, among others.
Each of these devices has different firmware (the software that controls the device), which complicates the development of an antivirus application common to all.
"What we observed is that traditional malware is now turning to attack smart devices, such as the Mirai botnet and Reaper, which do mining and ransomware of things," says Pastorino.
In this last type of attack, a cybercriminal could "hijack" a smart device (such as the home heating) and control it remotely until the victim pays a ransom, usually in bitcoins or another cryptocurrency.
According to the expert's analysis, "these attacks are often used as a gateway to later perpetrate others."
"For example, a home is well protected, but one day they install a video camera and the cybercriminals get in there and then move on to the rest of the network. Recently, there was a theft of data in a casino that was carried out after entering through the Internet via a thermometer that was in an aquarium," she said by way of example.
The vulnerabilities of the smart home
Whatever the device is, all of them connect to the network through the Wi-Fi router or their own protocols, which often ship with vulnerabilities because they were not well tested before being released to the market.
The device can also be connected via Bluetooth, a technology that is likewise very easy to breach. Another way in is through the server of the provider that supplies the Internet connection.
"The attackers first scan the home network to see what devices are in the house and how to access one of them. For that, the malefactor has already entered the home Wi-Fi network, something that is not difficult to do," says Pastorino.
Through this procedure, they detect several devices, some of which expose information such as public APIs, unencrypted protocols, public files and metadata, among others.
In addition, there are search engines like Shodan that index publicly exposed ports and services, many of which belong to smart devices.
Once the cybercriminal has analyzed the equipment in the home, they can detect whether there is an open and easily accessible port. From there, the attacker can send requests to the device so that it returns the information it contains.
In this way, the attacker can learn, for example, what firmware it has and what functions it offers. Within a few seconds they can know what kind of smart device is in the targeted home.
Google devices are updated automatically, but there is still information that attackers can get. For example, the programmed alarms reveal what time the owners of the home wake up and, with that, their daily routines.
An attacker can also obtain the technical details of the equipment, the notifications and activities programmed by its owners, and the Wi-Fi networks, among other things. In short, this analysis makes it possible to learn the routine of the owner of the house.
The cybercriminal can also analyze the source code of the equipment. This is simple, because the device itself is not needed: it can be emulated. In this way, they can exploit vulnerabilities, access packet and traffic information, and obtain the firmware and server connection links, as well as the user's email and exact location.
"Once the hacker knows this data, they can interact with the device, for example, turn lights on and off from your cell phone, and also modify alarms, find sensitive information and perform other functions that smart equipment incorporates," says Pastorino.
Because these devices come with ports open by default, debugging enabled, known usernames and passwords, default services that are not used and insecure protocols, the ESET experts recommend, first of all, taking the time to research which devices to buy.
"Many times we choose the most economical one, but we have to analyze what models there are and which ones are from well-known brands, because their software is surely stronger compared to that of the unknown ones."
Second, configure the devices before installing them. That is, read the instruction manual and disable the functions that will not be used, for example, the camera.
Also change the default username and password. Finally, secure the perimeter of the Wi-Fi network. This requires long keys and a router with updated firmware.
Another detail: it is recommended to cover the cameras of the devices with adhesive tape or similar.
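The recommendations above can be turned into a repeatable check over a household's own device list. The following is an added example, not code from ESET or from the article: the record fields, the port and credential tables, the 16-character key minimum and the sample inventory are all assumptions constructed for illustration, and the firmware check is applied to every device rather than only the router.

```python
# Added example: audit a home device inventory for the weak defaults the
# article lists. Every record, port mapping and credential pair below is
# constructed for illustration; none of it comes from a real product.
INSECURE_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}   # unencrypted protocols
DEFAULT_CREDS = {("admin", "admin"), ("admin", "1234"), ("root", "root")}
MIN_WIFI_KEY_LEN = 16   # assumption: the article only says "long keys"

def audit_device(dev):
    """Return the findings for one device record (a dict)."""
    findings = []
    for port in sorted(dev.get("open_ports", [])):
        if port in INSECURE_PORTS:
            findings.append(f"insecure protocol: {INSECURE_PORTS[port]} on port {port}")
    if (dev.get("username"), dev.get("password")) in DEFAULT_CREDS:
        findings.append("default username/password still set")
    if dev.get("debug_enabled"):
        findings.append("debugging enabled")
    # Anything switched on that the household does not use is extra attack surface.
    unused = set(dev.get("enabled_features", [])) - set(dev.get("features_in_use", []))
    findings += [f"unused feature left enabled: {f}" for f in sorted(unused)]
    if not dev.get("firmware_current", False):
        findings.append("firmware not up to date")
    return findings

def audit_home(devices, wifi_key):
    """Audit every device plus the Wi-Fi key; return {name: [findings]}."""
    report = {d["name"]: audit_device(d) for d in devices}
    report["wifi"] = ([] if len(wifi_key) >= MIN_WIFI_KEY_LEN
                      else [f"Wi-Fi key shorter than {MIN_WIFI_KEY_LEN} characters"])
    return report

SAMPLE_DEVICES = [   # constructed inventory
    {"name": "camera", "open_ports": [23, 80, 554], "username": "admin",
     "password": "admin", "debug_enabled": True, "firmware_current": False,
     "enabled_features": ["camera", "microphone", "cloud_upload"],
     "features_in_use": ["camera"]},
    {"name": "thermostat", "open_ports": [443], "username": "home",
     "password": "Vq7-long-unique-phrase", "debug_enabled": False,
     "firmware_current": True, "enabled_features": ["schedule"],
     "features_in_use": ["schedule"]},
]

if __name__ == "__main__":
    for name, findings in audit_home(SAMPLE_DEVICES, "summer2018").items():
        print(name, "->", findings or "no findings")
```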
While there is no security solution for smart devices, the latest version of ESET Smart Premium has a function that maps the devices on the network and analyzes them to see if there are threats in the network traffic.