The Internet of Things (IoT) has exploded in recent years as user demand for connectivity and remote management has soared, which in turn is boosting the smart home market and making home systems even easier to use and manage. Everything from routers, TVs, speakers, lights, power outlets, major appliances, heating and cooling systems, door locks, security cameras, sensors and more is now connected to the internet, but the majority of these new IoT devices are unmanaged and poorly secured, security experts say, leaving smart homes vulnerable.
In fact, many IT and cybersecurity professionals–perhaps tongue-in-cheek–refer to the IoT as the Internet of Threats in reference to the inherent security lapses in many IoT-based smart home products, says Mark Houpt, chief information security officer at data center operator DataBank.
“What we’re really looking at with IoT scenarios are devices that are typically unmanaged that could be hacked … and utilized as bounce devices or used as bots in order to attack other things and appear anonymous,” Houpt says. “So in other words, using an IoT device as a proxy for an actual attack that’s going on.”
Why is the IoT Insecure?
Many devices such as laptops, smartphones and other endpoints come armed with Windows, Google or Mac platforms, and thus come with a variety of security settings that can be changed to make these devices more secure. Why a cybercriminal would want to access those devices makes perfect sense, and the IT and security industries are continually adapting to address those ever-present threats. However, IoT devices are a different story, as they are being added to the network with security as an afterthought.
According to Houpt, many IoT devices are inherently insecure for two key reasons: neglect and the lack of an interface upon which to add security and hardening measures.
“On our microwaves, refrigerators, TVs–there aren’t a lot of options for us to go in there and turn on or turn off settings that make the devices more secure,” Houpt says. “You can’t add antivirus software on the TV or refrigerator.”
Essentially, the user is now fully reliant on what the manufacturer has put into their code.
“We don’t think about it, and therefore we don’t demand that we have the opportunity to put settings in place,” Houpt says.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) agrees, saying the rising prominence of the IoT is increasing the consequences of known cyber risks and creating new risks as well.
“Attackers take advantage of this scale to infect large segments of devices at a time, allowing them access to the data on those devices or to, as part of a botnet, attack other computers or devices for malicious intent,” the agency says.
How IoT Devices Can Be Leveraged In Cyberattacks
In fact, there have been several recent examples of what Houpt describes: hacking campaigns leveraging IoT devices to spread malware, including one discovered by cybersecurity firm Palo Alto Networks that is spreading the Mirai botnet via a range of IoT devices, including both residential and business routers, access points, cameras, access control systems and others.
The Mirai botnet is essentially malware designed to infect smart devices running on ARC processors with the goal of turning those devices into a network of remotely controlled bots, per a definition from Cloudflare.
In this case, hackers have the ability to gain complete control over the compromised devices by exploiting vulnerabilities and using them to execute additional attacks, including distributed denial-of-service (DDoS) attacks, according to Palo Alto Networks.
The Mirai malware has been active since at least 2016 and has historically leveraged vulnerabilities in smart home IoT devices due to their relatively weak security compared to enterprise systems.
In its 2022 Digital Defense Report, Microsoft touches on the growing risk of IoT threats, which it says are becoming a favorite of hackers due to the lack of built-in security controls.
According to Microsoft’s report, attacks against remote management devices have increased steadily since June 2021, and web attacks against IoT and operational technology (OT) devices have largely ebbed and flowed over the last year, with a large spike in September 2021.
In the past year, Microsoft says it observed attacks against common IoT protocols, such as Telnet, drop significantly, in some cases as much as 60 percent. At the same time, botnets were repurposed by cybercrime groups and nation-state actors. The report says the persistence of malware, such as Mirai, highlights the modularity of these attacks and the adaptability of existing threats.
Microsoft singles out Mirai, which the company says has been redesigned several times to adapt to different architectures and has evolved to infect a wide range of IoT devices including internet protocol cameras, security cameras, digital video recorders, and routers.
Attackers can then use lateral movement techniques to access other vulnerable devices on the network. Typically, this begins with an edge router, and attackers then look to move laterally to other devices on the same network.
As Palo Alto Networks notes, attackers can carry out a range of other activities in the IoT device, including encrypting the data for a ransom, wiping the data, using the device for cryptocurrency mining, or just bricking the device and rendering it useless.
In another example, Microsoft said last month that a China-based hacking group has been attacking critical infrastructure organizations by proxying its network traffic through compromised small office and home office network devices, to help stay undetected.
“Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet,” Microsoft researchers say.
In a separate advisory from the U.S. National Security Agency, officials get more specific about the device types, listing ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe, and Zyxel USG devices.
In fact, there are security vulnerabilities in a range of smart home products, including TVs, security systems, cameras, control systems and more. Integrators, dealers, builders and homeowners can search for security flaws in specific products or vendors in the MITRE database of vulnerabilities.
According to Houpt, while the homeowner may not be the intended target of such an attack, these hacking methods do result in a large volume of traffic going through the residential network and can bring speeds to a crawl. However, manufacturers of IoT devices–in particular smart home devices–are beginning to realize that risk and build in specialized security protections.
“We have seen some defenses be put in place for those,” Houpt says.
How to Secure Smart Homes and IoT Devices
According to Houpt and information from several U.S. agencies, here are several recommendations integrators, builders, property managers and homeowners should follow to secure smart home devices and networks against these security threats:
- Segment networks. Just like corporate offices have a separate Wi-Fi network for guests and other devices, smart homes should follow similar practices, especially for remote workers. According to Houpt this can be done with a VLAN, or simply by using a separate network connection and router for home entertainment and work. This can help prevent attackers from moving laterally from smart home devices to corporate devices and vice versa.
- Secure Wi-Fi networks. Where possible, CISA recommends changing the default password and username in Wi-Fi routers and other devices. Logging into the interfaces on routers can also provide additional security options.
- Harden app security settings. In some cases, IoT devices are supported by mobile apps, so these should also be updated routinely. In addition, CISA recommends users check app permissions and use the “rule of least privilege” to delete apps that are no longer needed.
- Update. When vulnerabilities in devices or firmware are discovered, manufacturers typically issue updates that fix those security flaws. These updates should be applied as soon as possible to prevent compromise.
- Enable multi-factor authentication (MFA). In any service or app that requires logging in, MFA should be enabled if it is an option. This will ask the user for additional information other than a password to grant them access to the app or service.
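As an added example (not part of the original article), the following Python sketch audits two of the points above: whether inter-VLAN firewall rules really keep the IoT segment from opening connections into the work segment, and whether any router port forward publishes an HTTP, SSH or Telnet management interface to the internet. The subnets, rules and port forwards are constructed sample data, and the rule model (stateless, top-down, first match wins) is an assumption about the router.

```python
import ipaddress

# Constructed sample data (not from the article): two VLAN subnets, inter-VLAN
# firewall rules evaluated top-down (first match wins), and WAN port forwards.
IOT = ipaddress.ip_network("192.168.20.0/24")
WORK = ipaddress.ip_network("192.168.10.0/24")
RULES = [
    ("192.168.10.0/24", "192.168.20.0/24", "accept"),   # work may manage IoT
    ("192.168.20.50/32", "192.168.10.0/24", "accept"),  # leftover camera rule
    ("192.168.20.0/24", "192.168.10.0/24", "drop"),     # intended isolation
    ("192.168.20.60/32", "192.168.10.5/32", "accept"),  # shadowed, never fires
]
FORWARDS = [  # (wan_port, lan_host, lan_port)
    (8443, "192.168.20.50", 443),
    (2222, "192.168.1.1", 22),
    (32400, "192.168.10.7", 32400),
]
MGMT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}


def _covers(outer, inner):
    """True if rule `outer` matches every packet that rule `inner` matches."""
    return all(ipaddress.ip_network(i).subnet_of(ipaddress.ip_network(o))
               for o, i in zip(outer[:2], inner[:2]))


def segmentation_gaps(rules, src_seg, dst_seg):
    """Return accept rules that let src_seg open connections into dst_seg.

    A rule is skipped when a single earlier rule fully covers it, since
    first-match evaluation means it can never fire.
    """
    gaps = []
    for idx, rule in enumerate(rules):
        src, dst = (ipaddress.ip_network(x) for x in rule[:2])
        if rule[2] != "accept" or not (src.overlaps(src_seg) and dst.overlaps(dst_seg)):
            continue
        if any(_covers(earlier, rule) for earlier in rules[:idx]):
            continue
        gaps.append(rule)
    return gaps


def exposed_management(forwards):
    """Return port forwards that publish a management service to the internet."""
    return [(wan, host, MGMT_PORTS[lan]) for wan, host, lan in forwards
            if lan in MGMT_PORTS]
```

Calling `segmentation_gaps(RULES, IOT, WORK)` reports the leftover camera rule that sits above the isolation rule, and `exposed_management(FORWARDS)` reports the two forwards that reach a management port.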