By Kestas Malakauskas
Home automation is the future. Smart thermostats and lighting systems make your home look and feel just right. Smart refrigerator orders food while you enjoy a lazy night in with a selection of movies, picked to fit your mood.
All of that is already a reality or just a few years away.
How to make sure that any unforeseen security risks do not alter this picture?
What’s the picture today?
By 2025, there will be 75.4 billion connected devices worldwide. That seems appropriate knowing that even today a third of Americans live in a household with 3 or more smartphones, according to a survey from Centers for Disease Control and Prevention. And that’s just smartphones, not counting other gadgets that are in every home.
Mostly, here at CUJO we are used to blocking threats on computers, smartphones, and tablets – these are the most common pieces of technology most homes have. As more smart TVs, smart thermostats, digital video recorders, voice control devices and consoles are used in homes, more of them get attacked as well.
What should you remember about smart home security?
Exponential growth of interconnected Internet of Things (IoT) devices at home show that our homes are changing. Families use more gadgets to simplify daily life, enhance productivity or simply to have fun together.
Unfortunately, this trend also opens new risks for home consumers and the whole interconnected ecosystem: most IoT devices lack strong security controls. It widens the attack surface for criminals and hackers who can find much more entry points to home consumer internal network and also use those poorly secured devices for attacks against other service providers.
It’s easy to list at least few of most prominent recent attacks seen which exploited various vulnerabilities across poorly secured IoT device ecosystem.
This piece of malware code used thousands of devices running old versions of Linux. It happened due to the poor cyber hygiene habits – most users do not change the default passwords on IoT devices/routers. In fact, in some cases, you just can’t change those default passwords.
All infected devices were used to initiate a coordinated attack against such service providers as GitHub, Shopify, Netflix, SoundCloud, Twitter and more, taking most of them down for hours. Hackers did it by initiating a DDoS attack against DNS provider Dyn.
This worm code had similar exploitation patterns in that way as it also uses vulnerabilities of default/poor passwords operating within IoT device space. The worm brute-forces IoT devices on the internet.
When hackers gained access, they initiated destruction commands on the gadget making the actual IoT device non-operative. It could have caused a severe damage for companies having full roll-outs of IoT device infrastructure.
Attacks on critical infrastructure
The more frightening trend is a series of attacks on critical infrastructure. We’ve seen cyber attacks targeting programmable logic controllers (PLCs) placed in electricity or uranium enrichment facilities (Stuxnet worm). PLCs are considered smart controllers used within industrial space.
In 2016, hackers targeted heating facilities in Finland. This DDoS attack in the city of Lappeenranta caused heating controllers to fail, which prevented heat to be turned on in the city. That might have caused significant negative consequences for residents and even end up in deaths.
All of the above cases show the dangerous threat landscape consisting of massive IoT vulnerabilities. With such capabilities, attackers and criminals don’t need to bother to infect/target critical infrastructure directly and create a customized piece of malware. Hackers can now quickly launch a DDoS attack to take down public service providers or critical infrastructure.
What can you do?
Want to know a bit more about smart home safety and how to protect all devices?
Listen to an interview with CUJO CTO Leon Kuperman on Robots podcast talking about the critical cyber security practices and how to make your smart home safe: