As we add more internet-facing devices to our networks (such as smart speakers, baby monitors, smart doorbells, and home alarm systems), we effectively expand the attack surface available to hackers, said Steve Beaty, computer science chair at the Metropolitan State University of Denver. “Maybe they can disarm your security system,” Beaty told WTKR News 3 on Tuesday.
After a hacker has broken into and gained control of one device, all other devices on that network could be up for grabs. “Once people have broken into a single device, then typically what they will do is what we call pivot, so they own, if you will, a particular device,” Beaty said. “And now, all of a sudden, they’re inside and most of our devices then trust the networks that they’re on.”
More IoT Devices Means a Wider Attack Surface
According to research firm Canalys, 300 million ‘smart’ speakers will have been installed globally by the end of last year, and that’s just one device. Statista noted that by 2030, there will be close to thirty billion connected IoT devices in total around the world. That figure is double the estimated 15 billion devices out there today. “As the internet of things has grown, and we have more and more and more devices out there, then we have more vulnerabilities,” Beaty said.
IoT smart devices can include seemingly innocuous gadgets like thermostats, which can be used as an initial entry point to the rest of an organization’s network. Beaty used the example of a smart fish tank system at a casino that hackers were able to breach in 2017 to steal customer data from the casino’s computer systems. In another example, hackers stole nude footage from South Koreans’ smart home cameras in late 2021 and went on to sell it on the dark web for the equivalent of about five thousand dollars in Bitcoin cryptocurrency.
Apart from spying on people, IoT ecosystems can be vulnerable to serious cybercrime. In June 2021, Netlab researchers discovered ‘HEH Botnet’ malware, which brute forces its way onto IoT devices and servers, destroying data and rendering them inoperable.
Connected smart devices are not just home appliances; they extend as far as automobiles, though these are not necessarily categorized as IoT. In June 2022, Trifinite research found that the Near Field Communications (NFC) technology in Tesla vehicles was vulnerable to hacking. Tests carried out in May of that year by an Austria-based Bluetooth specialist found that a Tesla can be stolen using any Bluetooth Low Energy (BLE) device.
How to Secure Your IoT Devices
Beaty said one of the most vital aspects of securing your IoT ecosystem is to change the default password on all of your devices. Using additional factors of verification is also a great way to block out attackers who may have gotten access to your password. With 2FA (two-factor authentication) or MFA (multi-factor authentication) enabled, a hacker would need direct access to your device to input the temporary security code and hijack your IoT devices.
Also, older or less popular IoT devices may not have sufficient security features and leave you vulnerable, particularly if they do not receive regular security updates or the manufacturer of the device does not have an excellent reputation. “I would say specifically webcams, including things like baby monitors, newer is better,” he added.
Future smart cities will no doubt be replete with connected IoT devices, including numerous sophisticated sensors which, if left unchecked, may present serious privacy and cybersecurity risks for millions of citizens, unless cybersecurity standards on IoT devices and networks have risen by then to accommodate comprehensive verification methods that take various threats into account. For this reason, several nations such as the U.S., Australia and the UK have laid out strict security standards for IoT device manufacturers, e.g. the UK’s Security by Design legislation.
If you would like to know what risks some of the newer smart devices invite, check out our article on smart thermostat privacy risks.