Legislation
2020: UK prepares law to protect IoT devices
On January 28, 2020, it became known that the UK Government unveiled a bill aimed at protecting IoT devices.
The bill contains three main requirements for manufacturers of smart devices: all passwords on consumer IoT devices must be unique and must not be resettable to a "universal" factory setting; manufacturers must provide a public point of contact so that anyone can report a vulnerability and expect "timely action"; and manufacturers must clearly state, at the point of sale, the minimum period during which devices will receive security updates.
"Our bill obliges firms that manufacture and sell Internet-connected devices to take into account and suppress the actions of hackers that threaten the privacy and security of people. This will mean that robust safety standards will be implemented during the design phase rather than being used as a backup plan," said UK Digital and Broadband Minister Matt Warman.
The norm was developed by the Ministry of Culture, Media and Sports of Great Britain after a long period of consultations, which began in May 2019.
According to the UK government, the bill is planned to be adopted "as soon as possible"[1].
Theoretical aspects of IoT IS
A safe IoT ecosystem does not exist
Experts insist that service providers and device vendors in the IoT market violate the principle of end-to-end information security (IS), which is recommended for all ICT products and services. According to this principle, IS should be built in at the initial stage of product or service design and maintained until the end of its life cycle.
But what do we have in practice? Here, for example, is some data from HP (summer 2014). The purpose of the study was not to single out specific insecure Internet devices and expose their manufacturers, but to outline the problem of IS risks in the IoT world as a whole.
HPE researchers draw attention to problems on the side of device owners as well as problems that developers should think about. At the very start of operation, the user must replace the default factory password with a personal one, since factory passwords are the same on all devices and are not strong. Unfortunately, not everyone does this. Since not all devices have built-in IS protection, owners should also install external protection intended for home use, so that Internet devices do not become open gateways into the home network or direct tools for causing damage.
A study conducted by HP found that approximately 70% of the analyzed devices do not encrypt wireless traffic. HP experts considered the web interfaces of 60% of devices insecure because of poorly organized access and a high risk of cross-site scripting. Most devices have weak passwords. Approximately 90% of devices collect some personal information about the owner without the owner's knowledge.
In total, HP experts counted about 25 different vulnerabilities in each of the devices studied (televisions, door locks, household scales, home security systems, electrical sockets...) and their mobile and cloud components.
The conclusion of HP experts is disappointing: a safe IoT ecosystem does not exist today. The Internet of Things is particularly dangerous in the context of the spread of targeted attacks (APT). Attackers need only take an interest in any of us, and our faithful assistants from the IoT world turn into traitors who open up access to the world of their owners.
Weaknesses of IoT
- Transition to IPv6.
- Power supply of sensors.
- Standardization of architecture and protocols, device certification.
- Information security.
- Default manufacturer accounts, weak authentication.
- Lack of manufacturer support for fixing vulnerabilities.
- Software and OS are difficult or impossible to update.
- Use of plaintext protocols and unnecessary open ports.
- By exploiting the weakness of one gadget, a hacker can easily get into the entire network.
- Use of unprotected mobile technologies.
- Use of unprotected cloud infrastructure.
- Use of insecure software.
How Safe Are Smart Homes of the Future
Below, Panda has collected several ideas about how hackers could gain unprecedented access to your everyday life through the sophisticated devices in your home[2].
Ransom for coming home?
As the Internet of Things continues to integrate seemingly meaningless and unrelated objects, a full-fledged home operating system looks quite likely. Although this will transform your home into an optimized living space designed entirely for your comfort, it also carries a serious risk of your becoming the victim of a cyber attack in your own home.
The central link of any security system of the smart home of the future is its lock.
A recent study showed that smart locks are frighteningly easy to crack, so they cannot guarantee the main function for which they exist.
Existing systems are simple enough for hackers to defeat and are not an obstacle to entering your home.
And we decided to think further: what if hackers in the future can use this technological achievement against you? If a smart lock can be hacked to open it, perhaps hackers will find a way to lock it completely so that you cannot open it.
In that case, it will be possible in the future to quietly get into someone else's house: the hacker will be able to control everything remotely. Moreover, the hacker will be able to demand a ransom from the victims before they can get into their own homes.
This might sound like the script of some terrible film (All alone at home), but it is a frightening thought. If all your security devices are interconnected, cyber criminals could potentially also gain access to your home alarms and even your car keys.
Smoke screen - fire alarm
One security feature that is already built into some available smoke detectors on the market is the ability to allow the smart home to receive information (and use it in future work) from other smart devices, which allows the system to respond appropriately in case of danger. This feature is implemented for user safety, allowing a home system that detected a fire, for example, to unlock all doors in the house to help get out of it as quickly as possible.
This is a great example of how manufacturers of IoT solutions are working on transparent integration and interaction of smart devices inside a smart home. However, there is one caveat: if this technology is used by cyber criminals, then there is a possibility of creating an undesirable chain reaction, which ultimately can, on the contrary, reduce the level of security of a smart home.
Another way that a hacker could potentially cause harm from afar is to create a false fire alarm that is sent to the fire services. A chaotic scene can act as a smoke screen, which can also eventually make you easy prey for other potentially malicious cyber attacks.
Death vacuum cleaner
This is probably one of our wilder ideas, but if we remember the furore caused by self-detonating smartphones, it will not surprise us that IoT devices increasingly put us in a position that gives hackers access to potentially explosive devices!
Can IoT devices be used for cyber attacks? Easily.
Attackers, as a rule, work at scale: for example, distributed denial-of-service (DDoS) attacks, in which thousands of emails or requests are sent to a server to slow it down or disable it altogether.
In the future, then, we may encounter situations in which hackers try to "litter" as many machines as possible in the hope that some of them will malfunction, with serious consequences. It is a frightening prospect. Perhaps this is why government agencies are talking about the potential dangers of cyber attacks associated with the Internet of Things.
Beware of the refrigerator
Remember the episode of The Simpsons in which Marge takes on a home operating system with artificial intelligence, voiced by Pierce Brosnan, that prepares food but secretly plans to "get rid" of the rest of the family? Yes, of course, this is a funny parody, but it is unsettling that only a few technological advances are needed for such events to stop being funny and become a terrible reality.
Well, let's say that your refrigerator does not yet hold intelligent conversations with you, much less hatch murderous schemes against your family. However, two years ago, the CIA noted a threat from smart refrigerators in smart homes. Why is that?
The CIA was alarmed by the fact that a refrigerator was used as part of a botnet to carry out a DDoS attack. All this went completely unnoticed by the owner of the refrigerator, who had no idea that the smart device could do anything diabolical besides cooling and preserving food.
What's next?
Since smart devices are becoming smarter, tracking your purchasing preferences and making home orders, could a hacker access your bank data or interfere with your purchases? We all know that artificial intelligence and refrigerators are better left as a creepy vision in cartoons, rather than horror in real life!
Protection from hackers: IoT device certification
On October 11, 2016, it became known that the European Commission plans to introduce mandatory certification or a similar procedure for all devices connected to the Internet of Things. Measures are planned at the state level to prevent hackers from using the Internet of Things to create botnets.
As an option, installing special unified chips in network devices to protect them from hacker attacks is not ruled out. These measures, according to European Commission officials, should increase public trust in the Internet of Things and prevent hackers from creating botnets from connected equipment[3].
Measures to protect the Internet of Things from hackers should be taken precisely at the state level, since not only the devices themselves need control, but also the networks to which they are connected, as well as cloud storage. The certification scheme for the Internet of Things is comparable to the European system for marking energy-consuming goods, adopted in 1992. Marking is mandatory for cars, household appliances and electric lamps. But equipment manufacturers consider the system of such marking ineffective to protect against hackers. Instead, they would prefer to install a standard chip in the devices, which will be responsible for the security of the Internet connection.
The group of devices connected to the Internet includes video cameras, televisions, printers, refrigerators and other equipment. Most of these devices are poorly protected from hacker attacks. The devices themselves may not be of interest to criminals. However, hackers compromise them to use as bots in botnets through which more serious systems can be attacked. Most owners of hacked devices do not even suspect how their equipment is being used.
An example is the large-scale DDoS attack on the website Krebs On Security in September 2016.
"The intensity of requests from the botnet during the attack reached 700 Gb/s. The botnet includes more than 1 million cameras, video recorders and other devices connected to the Internet of Things. This is not the first resonant case when such devices become part of the botnet, but for the first time the network consisted almost entirely of such devices," said Brian Krebs, the resource owner.
According to Gartner, about 6 billion devices are connected to the Internet of Things, and by 2020 their number will reach 20 billion, which will create greater opportunities for hackers to conduct large-scale attacks using botnets.
How to Secure 5G and Industry 4.0 IoT Devices
The Internet of Things (IoT) is actively spreading around the world and is on the verge of a surge in development. Several factors contribute to this: 5G networks, Industry 4.0 (the Fourth Industrial Revolution), and the growing computing capabilities of microprocessors. Smart home devices and the business and industrial segments of IoT devices have similar implementation problems: the lack of uniform standards, including documentation standards; the lack of good descriptions of protocols and connections, and the correspondingly high cost of analyzing the actual level of security; the lack of standards for protection functions; and, as a rule, the lack of chip resources to implement these functions properly (encryption, authentication, etc.). Read about which risks of implementing IoT devices should be taken into account and how to protect such solutions in the material prepared by information security expert Anna Mikhailova.
Market Assessment
2017: IoT security spending of $1.2 billion
On March 21, 2018, the analytical company Gartner announced the results of a study of the global information security market in the field of the Internet of Things. The costs of companies to provide cyber protection of IoT systems in 2017 reached $1.17 billion, an increase of 29% compared to the previous year, when costs were measured at $912 million.
Most of the market under consideration was for professional services, which in 2017 were rendered in the amount of $734 million against $570 million a year earlier. In the security segments of internetwork devices and user equipment, investments of $138 and $302 million were recorded, respectively. In 2016, these indicators were measured at $240 and $102 million.
The study notes that cyber attacks on the Internet of Things have become a reality. Between 2015 and 2018, about 20% of organizations surveyed by Gartner encountered them.
According to Gartner analyst Ruggero Contu, when deploying the Internet of Things, companies most often pay no attention to where their equipment and software are procured from, or to their features.
It is predicted that even before 2020, Internet of Things security will not be a priority for business. In addition, the adoption of best IS practices and tools in IoT planning will be ignored. Because of these two constraints, the market for IoT IS solutions will lose 80% of its potential revenue.
Experts name the main driver of growth in this market as the demand for tools and services that improve threat detection and asset management, the security assessment of equipment and software, and testing to protect IoT systems from unauthorized access. Thanks to these factors, spending on Internet of Things information security will increase to $3.1 billion in 2021, Gartner predicts.[4]
Incident History
2022
Unpatched DNS vulnerability endangers millions of IoT devices
On May 3, 2022, it became known that an unpatched DNS vulnerability endangers millions of IoT devices.
The vulnerability affects the Domain Name System (DNS) implementation in two popular C libraries.
The problem was first reported in September 2021. The vulnerability affects the DNS implementation in uClibc and uClibc-ng, C libraries used for developing embedded Linux systems. uClibc is well known among large companies: the library is used by Linksys, Netgear and Axis, as well as by Linux distributions.
"The vulnerability is caused by the predictability of transaction identifiers within DNS queries generated by the library," said Giannis Tsaraias and Andrea Palanca of Nozomi Networks. "The flaw may allow attackers to use DNS spoofing against the selected device."
DNS cache poisoning, or DNS spoofing, is a technique of corrupting the cache of DNS resolvers in order to redirect the user to malicious websites.
Exploiting the flaw makes it possible to conduct man-in-the-middle (MITM) attacks and corrupt the DNS cache, effectively redirecting Internet traffic to a server controlled by the attacker.
Nozomi Networks warned of the possibility of exploiting the vulnerability against operating systems configured to use a fixed or predictable source port.
By exploiting the vulnerability, a hacker can control information transmitted by users and carry out other attacks on infected devices, experts said[5].
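A defender can check whether a device shows the two weaknesses named above by inspecting its own outgoing DNS queries. The following is an added example, not code from Nozomi Networks or uClibc: it parses the transaction ID from captured query payloads and flags predictable ID and source-port sequences. The sample captures, the function names and the 0.8 threshold are assumptions made for illustration.

```python
import struct
from collections import Counter

QUERY_FLAGS_RD = 0x0100  # standard query with "recursion desired" set


def build_query(txid: int, name: str) -> bytes:
    """Build a minimal DNS A-record query. Used only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, QUERY_FLAGS_RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_query_txid(payload: bytes) -> int:
    """Return the 16-bit transaction ID of a DNS query, rejecting non-queries."""
    if len(payload) < 12:
        raise ValueError("a DNS header is 12 bytes; payload is too short")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:
        raise ValueError("QR bit is set: this is a response, not a query")
    if qdcount == 0:
        raise ValueError("query carries no question")
    return txid


def dominant_step(values, modulus=1 << 16):
    """Most common difference between consecutive values (mod 2^16) and its share."""
    steps = Counter((b - a) % modulus for a, b in zip(values, values[1:]))
    step, count = steps.most_common(1)[0]
    return step, count / (len(values) - 1)


def assess_resolver(observations, threshold=0.8):
    """observations: list of (udp_source_port, dns_payload) in capture order.

    A sequence counts as predictable when one step value explains at least
    `threshold` of consecutive differences (step 0 means a fixed value).
    The threshold is an assumption for this example, not a standard.
    """
    if len(observations) < 4:
        raise ValueError("need at least 4 queries to judge predictability")
    ports = [port for port, _ in observations]
    txids = [parse_query_txid(payload) for _, payload in observations]
    txid_step, txid_share = dominant_step(txids)
    port_step, port_share = dominant_step(ports)
    txid_pred = txid_share >= threshold
    port_pred = port_share >= threshold
    return {
        "txid_predictable": txid_pred,
        "txid_step": txid_step if txid_pred else None,
        "port_predictable": port_pred,
        "port_step": port_step if port_pred else None,
        # A spoofed answer must match both 16-bit fields; each predictable
        # field removes up to 16 bits of what an off-path sender must guess.
        "unknown_bits_upper_bound": 16 * (not txid_pred) + 16 * (not port_pred),
    }


# Constructed sample captures (not real traffic).
# Device A: incrementing transaction IDs (wrapping past 0xFFFF), fixed port.
DEVICE_A = [(40000, build_query((0xFFFE + i) & 0xFFFF, "time.example"))
            for i in range(6)]
# Host B: IDs and ports with no dominant step.
B_TXIDS = [0x9C41, 0x03E7, 0xD2B0, 0x5F1A, 0x77C3, 0x2E90]
B_PORTS = [51324, 38911, 60417, 42250, 55003, 33871]
HOST_B = [(p, build_query(t, "time.example")) for p, t in zip(B_PORTS, B_TXIDS)]
# Device C: random-looking IDs, but every query leaves from the same port.
DEVICE_C = [(53000, build_query(t, "time.example")) for t in B_TXIDS]

if __name__ == "__main__":
    for label, capture in (("A", DEVICE_A), ("B", HOST_B), ("C", DEVICE_C)):
        print(label, assess_resolver(capture))
```

Feed it the UDP payloads and source ports of queries captured on the device's own network segment; a result with zero unknown bits is the condition the advisory describes.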
Mirai-based Enemybot IoT botnet gains momentum
On April 14, 2022, it became known that specialists of the information security company Fortinet had discovered a botnet based on the Mirai source code, called Enemybot. The botnet is gaining momentum by infecting modems, routers, and IoT devices through known vulnerabilities.
2020
Check Point study shows how networks can be hacked with a light bulb
On February 6, 2020, Check Point Software Technologies reported vulnerabilities that could allow a hacker to deliver ransomware or other malware to office and home networks by taking over smart bulbs and their controller.
Data from 515 thousand servers, home routers and IoT devices are in the public domain
A cybercriminal published lists of Telnet credentials for more than 515 thousand servers, home routers and IoT devices. This became known on January 20, 2020.
Sexual extortion through smart cameras
In mid-January 2020, researchers sounded the alarm over a wave of new fraud - sexual extortion amid panic over the safety of smart cameras.
Concerns about the cameras connected to the Internet, combined with simple e-mail, make it possible to deceive the unsuspecting victim. A wave of a new version of the old scam swept through the network - criminals are trying to convince the victim that they have incriminating information that they will release if they do not pay the ransom. Now fraudsters claim to have received sexual recordings from smart security cameras, and threaten to upload them to the public network or send them to the victim's friends.
Researchers from Mimecast recorded a huge surge in a new type of fraud: in just two days from January 2 to 3, more than 1,600 fraudulent letters were intercepted. The attackers write that they have several compromising photos or videos and give a link to a website that displays ordinary footage from surveillance cameras in a common area, for example, in a bar or restaurant - a place that anyone could visit last week. These shots should convince the victim that his or her compromising actions were recorded using security cameras or a smartphone.
"Imagine everything you have done over the past year, and imagine what we saw as you do," the attackers wrote. "Videos with you have already been uploaded to several porn sites and you only have one week before they become available for viewing."
In fact, no such video exists, and the fraudsters are simply casting a line in the hope that the victim takes the bait. This is a very cheap and incredibly effective method of fraud. In 2018, the total number of complaints of extortion by e-mail increased by 242%, and experts warn users not to respond to threats and to contact the police immediately.[6]
2019
75% of attacks on IoT devices are in the US
In 2020, attacks on Internet of Things (IoT) objects will increase significantly. This became known on December 17, 2019. The forecast comes from the National Computer Incident Coordination Centre (NCCC). In 2020, objects of the credit and financial sphere will traditionally be most at risk, since attackers are driven by the desire to make money.
This was announced by the deputy director of the National Coordination Center for Computer Incidents Nikolai Murashov.
The deputy head of the NCCI explained this forecast by the fact that as of December 2019 there are already about 5 billion IoT devices in the world, and in the next few years this figure will grow 10 times. At the same time, he says, equipment manufacturers are in a hurry to launch their products on the market, thinking little about safety. This, Nikolai Murashov warned, creates the greatest threats in the field of cybersecurity in 2020.
As Nikolai Murashov said, since 2015, the trend of using DDoS attacks using botnets of the Internet of things has continued. Such devices include, for example, home routers, webcams, smart home devices, health controls, etc. Such devices are often hacked, captured in the botnet and used to attack other objects, including CII objects, he cites an example. Nikolai Murashov warns that the totality of such attacks using botnets can be so large that it can lead to disruption of the Internet network in the whole region.
According to McAfee data for the first quarter of 2019, the USA accounts for 75% of attacks on Internet of Things devices, China and Germany for 4% each, and Brazil and Italy for 3% each. According to a study by Lumen Technologies (USA, formerly CenturyLink), IoT botnet management centers are most often controlled by groups located in the USA, Russia, China, the Netherlands and Mexico[7].
FBI: each IoT device requires a separate network
In early December 2019, the FBI recommended that Internet of Things users keep their main connected devices, such as laptops or smartphones, isolated from the rest by using a separate Wi-Fi network or LAN.
"Your refrigerator and laptop should not be on the same network," the FBI said.
Cybersecurity experts from the bureau recommend using two Internet gateways: one for devices that store confidential data, and the other for digital assistants, such as home security devices, smart watches, gaming systems, fitness trackers, thermostats, smart light bulbs, etc. It is also recommended that you change all factory default passwords.
According to the FBI, potential vulnerabilities in IoT devices allow hackers to access the router's network, and through it other devices connected to the home network. Creating separate networks will prevent intruders from reaching the main devices.
In addition, experts recommend the use of microsegmentation. Available in the firmware of most WiFi routers, this feature allows router administrators to create virtual networks (VLANs) that behave like different networks, even if they work on the same router.
In general, the FBI proposed the following principles of digital defense:
- Change the device's factory settings, replacing the default password.
- Passwords must be as long and unique as possible for all IoT devices.
- Many connected devices work in conjunction with mobile applications. These apps can run in the background and use default permissions you weren't even aware of. Find out what personal information these apps collect and adjust permissions.
- Make sure all your devices are updated regularly.[8]
105 million attacks on IoT devices recorded in the first half of the year
On October 16, 2019, it became known that in the first half of 2019, specialists from Kaspersky Lab, using honeypots (resources that serve as bait for attackers), recorded 105 million attacks on IoT devices originating from 276 thousand unique IP addresses. This figure is seven times more than in the first half of 2018, when about 12 million attacks from 69 thousand IP addresses were detected. Taking advantage of the weak protection of IoT products, cybercriminals are putting more effort into creating and monetizing IoT botnets.
The number of cyber attacks on IoT devices is rapidly increasing, as more and more users and organizations are acquiring smart devices, such as routers or video recording cameras, but not everyone cares about their protection. Cybercriminals, in turn, see more and more financial opportunities in the use of such devices. They use networks of infected smart devices to conduct DDoS attacks or as a proxy server for other types of malicious actions.
According to the collected data, attacks on IoT devices are not complex, but they are stealthy enough that users do not notice them. The Mirai malware family was used in 39% of all attacks; it uses exploits that allow botnets to compromise devices through old vulnerabilities and control them. In second place was the NyaDrop malware family (38.57%), which uses the brute-force technique. NyaDrop also often served as a Mirai loader. The third most common botnet was Gafgyt (2.12% of all attacks).
The researchers also identified countries that were more likely than others to be sources of infection in the first half of 2019. 30% of all attacks occurred in China, in Brazil - 19%, followed by Egypt with an indicator of 12%. In the first half of 2018, the situation was different - Brazil led with an indicator of 28%, China ranked second (14%), Japan third (11%).
IoT is a fruitful area for attackers who use even the most primitive methods, such as guessing combinations of passwords and logins for authorization in the system. Users very often use common combinations, such as "support/support," followed by "admin/admin," "default/default"[9].
Among the states from whose territory attacks on Kaspersky Lab honeypots came, China was in first place and Brazil in second; Egypt and Russia followed with a gap of 0.1%. The observed trends generally held across 2018 and 2019, with small changes in the ranking of countries by number of attacks[10].
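The credential guessing described above leaves a recognisable pattern in honeypot or device login logs: one source trying several of the common default pairs within seconds. The following added example (not Kaspersky Lab's tooling) detects that pattern. The log format, the sample lines and the thresholds are constructed for illustration, and the default pairs are the three quoted in the text.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The three combinations quoted in the text above.
DEFAULT_PAIRS = {("support", "support"), ("admin", "admin"), ("default", "default")}

# Assumed (constructed) honeypot log format, one login attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proto=telnet user=(?P<user>\S*) pass=(?P<pw>\S*)$"
)

# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = """\
2019-06-01T10:00:01Z src=198.51.100.7 proto=telnet user=support pass=support
2019-06-01T10:00:03Z src=198.51.100.7 proto=telnet user=admin pass=admin
2019-06-01T10:00:05Z src=198.51.100.7 proto=telnet user=default pass=default
2019-06-01T10:00:10Z src=203.0.113.20 proto=telnet user=admin pass=admin
2019-06-01T10:05:00Z src=203.0.113.20 proto=telnet user=operator pass=constructed-not-default
2019-06-01T09:00:00Z src=192.0.2.44 proto=telnet user=support pass=support
2019-06-01T09:30:00Z src=192.0.2.44 proto=telnet user=admin pass=admin
2019-06-01T10:00:00Z src=192.0.2.44 proto=telnet user=default pass=default
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return (timestamp, source, user, password), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["pw"]


def parse_log(log_text):
    """Parse every well-formed line, silently dropping the rest."""
    return [rec for rec in map(parse_line, log_text.splitlines()) if rec]


def credential_ranking(log_text):
    """Count how often each user/password pair was tried across all sources."""
    return Counter((user, pw) for _, _, user, pw in parse_log(log_text))


def find_default_credential_sweeps(log_text, min_pairs=2,
                                   window=timedelta(seconds=60)):
    """Flag sources that try >= min_pairs distinct default pairs inside `window`.

    Returns {source: sorted list of default pairs seen in the densest window}.
    """
    by_src = defaultdict(list)
    for ts, src, user, pw in parse_log(log_text):
        if (user, pw) in DEFAULT_PAIRS:
            by_src[src].append((ts, (user, pw)))

    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        start, best = 0, set()
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            pairs = {pair for _, pair in hits[start:end + 1]}
            if len(pairs) > len(best):
                best = pairs
        if len(best) >= min_pairs:
            findings[src] = sorted(best)
    return findings


if __name__ == "__main__":
    print(find_default_credential_sweeps(SAMPLE_LOG))
    print(credential_ranking(SAMPLE_LOG).most_common(3))
```

The time window matters: the source that tries the same three pairs spread over an hour is not reported, while the one that tries them within five seconds is.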
Trend Micro found out how cybercrime groups use IoT devices
On September 10, 2019, Trend Micro published a study, Uncovering IoT Threats in the Cybercrime Underground, which describes how cyber-criminal groups use IoT devices for their own purposes and what threats this poses.
Trend Micro analysts investigated the darknet, finding out which IoT vulnerabilities are most popular among cybercriminals, as well as which languages participants in the cyber underground speak. The study found that Russian was among the five most popular languages on the darknet. Besides Russian, the top five darknet languages are English, Portuguese, Spanish and Arabic. The report presents an analysis of five cybercrime communities classified according to the languages that they use to communicate. Language turned out to be a more important unifying factor than geographical location.
The Internet of Things has become an important part of modern society. The increase in the number of IoT devices makes them a desirable target for cybercriminals, forming a new threat landscape. Manufacturers often play into the hands of cybercriminals by releasing products without any security features. As a result, such devices join the ranks of the next botnet and work for the benefit of cybercriminals.
The main driving force behind the actions of the cybercrime community is money. Hackers therefore consider IoT vulnerabilities not in isolation but in the context of possible monetization. That is why the study focuses not on vulnerabilities and attacks, but on the business models used by criminal communities.
The Russian-language cybercrime market, according to Trend Micro, is the most complex and most prosperous of all those cited in the study. It sells fresh vulnerabilities for routers and modified firmware for electricity meters. Here they discuss the hacking of gas stations, and sell and buy botnets based on IoT devices.
Among the main ways of monetizing hacked IoT devices, the study singles out their use for organizing DDoS attacks and as VPN exit nodes. In both cases, criminals sell their services to other community members.
Cryptominers for Android-based devices are of great interest to the Russian-speaking underground; this is not about smartphones, whose limited battery capacity does not allow them to be used for profit, but about smart TVs, consoles and other devices.
Russian hackers are actively looking for the possibility of modifying and selling specialized firmware for intelligent gas, water and electricity meters, since the Russian government has authorized the replacement of all utility meters with smart ones connected to the Internet. Judging by reports on the forums, so far there is only one monetization plan - to physically sell modified meters as a means of saving on monthly utility bills for electricity, water and gas. Perhaps in the future, hacking smart meters will become a new way of criminal earnings, but as of September 2019, hacking these devices is more like hacktivism than professional attacks, noted Trend Micro.
As a result, Trend Micro experts share a forecast of IoT-related threats for the next 12-18 months (2019-2020):
- A decrease in the number of hacked routers, because most attacks involve changing DNS settings, which is easy to prevent. If ISPs and router manufacturers begin to protect these settings, new attack vectors may appear.
- An increase in attacks on Industrial Internet of Things (IIoT) devices, with extortion used as the means of monetization.
- New tools for IoT/IIoT attacks and the popularity of two major commercial malware sets for IoT.
- The emergence of more complex threats, such as low-level rootkits or firmware infection.
- New original ways to monetize the infection of smart devices.
- The development of an ecosystem of automated attacks.
2018: Nokia Threat Intelligence Report
In November 2018, Nokia published a report according to which the share of IoT botnets among all malware in the networks of communication service providers increased to 78% in 2018. This is more than twice as high as in 2016, when botnets began to be talked about as a significant threat. It is predicted that in 2019 the situation will only worsen.
2017
Gemalto: Consumers do not have confidence in the safety of IoT devices
Gemalto released data in October 2017: it turns out that 90% of consumers do not trust the security of Internet of Things (IoT) devices. That is why more than two thirds of consumers and almost 80% of organizations supported governments taking measures to ensure IoT safety.
The main concern of consumers (according to two-thirds of respondents) is hackers who could take control of their device. In fact, this worries them more than data breaches (60%) and hackers' access to personal information (54%). Although more than half (54%) of consumers own IoT devices (on average, two devices per person), only 14% consider themselves well informed about the security of these devices. These statistics show that both consumers and enterprises need additional education in this area.
As for the level of investment in security, the survey showed that manufacturers of IoT devices and service providers spend only 11% of their total IoT budget on securing IoT devices. The study showed that these companies do recognize the importance of protecting the devices and the data they generate or transmit, and 50% of companies provide security based on a project approach. Two thirds (67%) of organizations report using encryption as the main method of protecting IoT assets, with 62% encrypting data as soon as it reaches the IoT device and 59% when it leaves the device. Ninety-two percent of companies saw an increase in sales or use of the product after the introduction of IoT security measures.
Support for IoT security rules is gaining momentum
According to the survey, companies support provisions that make clear who is responsible for securing IoT devices and data at each stage of their use (61%) and what the consequences of non-compliance with security requirements are (55%). In fact, almost every organization (96%) and every consumer (90%) needs government-level Internet of Things security regulations.
Lack of comprehensive partnership opportunities
Fortunately, companies are gradually realizing that they need support in understanding IoT technology and are turning to partners for help, favoring cloud service providers (52%) and IoT service providers (50%). The main reason cited is most often a lack of experience and skills (47%), followed by help with and acceleration of Internet of Things deployment (46%).
While such partnerships can benefit businesses when implementing the IoT, organizations recognize that they do not have full control over data collected by IoT products or services when they move from partner to partner, potentially leaving them unprotected.
HomeHack vulnerability allows control of LG SmartThinQ IoT devices
Check Point Software Technologies Ltd., a provider of cybersecurity solutions worldwide, announced on October 26, 2017 the discovery of HomeHack, a vulnerability that could leave millions of SmartThinQ smart home devices at risk of hacking and remote control. HomeHack allowed Check Point researchers to create a fake LG account and then use it to take over an LG user's account and smart devices.
Control of smart devices
Vulnerabilities in the LG SmartThinQ mobile and cloud applications allowed Check Point researchers to log into the SmartThinQ cloud application remotely and, having taken over the LG account, gain control of the vacuum cleaner and the video camera built into it. Having gained control of a particular LG user's account, an attacker can control any LG device associated with that account, including vacuum cleaners, refrigerators, stoves, dishwashers and washing machines, hairdryers and air conditioners, the company said.
User Surveillance
The HomeHack vulnerability gives hackers the opportunity to monitor users' home life through the video camera of the Hom-Bot robot vacuum cleaner, which sends video in real time to the LG SmartThinQ application as part of the HomeGuard Security feature. Depending on the LG device model, attackers can also turn dishwashers or washing machines on and off.
Video: how an attack can be carried out through the HomeHack vulnerability
Vulnerability Fixed
Check Point discovered the vulnerability on July 31, 2017 and reported it to LG, respecting the privacy policy. LG fixed the vulnerabilities in the SmartThinQ application at the end of September.
How to protect yourself
To protect against possible hacking of LG SmartThinQ mobile applications and devices, Check Point recommends that users:
- Update LG SmartThinQ to the latest version (V1.9.23). This can be done through the Google Play Store, the Apple App Store, or the settings of the LG SmartThinQ application.
- Update your Smart Home devices to the latest version. To do this, click on the "smart home product" under the SmartThinQ toolbar (if an update is available, the user will receive a pop-up alert).
About SmartThinQ Devices
Smart devices and SmartThinQ security solutions from LG allow users to check and maintain the condition of their home from a smartphone. According to LG, in the first half of 2016 alone, sales of the Hom-Bot robotic vacuum cleaner exceeded 400 thousand units. In 2016, 80 million smart devices were sold worldwide - 64% more than in 2015.
Hackers attacked the university's IoT device network
Companies and organizations around the world are increasingly facing cyber attacks that can stop or seriously slow their business operations, according to a report from Verizon (spring 2017). In particular, security experts cite the example of an unnamed American university, which faced a major hacker attack through a network of more than five thousand IoT devices on campus[11].
Experts call this type of attack a "botnet fence." Initially, the university's IT staff registered many complaints about a slow or completely unavailable Internet connection on campus. A check revealed that the university network's DNS servers made a huge number of requests, and that many subdomains with names associated with seafood had been created. A more detailed investigation identified more than five thousand separate devices that sent hundreds of DNS requests every fifteen minutes.
"Among these devices, almost all belonged to the network segment that makes up our Internet of Things infrastructure. The situation was extremely difficult, since today cyber-attack specialists are well prepared to fix problems with third-party access to computers or servers, but do not have the slightest idea what to do in the event of an attack on Internet of Things devices, except for a complete replacement of each beverage machine and each lamppost," the Verizon report says.
The study showed that the botnet that took over the university's network of Internet of Things devices spread from one device to another, gaining access to devices with weak or entirely absent passwords by brute force (exhaustive search). To regain control of the compromised devices, university experts used a special algorithm that intercepts the passwords of hacked devices and then quickly replaces them before the malware has time to update.
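The symptom described above (individual devices sending hundreds of DNS requests every fifteen minutes) can be checked for directly in resolver logs. The following is an added example, not taken from the Verizon report: the log format, the 100-query threshold, the IP addresses and the domain names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
WINDOW = 15 * 60   # seconds: the fifteen-minute interval from the report
THRESHOLD = 100    # assumption: "hundreds" of requests per window

def parse(line):
    # Constructed log format: "<ISO timestamp> <client IP> <queried name>"
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip(".")

def parent_domain(qname):
    # Rough guess: last two labels (assumption, no public-suffix lookup)
    return ".".join(qname.split(".")[-2:])

def noisy_clients(lines, threshold=THRESHOLD):
    """Return the busiest window of every client that reaches the threshold."""
    buckets = defaultdict(list)  # (client, window index) -> queried names
    for line in lines:
        ts, client, qname = parse(line)
        idx = int((ts - EPOCH).total_seconds()) // WINDOW
        buckets[(client, idx)].append(qname)
    flagged = {}
    for (client, idx), names in buckets.items():
        if len(names) < threshold:
            continue
        if client in flagged and flagged[client]["queries"] >= len(names):
            continue
        flagged[client] = {
            "window": EPOCH + timedelta(seconds=idx * WINDOW),
            "queries": len(names),
            "unique": len(set(names)),  # many one-off names suggests generated subdomains
            "parents": {parent_domain(n) for n in names},
        }
    return flagged

def sample_log():
    # Constructed data: one chatty device and one quiet laptop (hypothetical addresses)
    start = datetime(2017, 3, 1, 9, 0, 0)
    words = ["shrimp", "crab", "tuna"]
    lines = [f"{(start + timedelta(seconds=2 * i)).isoformat()} 10.20.0.5 "
             f"{words[i % 3]}{i}.example.test" for i in range(300)]
    lines += [f"{(start + timedelta(minutes=3 * i)).isoformat()} 10.10.0.7 "
              "www.example.org" for i in range(5)]
    return lines

if __name__ == "__main__":
    for client, info in noisy_clients(sample_log()).items():
        print(client, info["window"], info["queries"], info["unique"], sorted(info["parents"]))
```

A client that is flagged with nearly as many unique names as queries, all under one parent domain, is a candidate for isolation from the rest of the network while its credentials are changed.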
2016: Hackers hacked the toilet for the first time
Futuristic high-tech toilets are very vulnerable to cyber attacks. This was proved by a group of hackers working in the security division of Panasonic, the Mirror wrote in February 2016[12].
The head of the unit, Hikohiro Lin, said that the smart toilet, which is controlled from a smartphone over a Bluetooth wireless connection, is very easy to hack. As a result, hackers gain access to all the capabilities of the device: for example, they can flush the toilet at any time and frighten the person using it.
According to the researchers, the hack was easy because of the standard password, which is set by the manufacturer and is almost never changed by users themselves.
"Whenever someone uses the toilet, we can control everything," said Hikohiro Lin. It is worth noting that, according to many experts, developers of devices for the "Internet of things" pay too little attention to security issues. As a result, hackers, using vulnerabilities in software, can steal the personal data of device owners.
Security Standardization
2019: Russian experts became co-editors of the international standard of the Internet of Things in the field of security
On June 11, 2019, it became known that Technical Committee 194 "Technical Committee of Cyber-Physical Systems (TC 194)" of Rosstandart, created on the basis of RVC and representing the Russian Federation, received the status of co-editor of the international standard ISO/IEC Internet of Things technology.
Notes
1. The UK is preparing a law to protect IoT devices
2. Are (IoT) Smart Homes of the Future As Smart As They Say?
3. Europe twists the nuts of the Internet of things
4. Gartner Says Worldwide IoT Security Spending Will Reach $1.5 Billion in 2018
5. A faulty DNS vulnerability endangers millions of IoT devices
6. A popular new sextortion scam tricks victims into thinking they are being recorded on their Nest cameras
7. harbors hidden threats.
8. Your Fridge and Your Laptop Should Not be on the Same Network: FBI
9. In the 1st half of 2019, more than 100 million attacks on IoT devices were recorded
10. Internet of Things (IoT): history of malwares
11. IoT devices are defenseless to hackers
12. Hackers take control of a TOILET using bog-standard computer skills