Targeting IoT technology – Security vulnerabilities for cybercriminals

IoT technology, or the networking of devices via the internet, has been a growing buzzword in recent years. Smart home is an area in which IoT - Internet of Things - is increasingly appearing in the private sector. After all, who needs analogue devices when every device in the future can connect to the internet, thus exchanging data more quickly? But in addition to the opportunities, IoT poses plenty of high risks, especially in the area of cybersecurity. In this blog, we give you an insight into the world of IoT technology and its potential dangers.
 

Cybercriminals have also been quick to discover the opportunities available in the area of IoT for themselves. Inexpensive devices, in particular, don't exactly boast an array of sensible security features. As the BSI reported back in 2018, a case came to light regarding an IP surveillance camera from the manufacturer Fredi.¹ Heise also reported on "glaring security gaps". Through this IoT device, it was possible for attackers to intercept the video and audio stream and penetrate even deeper into the connected network. But it's not just the companies that make such devices that are to blame. Often these streams are only protected by simple authentication (username and password). If the end-users do not change the default password or choose an insecure password, the gateway for an attack is that much greater.

The most common examples of IoT devices are probably Alexa, USB dongles for streaming video, such as Google Chromecast, or home security systems. But there are now also countless other examples, such as "smart" coffee machines. The following is undoubtedly the most curious IoT encounter I have experienced in the last few years:

"eRosary" – the smart rosary for prayer support

The development by Acer and the Vatican supports users in praying various rosaries. At the same time, it is probably also possible to monitor one's fitness.

In addition to this curious example, there is also an IoT device that I personally couldn’t do without. My smart robot vacuum cleaner. As I write this article, the idea that my robot is already navigating around my home and vacuuming my floor and that I can control all this via an app is quite appealing. But to be honest, I took this really useful device out of service last month. The Chinese app, which records an exact floor plan of my flat and unintentionally sends a lot of data packets, was a bit too unsafe for me.

To prevent any of your IoT devices from being misused by cybercriminals, we recommend the following measures:

• Before making a purchase, weigh up whether the risk of data being collected outweighs the device’s function.
• Change the access data pre-set by the manufacturer, especially if the device can be accessed via the internet.
• Restrict access to the device via the internet, e.g. by only allowing access from certain IP addresses.
• If possible, activate multi-factor authentication.
• Disconnect the device from the mains and power if you will not be using it for an extended period of time.

If you have already been the victim of an attack or suspect that you have been, you should reset the device to factory settings as soon as possible. You should also search the internet for any known security vulnerabilities and see if you can prevent them when you use the device again. If you suspect that sensitive data has been lost, you should also consult external experts.

¹Sicher Informiert vom 05.08.2018 in: BSI [online] https://www.bsi-fuer-buerger.de/SharedDocs/Newsletter/DE/BSIFB/BuergerCERT-Newsletter/2018_Sicher-Informiert/14_Sicher-Informiert_05-07-2018.html [11.01.2021].