The consumer advice group Which? set up a fake home and filled it with connected products bought from online marketplaces: smart TVs, printers and wireless security cameras, as well as less usual gadgets such as Wi-Fi kettles. Researchers then connected them to the internet, exposing them to real-world online threats and malware deployed by criminals.
Working with the cyber security firm NCC Group and the Global Cyber Alliance, Which? looked for two kinds of activity: unique scanning attempts, a technique for locating devices online that sits in a legal grey area and is often the first step of an attack, and hacking attempts, which Which? points out are a clear breach of UK law, the Computer Misuse Act.
The researchers saw 1,017 unique scans or hacking attempts in the first week of testing, at least 66 of them for malicious purposes. That figure rose to 12,807 unique scans or attack attempts against the home devices in the busiest week, including 2,435 specific attempts to log into the devices maliciously using a weak default username and password. Spread over the 168 hours of that week, that works out at roughly 14 attempts every hour by real attackers to get into the devices.
The most targeted devices in the testing were an Epson printer, an ieGeek branded wireless camera and a Yale smart home security system. All three were purchased from Amazon. While the hacking traffic was global, the vast majority appeared to originate from the USA, India, Russia, the Netherlands and China. Which? found spikes of activity between 9am and 6pm, the typical UK working day, and suggests this is because criminals know people are using their devices then, potentially for work during the pandemic, giving them more chance of hitting a target.
While not all scanning is malicious, and some is even semi-legitimate, malicious hackers use port scanning to find weak and vulnerable devices to prey upon, Which? points out.
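The study counted two distinct things: scans that probe many ports from one source, and login attempts that try weak default credentials such as 'admin' or '123456'. As an added example, not code from Which?, NCC Group or the Global Cyber Alliance (whose methodology the article does not detail), the following Python script applies that distinction to a constructed honeypot log. The log format, the sample lines, the `SCAN_PORT_THRESHOLD` and the credential pairs other than 'admin' and '123456' are assumptions made for illustration.

```python
"""Classify constructed honeypot log lines into port scans and
default-credential login attempts, the two categories the Which? study
counted. Added example; log format and sample data are invented here."""
from collections import Counter, defaultdict
from datetime import datetime

# Default credentials shipped on many consumer devices. 'admin' and '123456'
# are named in the article; the other pairs are assumed for the example.
WEAK_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "123456"),
    ("admin", "password"),
    ("root", "root"),
    ("root", "12345"),
    ("user", "user"),
}

# A source touching at least this many distinct ports is treated as a port
# scan rather than a single connection. Assumed threshold, not from the study.
SCAN_PORT_THRESHOLD = 3

# Constructed sample log: "<timestamp> <source> <event> key=value ...".
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2021-06-14T09:02:11Z 203.0.113.5 connect dport=23
2021-06-14T09:02:12Z 203.0.113.5 connect dport=80
2021-06-14T09:02:12Z 203.0.113.5 connect dport=443
2021-06-14T09:02:13Z 203.0.113.5 connect dport=8080
2021-06-14T09:02:13Z 203.0.113.5 connect dport=554
2021-06-14T09:05:40Z 198.51.100.7 login user=admin pass=123456
2021-06-14T09:05:41Z 198.51.100.7 login user=admin pass=admin
2021-06-14T09:05:42Z 198.51.100.7 login user=root pass=root
2021-06-14T10:15:00Z 192.0.2.44 connect dport=80
2021-06-14T10:15:30Z 192.0.2.44 login user=alice pass=correct-horse-battery
2021-06-14T11:30:05Z 203.0.113.5 login user=admin pass=password
"""


def parse_line(line):
    """Parse one log line into a dict with ts, src, event and any key=value fields."""
    ts, src, event, rest = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src,
        "event": event,
        **fields,
    }


def summarise(log_text):
    """Count unique sources, sources that port-scanned, and login attempts
    that used a default credential pair. A login with a non-default
    password (like alice's above) is deliberately not counted."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    ports_by_src = defaultdict(set)
    weak_logins = Counter()  # source -> number of default-credential attempts
    for rec in records:
        if rec["event"] == "connect":
            ports_by_src[rec["src"]].add(int(rec["dport"]))
        elif rec["event"] == "login" and (rec["user"], rec["pass"]) in WEAK_CREDENTIALS:
            weak_logins[rec["src"]] += 1
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= SCAN_PORT_THRESHOLD)
    return {
        "unique_sources": len({r["src"] for r in records}),
        "scanners": scanners,
        "default_cred_attempts": sum(weak_logins.values()),
        "default_cred_sources": sorted(weak_logins),
    }


def attempts_per_hour(count, days):
    """Convert a count observed over `days` days into an hourly rate, as the
    article does for its weekly figure."""
    return count / (days * 24)


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    print(f"article figure: {attempts_per_hour(2435, 7):.1f} attempts/hour")
```

In the sample, 203.0.113.5 hits five ports and is flagged as a scanner before it later tries a default password, while 198.51.100.7 never scans and goes straight to credential guessing; a real pipeline would also want to de-duplicate by source per day to match the study's "unique" counts.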
Which? noted that the UK's Product Security and Telecommunications Infrastructure Bill, expected to be introduced in 2022, aims to regulate insecure connected products. Among its provisions, universal default passwords on connected products, such as 'admin' or '123456', would be made illegal.
The consumer campaign group wants to see online marketplaces and retailers given more obligations for ensuring the safety and security of the products sold on their sites, regardless of whether the seller is a third party.
Kate Bevan, Which? Computing Editor, said: “While smart home gadgets and devices can bring huge benefits to our daily lives, consumers should be aware that some of these appliances are vulnerable to hackers and offer little or no security. There are a number of steps people can take to better protect their home, but hackers are growing increasingly sophisticated. Proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.”
Fennel Aurora, Security Advisor at the cyber firm F-Secure, said: "Unfortunately, these 'spray and pray' attacks continue to be used because they are effective. For decades, and still today, we have seen the tried-and-true approach of sending a few million spam emails or scanning the whole internet for old and badly configured Windows machines – which remains extraordinarily profitable for attackers. As technology advances, the same approach is adapted to new targets, so for many years now we see the same technique of scanning for misconfigured cloud resources and for vulnerable IoT devices, like this instance. For example, Mirai took the whole country of Liberia offline in 2016 using exactly this 'scan the whole internet for IoT with ridiculously simple vulnerabilities' approach."