Cybercrooks could easily watch people in private and public spaces via webcams, stream the video directly to the internet, or turn the device into a bot.
Out of all the cybercrimes from malware to social engineering, the creepiest has to be a stranger watching your child through a webcam or baby monitor in their room. As this year’s Mobile World Congress starts in Barcelona, Avast researchers reveal that half a million smart devices in the city, including webcams and baby monitors, are currently vulnerable to cyber attack.
Thousands of mobile and technology industry executives are at Mobile World Congress 2017 this week. The Avast experiment shows these professionals and the public that the smart devices making up the Internet of Things (IoT) are at risk if intercepted by cybercriminals. Until it is addressed, this growing problem will only worsen as the number of devices connected to the internet increases.
IoT device vulnerabilities open you up to attack
Together with IoT search engine specialists Shodan.io, Avast identified more than 22,000 webcams and baby monitors in Barcelona that are vulnerable to attack. That means that with very little effort, a cybercriminal could livestream videos from these devices directly to the internet.
“If webcams are set to livestream, for example, hackers or anyone can connect, making it easy for cybercriminals to spy on innocent Mobile World Congress trade show visitors, or oblivious school pupils, workers or citizens nearby,” said Vince Steckler, CEO at Avast.
With a little extra effort and know-how, hackers can also find out the type of device – whether it’s a webcam, printer, coffee machine, refrigerator, etc. – as well as its brand, its model, and the version of software it is running.
“In the future, we could also see cases where cybercriminals harvest personal data, including credit card information from unsuspecting IoT users,” said Steckler.
Problem grows as number of devices increases
The findings identified more than 493,000 smart devices in Barcelona and 5.3 million in Spain overall – including smart kettles, garage doors, thermostats, and other IP-enabled devices connected to the internet. With hundreds or thousands of vulnerable devices, cybercriminals can create a botnet capable of taking down servers and websites. Once a device is infected, it can be used to infect other devices, add them to a botnet, or take control of them and harm their owners. This includes kitchen and other household devices, to which cybercriminals can send remote commands, for example, to heat up water in a kettle.
“With databases of commonly known device vulnerabilities publicly available, it doesn’t take a vast amount of effort and knowledge for cybercriminals to connect the dots and find out which devices are vulnerable,” said Steckler. “And even if the devices are password protected, hackers often gain access by trying out the most common user names and passwords until they crack it.”
In the experiment, Avast found:
More than 5.3 million vulnerable smart devices in Spain, and more than 493,000 in Barcelona
More than 150,000 hackable webcams in Spain and more than 22,000 in Barcelona
More than 79,000 vulnerable smart kettles and coffee machines in Spain
More than 444,000 devices in Spain using the Telnet network protocol, a type of protocol that was abused to create the Mirai botnet, which attacked Dyn in 2016, leading to the crash of internet sites like Twitter, Amazon, Reddit, etc.
Secure your connected devices
To stay aware of vulnerabilities and secure all connected devices against unwanted attacks, users need to do their part in making the online world a safer place by keeping device software updated and choosing strong, complex passwords. Find out how to secure your home network.
Additionally, Avast will soon launch a new feature in its Avast Wi-Fi Finder Android app. Avast Wi-Fi Finder lets users find secure and high-speed Wi-Fi when on the go. In the new version, the app will automatically scan Wi-Fi networks for vulnerable devices and allow users to address any security issues by providing step-by-step remediation instructions. The app will be updated with the new scanner feature in the summer.