Mobile World Congress 2017: Avast CEO demonstrates security threats targeting IoT devices

Stefanie Smith 1 Mar 2017

Avast’s Vince Steckler showcased IoT threats and spoke about the importance of securing devices to protect consumers at GSMA’s Enabling IoT Security conference.

 

Today, our CEO, Vince Steckler, took the stage at Mobile World Congress to discuss current threats targeting Internet of Things (IoT) devices, how consumers are affected, and how the industry needs to come together to secure these devices.

On stage with him was a router, a webcam, a smart coffee machine, and a smart kettle. He used these smart devices to demonstrate how they were unprotected by carrying out a cyberattack on them live on stage.

The future of IoT

Vince began his talk by introducing our connected world today, where most of us use IoT devices for everyday tasks, such as tracking our steps on our smart watch or controlling the temperature in our homes, all without a second thought. The number of smart devices we welcome into our homes will increase exponentially in the next few years.

Industry figures predict this growth in no uncertain terms. Juniper Research believes the number of IoT devices will increase by 285% by 2020, meaning there could be 38.5 billion connected devices in the world three years from now. Vince then posed the key question: Is security important when it comes to IoT devices?

IoT devices are low-hanging fruit for hackers

Many, if not all, smart devices in our homes connect to the router. Using our Wi-Fi Inspector feature, we investigated the status of Avast users’ routers and found that almost 41% of Avast users have a router with a software vulnerability, a weak/default password protecting their router, or an open network. Vince pointed out that these figures illustrate how routers are often vulnerable, which in turn also puts IoT devices connecting to the router at risk.

Vince then posed the question: How secure is Barcelona? Avast had carried out research using Shodan.io prior to Mobile World Congress to investigate how secure IoT devices in Barcelona and Spain are and found 493,000 unsecured IoT devices in Barcelona and 5.3 million in total across Spain. This broke down to 150,000 hackable webcams in Spain and 22,000 in Barcelona alone. Across Spain, we detected 79,000 smart kettles and coffee machines that were open to attack.

Having presented these shocking stats, Vince then invited our Threat Intelligence Researcher, Filip Chytry, on stage to help him show the audience some of the prevailing threats targeting these sorts of unsecured connected devices by carrying out the live attack on the smart devices on stage.

Filip began by infecting the webcam on stage with code used by the Mirai botnet, which took down popular sites like Twitter and Reddit last year. Filip then infected the kettle with the Mirai malware and used it to trigger the kettle to boil water. Next, the coffee machine was infected and, like the kettle, was commanded to start brewing.

The implications of IoT threats for consumers

Vince then addressed the issue of the implications these threats have for consumers and what really is the worst that could happen. Many consumers don’t bother to change the default password or adjust any specs of their router from the day they install it. Webcams and other connected devices are sold without built-in security and even if these IoT devices are vulnerable, how many of us would think of updating our refrigerator's firmware, for example?

Apart from it seeming malicious for a hacker to share images taken by a webcam, a lot of us don’t see what the problem is. However, we should consider that we as connected citizens are all responsible for securing our devices, not just to protect ourselves, but others too. This becomes especially true when you take into account how many more connected devices will enter our lives in the upcoming years and the potential damage that can be done when hackers abuse these devices, which will increasingly hold more sensitive information about us.

Bringing the industry together to take on IoT security

Vince then proposed three simple steps on how the industry can come together to tackle IoT security in order to prevent future attacks.

Firstly, we need to start making connected devices and sensors “secure by design”. At this practical level, the industry can secure the gateway and keep improving detection rates. If we think about putting security first, it should be implemented from the very beginning: featured at the design stage and layered in as a necessity, instead of being viewed as a ‘nice to have’.

Secondly, everyone across the industry needs to step up. Most consumers aren’t even aware there is a problem, let alone what the solution would be. While nearly all industry manufacturers are under pressure to cut costs, make margins and ship quickly to market, the real costs of not incorporating security need to be considered.

Thirdly, Vince explained that the industry cannot expect consumers to know what to do. Security is complicated even when made easy, because technology is moving so quickly. The industry needs to find a way to help users educate themselves on the responsibility they have to their own homes and families and also to the wider connected community to secure their connections. The industry then needs to give users back control - and make it easy for them to understand what devices they need to secure and how they need to secure them.

Where next for IoT security?

Wrapping up his presentation, Vince proposed that industry players, including Avast, should seek to collaborate to put three things into place:

  1. Open standards development - a framework of general security rules the entire industry can get behind.
  2. A framework for cross-industry collaboration.
  3. Agreed accountability - a commitment to doing security checks, whether we are in hardware or software, for anything that connects to the internet.

Vince concluded by saying that there is no simple solution to this problem, which will only become more complex over time, but the opportunity is to focus on IoT security now rather than leaving it until more serious issues come to light.
