July 16, 2020, by Cybersixgill

Your Front Door is Actually a Backdoor

The IoT industry is booming: from connected cars to traffic lights, home security systems, connected toys and smart speakers, the IoT market has been growing for some time and is due to reach 31 billion connected devices by 2020 and 75 billion devices by 2025.

Internet-connected home devices like Alexa, the Ring doorbell, Apple’s HomePod and Google Nest allow users to control and monitor their connected devices from smartphones or other networked devices, order groceries, stream music and more.

They are convenient, and for that reason, they’ve grown very popular.

These devices, however, have given hackers a cheap and easy way to invade our privacy.

The COVID-19 pandemic sparked a massive change in work-from-home policies. Many companies have adjusted well, and many will allow employees to continue working from home even after the crisis has ended - and this has serious implications for corporate and organizational cybersecurity.

"The 'S' in IoT stands for security"

As the old (2016) joke goes, there is no “S” in “IoT”. For an industry that is booming, security is overlooked - almost to the point of negligence.

Most people will dismiss the severity of the issue by saying something along the lines of “Who the heck cares about my TV/doorbell/intercom/smart speaker?” Well, they’re somewhat right. Except they’re also wrong: those “dumb” smart devices are low-hanging fruit for hackers/threat actors to gain an initial foothold - and then escalate from there. Your IoT devices are connected to other devices in your home, and in pandemic times, if you’re working from home, your corporate network is most likely exposed as well.

The average IoT device is the target of roughly five attacks per day, with midnight being the most common time of execution, as users tend to be less active then and won’t witness a device’s strange behavior. Every second, 127 new IoT devices are connected to the web. For 2020, experts estimate the installation of 31 billion IoT devices.

Do the math.

From Trolling to Controlling

Hackers gain access to resources using credentials sold on the dark web - usernames/email addresses and passwords. Since most people use the same passwords for every website, account or app, reuse acts as a multiplier for a list’s effectiveness: when one company’s accounts are compromised, hackers can use the same list to access accounts at other companies that share the same usernames and passwords.

Since most internet-connected home tech devices are loosely secured, hackers can gain access using relatively easy techniques and wreak havoc. Compromising images captured inside the home could be used for blackmail - and that is kids’ stuff. But here is where it gets interesting, and here is where it can get real ugly, real fast: hackers “pivoting” from a router or virtual assistant to assets like laptops or desktops. As more people work from home, they sit outside the relatively well-secured perimeter of their corporate network. Access to IoT devices could eventually allow hackers to plant ransomware on a company laptop, extract sensitive company data, or use masquerading/credential stuffing to escalate privileges on corporate networks.

Masquerading and Credential Stuffing

When it comes to unauthorized access, these attacks are the greatest threat against smart home systems. Since many users reuse the same username/password combination across multiple sites (with one survey reporting that 81% of users have reused a password across two or more sites and 25% of users use the same password across a majority of their accounts), and since the 2019 mega-leak of personal data made a billion usernames and passwords available, it is already easy for hackers to leverage IoT devices’ flimsy security as a starting point for privilege escalation attempts on corporate networks. It’s like having a scarecrow guard your data servers: it might be funny, but it is certainly impractical.

Security teams need to take a hard look at the security hygiene of their employees and strengthen security beyond encouraging two-factor authentication, encrypted laptops and the enforcement of unique password policies. It requires continuous reconnaissance of underground resources and acting on leaked data in real time, before it comes knocking on the corporate door - or, actually, ringing the smart doorbell.
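As an added illustration (not code from Cybersixgill or its report), the credential-stuffing pattern described above is detectable on the defender’s side: a source replaying a leaked list tries many distinct usernames in a short window and mostly fails, unlike a real user mistyping one password. The log format, sample lines and thresholds are assumptions made for this example.

```python
"""Flag credential-stuffing patterns in authentication logs (assumed format).
A source replaying a leaked username/password list tries many distinct
usernames in a short window and mostly fails; a typo-prone real user does not."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<ISO time> <src_ip> <user> <result>"
SAMPLE_LOG = """\
2020-07-16T00:01:02 203.0.113.9 alice FAIL
2020-07-16T00:01:03 203.0.113.9 bob FAIL
2020-07-16T00:01:04 203.0.113.9 carol FAIL
2020-07-16T00:01:05 203.0.113.9 dave FAIL
2020-07-16T00:01:06 203.0.113.9 erin FAIL
2020-07-16T00:01:07 203.0.113.9 frank OK
2020-07-16T00:05:00 198.51.100.4 alice FAIL
2020-07-16T00:05:10 198.51.100.4 alice OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(log_text, min_users=5, min_fail_ratio=0.7,
                    window=timedelta(minutes=10)):
    """Return {src_ip: stats} for sources that look like list replay."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse(line)
            events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance start until evs[start:end+1] all fall within one window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if (len(users) >= min_users and fails / len(chunk) >= min_fail_ratio
                    and len(users) > flagged.get(ip, {}).get("users", 0)):
                # keep the widest matching window; any success inside it is a
                # credential the attacker has validated and that must be rotated
                flagged[ip] = {"users": len(users), "fails": fails,
                               "compromised": sorted(u for _, u, ok in chunk if ok)}
    return flagged
```

The `compromised` list is the actionable output: those accounts were accepted during a replay run, so the password is known to be on a leaked list and should be reset and enrolled in two-factor authentication.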

For a closer look at how the dark web puts users of smart home devices, and their employers, at risk – and for best practices to mitigate this threat – download Cybersixgill’s full report Knock, Knock! When the Underground Comes A-knocking: Hack & Exploits of Smart Home Devices.
