Internet-connected home devices like Alexa, the Ring doorbell, Apple’s Homepod and Google Nest allow users to control and monitor their connected devices from smartphones, or other networked devices, order groceries,stream music and more.
They are convenient, and for that reason, they’ve grown very popular.
The COVID-19 pandemic sparked a massive change in work-from-home policies. Many companies have adjusted well and many will allow employees to continue working from home even after the crisis has ended - and this poses serious implications for corporate and organizational cybersecurity.
"The 'S' in IoT stands for security"
As the old (2016) joke goes: - there is no “S” in “IoT. For an industry that is booming, security is overlooked - almost on the verge of being negligent.
Most people will dismiss the severity of the case by saying something along the lines of “Who the heck cares about my TV/doorbell/Intercom/Smart speaker?” Well, they’re somewhat right. Except they’re also wrong: those “dumb” smart devices are low hanging fruit for hackers/threat actors to gain access - and then escalate from there. Your IoT devices are connected to other devices in your home, and in Corona times, if you’re working from home, your corporate network is most likely exposed.
Your average IoT device is the target of an average of five attacks per day, with midnight being the most common time for execution – as users tend to be less active and won't witness devices’ strange behaviors. Every second—127 new IoT devices are connected to the web. During 2020—experts estimate the installation of 31 billion IoT devices.
Do the math.
From Trolling to Controlling
Hackers gain access to resources using credentials sold on the dark web - usernames/email addresses and passwords. Since most people use the same passwords for every website, account or app it acts as a multiplier for a list effectiveness: when one company’s accounts are compromised, hackers can use the same list to access accounts on other companies with the same usernames and passwords.
Since most internet-connected home tech devices are loosely secured, hackers can gain access using relatively easy techniques, and wreak havoc. Compromising images taken from in-home could be used for blackmail - this is kids’ stuff. But here is where it gets interesting, and here is where it can get real ugly, real fast. It gets real with hackers “pivoting” from a router or virtual assistant to assets like laptops or desktops. As more people work from home, they sit beyond a rather secured perimeter of their corporate network. Access to IoT devices could eventually allow hackers to insert ransomware on a company laptop, extract sensitive company data, or use masquerading/credential stuffing to escalate privileges on corporate networks.
Security teams need to take a hard look at the security hygiene of their employees and strengthen security beyond encouraging two-factor authentication, encrypted laptops, and enforcement of unique password policies. It requires continuous reconnaissance of underground resources, and thwarting leaked data in real-time, before it comes knocking on their corporate door, or actually, ringing their smart doorbells.
For a closer look at how the dark web puts users of smart home devices, and their employers, at risk – and for best practices to mitigate this threat – download Sixgill’s full report Knock, Knock! When the Underground Comes A-knocking: Hack & Exploits of Smart Home Devices.