Smart home devices like Alexa, the Ring doorbell, and Google Nest allow users to check the weather, monitor home deliveries, stream music, and a lot of other things. They are convenient, and for that reason, they’ve grown incredibly popular.
These devices, however, have given hackers a cheap and easy way to invade privacy, spy on private moments, and bully families.
In most cases, threat actors are breaking into these systems for fun. They troll innocent victims from afar to entertain themselves.
The trolling and bullying that dominate home tech hacks obscure more serious security risks attached to these devices. The ease with which hackers gain access to home tech devices poses serious implications for corporate and organizational cybersecurity as millions of workers have started working from home amid the coronavirus pandemic.
Our research team recently scanned the dark web for mentions of internet-connected virtual assistants and security devices. These systems can include the name-brand devices like Alexa and Nest, as well as other connected cameras, doorbells and door locking mechanisms, alarm systems, and thermostats, among others. They commonly fall under the category of Internet-of-Things (IoT) devices.
Unlike the vast majority of dark web schemes, we didn’t find that the goal of intrusions into these devices was connected to immediate financial gain. For the most part, hackers accessing IoT devices seem primarily interested in trolling and spying.
But our research also uncovered powerful evidence that the administrators of dark web forums make strategic calculations about the kinds of crimes they allow on their systems - and that they see home tech hacks as a significant risk.
Censoring the Hackers
After trolls used unauthorized access to a family’s Ring camera to spew racist obscenities, several dark web administrators banned the discussion Ring systems on their forums. While we could not find an explicitly stated reason for the ban, it appears that the administrators feared media attention of the hacks could bring unwanted scrutiny on the forums themselves.
Such actions are not without precedent. Child pornography is generally prohibited content in “mainstream” underground forums and marketplaces for both moral reasons and because such content can draw the attention of authorities. Similarly, some underground marketplaces have also banned the sale of fentanyl, which has been under intense scrutiny from law enforcement as a result of the opioid epidemic.
While the very nature of some forums and marketplaces is illegal activity, there is belief that avoiding some pursuits may redirect the surveillance of investigators elsewhere. The administrators of one forum do not leave any room for confusion on this matter. Just prior to the forum’s decision to ban Ring/Next content, a threat actor provides an apology for how a recent trolling session may have placed a “target on” the forum.
Beyond Trolling: A Looming Threat
The COVID-19 pandemic sparked a massive change in work-from-home policies. Many companies have adjusted well and many will allow employees to continue working from home even after the crisis has ended. This requires security teams to take a hard look at the security hygiene of their employees and enforce new policies to fit the bill.
Primarily, hackers gain access to IoT devices with information that is commonly bought and sold on the dark web: email addresses and passwords. Consumers tend to use the same password over and over. When accounts for Company A are compromised, hackers buy that list and use the emails and passwords to gain access to accounts at companies B, C, D, and E.
But because most smart home devices require the users to establish an account, hackers can gain access to these systems using relatively easy techniques, and cause serious damage.
Compromising images taken from in-home could be used for blackmail, hackers could also “pivot” from a router or virtual assistant to assets like laptops or desktops. That’s a serious risk to companies. As more people work from home, they sit beyond the rather secure perimeter of corporate networks. Access to IoT devices could eventually allow hackers to insert ransomware on a company laptop, or ex-filtrate sensitive company data.
That’s one reason many cybersecurity professionals recommend two-factor authentication, use of encrypted laptops, as well as applying unique passwords for each device and access points..
Unlike the vast majority of dark web schemes, we didn’t find that the goal of intrusions into these devices was connected to immediate financial gain. Hacking smart home devices remains a hobby for technically sophisticated trolls. The rewards are low, and the risks of additional scrutiny are high enough that some forums have banned discussions of it.
But that could change rapidly. As the increased number of remote employees increases the number of endpoints, it may also create new avenues to monetize these hacks. The ease with which hackers gain access to these devices makes it vitally important that security researchers monitor developments in this space.
For a closer look at how the dark web puts users of smart home devices at risk – and for best practices to mitigate this threat – download Sixgill’s full report Knock, Knock! When the Underground Comes A-knocking: Hack & Exploits of Smart Home Devices.