Late last year, the news was full of stories about smart cameras that had been hacked. The stories ranged from “Hackers accessed a Ring camera in their 8-year-old daughter’s room” to “Ring security camera hacks see homeowners subjected to racial abuse, ransom demands.”
While these stories were surprising and disturbing, for those of us in the security industry it wasn’t actually breaking news that smart cameras were vulnerable. What was more surprising was that it was almost 2020 and that we were still seeing these breaches to smart or connected devices.
Now, shortly after the story initially broke and a few weeks after CES, the conversation has already moved on. As internet-connected devices not only turn homes into ‘smart homes’, but expose consumers to cyber-attacks in their everyday lives, the industry needs to bring its attention back to these issues and identify potential solutions.
2013’s Problems, 2020’s Technology
Research from 2013 – the early days of the Internet of Things (IoT) – found that smart TVs could be breached with relative ease. In the 7 years since, threats have become exponentially more advanced, launched by well-funded cyber-criminal groups and nation-state proxies and leveraging automation and AI. And yet the people hacking into Ring cameras weren’t highly technical or using AI. They were script kiddies using credentials found and traded on the Dark Web to access devices that did not use 2FA or other additional security mechanisms. Imagine what a truly advanced attacker could do.
It’s no surprise then, that almost every type of IoT device has also been compromised in the last 7 years. As a threat analyst, I have helped companies identify hundreds of IoT devices, from insecure smart refrigerators and CCTV cameras, to compromised video conferencing systems and biometric scanners.
Cyber-attackers have been taking advantage of the weaknesses of IoT to infiltrate companies’ networks for many years. What is new is the way attackers are now focusing their attention on consumer devices. Many of the technologies and innovations protecting IoT devices across company networks are geared towards corporations, placing consumers in a vulnerable position.
At the same time, consumer-grade devices are inadvertently or intentionally introduced to a corporate environment. It’s impossible to enforce enterprise-grade security controls on these devices because they were never designed for the enterprise. Gaining visibility over these devices and monitoring them closely is really the only path forward for corporations. Let them in the front door, but watch them closely for when they deviate.
The success of ransomware over the last 12 months has only spawned more cyber-criminal organizations and more variants of ransomware. Yet as businesses implement technology that can detect and stop ransomware and other machine-speed threats in their tracks, we should expect to see ransomware evolve. I have anticipated that ransomware will expand into the consumer-sphere for some time now, and with Ring cameras we’re starting to see this new reality emerge.
During one Ring camera hacking incident, the attacker demanded that the family pay them 50 bitcoin, threatening physical violence if they didn’t comply. In this instance no ransom was paid and there was no violence, but subtle changes to the attack will make this a more dangerous tactic – consider it the new age of “swatting”.
Smart cameras aren’t the only technology that an adversary could use to extort ransom from everyday Americans. An attacker could program your thermostats to 85 degrees, or to 45, only changing it when you paid a ransom. An adversary could manipulate your smart locks, locking you out of your house. At CES earlier this month, numerous new smart home devices were announced – ranging from electrical plugs, to wall panels, to shower heads. The list of smart home devices is endless and attackers are endlessly creative.
Given my background, I’m somewhat paranoid when it comes to these devices – even I have some of them in my own home. We face the problem of whether society will realize the risk, or if the convenience will outweigh that risk. Are we already too late?
Who’s to Blame?
In the wake of the Ring hacks, much of the coverage attempted to identify who was responsible. Was it the producers of the cameras for not alerting users to anomalous log-ins? Was it the families who didn’t have two-factor authentication (2FA) enabled? Is Ring unreasonable to expect its users to implement 2FA?
The responsibility is shared. Developers of these devices should assume that consumers will not be practicing perfect – or even good – cyber hygiene. Simply forcing them to do so is a step in the right direction. That being said, if it is the responsibility of the developers, companies run the risk of losing market share by making devices too complex to use.
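Two of the checks a device vendor could run on its own login logs are illustrated below: flagging a successful login from a country an account has never used, and flagging a source address that tries many different accounts in a short window, which is what reused leaked credentials look like from the server side. This is an added example written for this post, not Ring’s or any vendor’s code, and the login records are constructed.

```python
from collections import defaultdict

# Constructed sample of device-login events (not real data):
# (epoch_seconds, account, source_ip, country, success)
LOGINS = [
    (1000, "alice", "198.51.100.10", "US", True),
    (2000, "alice", "198.51.100.10", "US", True),
    (1500, "bob",   "203.0.113.7",   "US", True),
    # one unknown source trying many accounts within seconds: leaked-credential pattern
    (5000, "carol", "192.0.2.99", "NL", False),
    (5010, "dave",  "192.0.2.99", "NL", False),
    (5020, "erin",  "192.0.2.99", "NL", False),
    (5030, "alice", "192.0.2.99", "NL", False),
    (5040, "bob",   "192.0.2.99", "NL", True),   # reused password worked; no 2FA to stop it
    (9000, "alice", "198.51.100.10", "US", True),
]

def build_baseline(logins, before):
    """Countries each account successfully logged in from before `before`."""
    seen = defaultdict(set)
    for ts, acct, _ip, country, ok in logins:
        if ok and ts < before:
            seen[acct].add(country)
    return seen

def anomalous_logins(logins, baseline, since):
    """Successful logins (at or after `since`) from a country the account never used."""
    alerts = []
    for ts, acct, ip, country, ok in sorted(logins):
        if ok and ts >= since and country not in baseline.get(acct, set()):
            alerts.append((acct, ip, country))   # candidate for a user notification
    return alerts

def stuffing_sources(logins, window=300, min_accounts=4):
    """Source IPs that attempted at least `min_accounts` distinct accounts in `window` seconds."""
    by_ip = defaultdict(list)
    for ts, acct, ip, _country, _ok in logins:
        by_ip[ip].append((ts, acct))
    flagged = []
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            accts = {a for t, a in events[i:] if t - t0 <= window}
            if len(accts) >= min_accounts:
                flagged.append(ip)
                break
    return flagged
```

Both checks are cheap to run at login time, and either one would have given the household a warning before the intruder started talking through the camera.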
This will be a long-term problem, and we can’t begin to address it if we don’t know where to start. The conversation needs to focus on tangible actions that the industry can take to move forward. In 2020, homes will only become more connected and consumers more vulnerable.
Companies have been making strides – building more security features into their IoT systems, providing more information to consumers about the potential risks – but cyber-actors move faster than large corporations. Has anyone looked at all the CES devices this year and evaluated which are more secure than others? Should consumers be given a risk score to using certain devices?
Cybercriminals are a creative bunch, spending countless hours finding loopholes and ways to exploit or break what has been fixed. The industry needs to come up with a long-term solution: one that can keep pace with cyber-threats as they evolve, and keep up as new IoT devices are released.