Since Mobile World Congress takes place in Barcelona, security product vendor Avast took aim at the Internet of Things there. Among the findings in this latest research experiment, Avast discovered more than 22,000 webcams and baby monitors that are vulnerable to attack. Of course, this is not a problem only in Spain, but hacking vulnerable baby monitors and webcams to spy on unsuspecting people in their homes is especially creepy and invasive.
Avast has a habit of conducting Wi-Fi experiments at big events such as the Republican National Convention and Mobile World Congress 2016. The research for MWC 2017 went beyond IoT flaws in Barcelona, as Avast also took a look at IoT security in Spain and found it lacking. It found more than 5.3 million vulnerable smart devices in Spain, 493,000 of those in Barcelona.
As for hackable webcams and baby monitors, Avast found 150,000 in Spain which are just waiting to be attacked. Avast CEO Vince Steckler said, “If webcams are set to livestream for example, hackers or anyone can connect, making it easy for cybercriminals to spy on innocent Mobile World Congress trade show visitors, or oblivious school pupils, workers or citizens nearby. That in itself is a privacy minefield.”
Yet the IoT security issues involve much more than baby monitors and other types of webcams. For example, Avast found over 79,000 vulnerable smart kettles and coffee machines in Spain.
Steckler suggested that, rather than spying on people via hackable webcams, cybercrooks are far more likely to hijack “an insecure webcam, coffee machine or smart TV to turn it into a bot which, as part of a wider botnet, could be used in coordinated attacks on servers to take down major websites.”
That’s not out of the realm of possibility, since Avast found more than 444,000 devices in Spain that are using the Telnet network protocol. Telnet, the company pointed out, was a protocol abused to create the Mirai botnet that attacked DNS provider Dyn and brought big parts of the internet to its knees in 2016.
Future IoT attacks, according to Steckler, could involve cybercriminals harvesting “personal data, including credit card information from unsuspected IoT users.”
Avast tapped into Shodan to find the vulnerable smart devices, pointing out that anyone could do the same. The MWC 2017 experiment “proves just how easy it is for anyone - including cybercriminals - to scan IP addresses and ports over the Internet and classify what device is on each IP address. And, with a little extra effort and know-how, hackers can also find out the type of device (webcam, printer, smart kettle, fridge and so on), brand, model and the version of software it is running.”
Steckler added, “With databases of commonly known device vulnerabilities publicly available, it doesn’t take a vast amount of effort and knowledge for cybercriminals to connect the dots and find out which devices are vulnerable. And even if the devices are password protected, hackers often gain access by trying out the most common user names and passwords until they crack it.”
Avast recommends using the Android app Avast Wi-Fi Finder, which will be updated this summer to include the ability to automatically scan Wi-Fi networks for vulnerable devices. The app will provide step-by-step instructions to remediate identified security issues.
On March 1, Steckler is scheduled to participate in an MWC 2017 live demo showing how IoT devices can be infected and become part of a botnet.