{"id":1667,"date":"2019-05-01T03:05:59","date_gmt":"2019-05-01T03:05:59","guid":{"rendered":"http:\/\/kusuaks7\/?p=1272"},"modified":"2023-07-21T11:40:32","modified_gmt":"2023-07-21T11:40:32","slug":"heres-how-internet-of-things-malware-is-undermining-privacy","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/iot\/heres-how-internet-of-things-malware-is-undermining-privacy\/","title":{"rendered":"Here\u2019s how Internet of Things malware is undermining privacy"},"content":{"rendered":"

The Internet of Things (IoT) is increasingly part of our everyday lives, with so-called \u201csmart\u201d speakers especially popular, But for all their undoubted technical merits, they also represent a growing threat to privacy, as\u00a0this blog has reported before<\/a>.<\/p>\n

<\/p>\n

There are several aspects to the problem. One is that devices with microphones and cameras may be\u00a0monitoring what people say and do directly. Sometimes users may not even be aware that there is a microphone present,\u00a0as happened with Google\u2019s Nest<\/a>. Another is\u00a0the leakage of sensitive information\u00a0from the data streams of IoT devices. Finally, there is the problem summed up by what is called by some \u201cHypp\u00f6nen\u2019s law<\/a>\u201c: \u201cWhenever an appliance is described as being \u2018smart\u2019, it\u2019s vulnerable\u201d.<\/p>\n

Mikko Hypp\u00f6nen is Chief Research Officer at F-Secure, which offers security products and services. The company has released an interesting report that delves more deeply into the issue of people\u00a0finding and using flaws in IoT devices<\/a>. It\u2019s a rapidly growing problem. In part, that\u2019s because there are now billions of IoT products used in homes and connected to the Internet. One report estimates\u00a0there are already seven billion IoT devices<\/a>, a number predicted to triple by 2025. That huge pool of potentially vulnerable systems makes it worthwhile trying to break into them. It\u2019s something that is reflected in the growth in threats directed at IoT devices. According to the F-Secure report, IoT threats went from one every few years in the early part of this century, to five in 2016 and 2017, and 19 in 2018. The rapid rise is also a reflection of the poor security of IoT systems:<\/p>\n

thanks to the security problems commonly found in these devices, they present attackers with low hanging fruit to pick. According to F-Secure Labs, threats targeting weak\/default credentials, unpatched vulnerabilities, or both, made up 87% of observed threats.<\/p><\/blockquote>\n

One popular tool for attacking IoT systems is\u00a0Mirai<\/a>. Originally, it would scan the Internet looking for exposed IoT systems. It would then try some 60 combinations of credentials in an attempt to gain control of anything it found. The open source nature of the code meant that people could and did build on the original malware, and increase its power. Within three months of the code\u2019s release, the number of credentials it used had climbed to 500.<\/p>\n

As the F-Secure report details, more recently there have been significant developments in IoT malware. For example, IoT_Reaper moved on from simply applying hard-coded passwords in the hope that they would unlock a system. Instead, it tries using 10 known vulnerabilities in HTTP control interfaces, most of them in publicly-facing IP and CCTV cameras, both of which have become common. Clearly the ability to access and control these cameras means that the privacy of people risks being seriously compromised. By contrast, the Hide N Seek malware, which builds on IoT_Reaper\u2019s methods, prefers to install cryptominers, which generate virtual currency. Although the damage might seem indirect in this case, it\u2019s important to remember that the devices are still under the control of criminals, and therefore pose a risk to privacy.<\/p>\n

In 2018, VPNFilter appeared, which F-Secure speculates may have been developed by Russian-backed actors to attack Ukraine. As well as targeting Supervisory Control and Data Acquisition (SCADA<\/a>) systems used in manufacturing and the maintenance of infrastructure, VPNFilter also attacks domestic routers:<\/p>\n

At this point, the most vulnerable device in the home may be the one that connects most of the other devices to the internet. More than 8 out of 10 home and office routers were vulnerable to hacking, according to a 2018 study by the American Consumer Institute. This included five of the six major brands. It\u2019s entirely possible that a router might have been hacked without the user even knowing it. With a technique called DNS hijacking, hackers can redirect traffic to a phishing website, where consumers may offer up a credit card number or login credentials.<\/p><\/blockquote>\n

A more general problem is that once an attacker is inside a home network, whether through vulnerabilities in a router or a camera, for example, it is possible that other IoT devices on it will be open to attack. Sometimes devices are abused not by external actors that have by-passed security measures, but by the very people who installed them. For example, the F-Secure report mentions how IoT devices are increasingly being used against victims of domestic abuse. The New York Times\u00a0reported on this worrying trend last year<\/a>, noting that \u201cAbusers \u2013 using apps on their smartphones, which are connected to the internet-enabled devices \u2013 would remotely control everyday objects in the home, sometimes to watch and listen, other times to scare or show power. Even after a partner had left the home, the devices often stayed and continued to be used to intimidate and confuse.\u201d<\/p>\n

Even though poor security and abuse of IoT systems are a serious and growing problem, legal remedies are slow in coming. One of the most forward-looking moves comes from the UK government. Last October it released a\u00a0Code of Practice for consumer IoT security<\/a>, which contains a number of important ideas, notably that the security of personal data should be protected. But the Code of Practice is purely voluntary, which means that its impact will be limited.<\/p>\n

Existing legislation may provide a more effective way of tackling IoT\u2019s threat to privacy. As readers of this blog know,\u00a0the EU\u2019s GDPR law<\/a>\u00a0is proving to be a powerful weapon for defending personal data and tackling abuses. It may be that the GDPR can be used to curb some of the worst problems of IoT systems, at least in Europe.<\/p>\n

Serious fines are available to the authorities under the GDPR \u2013 up to 4% of a company\u2019s global turnover, wherever it may be located. That means that the security of IoT devices will probably improve in order to avoid liability under the GDPR \u2013 at least those from the mainstream manufacturers. Outfits producing cheap devices, for example in China, may be less worried by the threat of EU fines. Since it hardly makes sense to improve the design of a device for just one region, the hope has to be that pressure from the GDPR will cause the more responsible IoT manufacturers to pay more attention to privacy wherever they sell their products.<\/p>\n

Featured image by\u00a0F-Secure<\/a>.<\/p>\n

This column first appeared in Privacy News Online.<\/p>\n","protected":false},"excerpt":{"rendered":"

The Internet of Things (IoT) is increasingly part of our everyday lives, with so-called “smart” devices. But for all their undoubted technical merits, they also represent a growing threat to privacy. There are several aspects to the problem. One is that devices may be monitoring what people say and do directly. Another is the leakage of sensitive information from the data streams of IoT devices. Finally, there is the problem summed up by what is called by some “Hyppönen’s law“: “Whenever an appliance is described as being ‘smart’, it’s vulnerable”.<\/p>\n","protected":false},"author":542,"featured_media":2594,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[195],"tags":[93],"ppma_author":[3202],"class_list":["post-1667","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-iot","tag-internet-of-things"],"authors":[{"term_id":3202,"user_id":542,"is_guest":0,"slug":"glyn-moody","display_name":"Glyn Moody","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=mm&r=g","user_url":"","last_name":"Moody","first_name":"Glyn","job_title":"","description":"Glyn Moody is a Freelance Journalist, Author, and Speaker. His book, "Rebel Code," is the first and only detailed history of the rise of open source, while his subsequent work, "The Digital Code of Life," explores bioinformatics - the intersection of computing with genomics. He is a contributor to Ars Technica UK, Techdirt, The Guardian, The Daily Telegraph, The Financial Times, The Economist, Wired, New Scientist, and numerous computing titles. He has written over 1500 articles for Techdirt, and over 400 for Ars Technica UK, and 427 columns in the Computer Weekly.\n\n "}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1667","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/542"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=1667"}],"version-history":[{"count":5,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1667\/revisions"}],"predecessor-version":[{"id":28231,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1667\/revisions\/28231"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/2594"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=1667"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=1667"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=1667"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=1667"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}