Smart devices vulnerable to attacks

Cyber criminals can take over any gadget that is able to connect to the Internet - including your smart wristband, your router, and even your smart rice cooker - to launch attacks.

Mr Michael Lee, security evangelist at RSA Asia Pacific & Japan, told The New Paper: "If it can be connected to the Internet, it's a possible candidate to contribute to an attack."

Two such attacks occurred on Saturday and on Monday, taking down the Internet on StarHub's broadband network for about two hours each time.

StarHub said its own customers' machines were used in the distributed denial of service (DDoS) attack.

A DDoS attack uses multiple hacked devices that can connect to the Internet. These devices are then controlled by the hacker to overwhelm a specific server with requests or traffic, such as log-in requests, causing the server to be unreachable or unavailable.

In a reply to TNP's queries, StarHub said that it was unable to confirm the types of devices used in the attacks until their staff visit the affected customers' homes.

However, Internet of Things (IoT) devices played a large role in a recent DDoS attack against United States-based DNS service provider Dyn. (See report above.)

Hackers used Mirai, a malware (short for malicious software) that hijacks Internet-connected video cameras and other IoT devices. Owners who have not changed their devices' default passwords are especially vulnerable.

The attack brought down sites including Twitter, the Guardian, Netflix, Reddit and CNN for about two hours.

Research company Gartner estimated last year that around six billion connected gadgets and appliances will be in use worldwide this year. The number will reach 20.8 billion by 2020.

The lack of security for these devices are a concern among cyber security experts contacted by TNP.

The executive vice-president and managing director for Asia Pacific for Cloud Security Alliance, Mr Aloysius Cheang, did not mince his words when he spoke to TNP about how IoT devices can be hacked.

He said that security for devices such as wristbands, webcams, rice cookers and speakers is "lousy".

"How much information can I squeeze into a Bluetooth speaker? How can I put in a firewall? As long as they have your password, they can control it," he said.

Mr David Maciejak, head of FortiGuard Lion R&D team for Asia Pacific, said IoT manufacturers prefer to compromise security in order to quickly release new products to the market.

And in many cases, the software in these devices cannot be updated to patch flaws.

Mr Maciejak said: "The only way for consumers to tell which IoT devices are more secure is to rely on some sort of trusted third party to evaluate them.

"The consumers cannot tell from the naked eye and it's not reliable to ask the device manufacturers."

BETTER PROTECTION

For better protection, consumers who have such IoT devices should immediately change the default passwords of their gadgets.

Mr Cheang said that it is important to change default passwords because the Mirai malware can quickly and spontaneously take over a smart device if it has a default password.

Most smart devices come with a touchscreen panel that you can change passwords with.

Mr David Freer, vice-president of Intel Security Group, Consumer, Asia Pacific, said: "For baby monitoring cameras or web cameras at home, one has to set proper passwords and avoid using default passwords and settings during installation of home cameras.

"Sync with the manufacturer for the latest patches and maybe even set up cloud storage."

The early adaptors may have to revise their budgets. Experts advised those who have bought smart devices, whose password cannot be changed, to replace them with new devices that have "proper administration and management functions".

leeganjp@sph.com.sg

This article was first published on October 28, 2016.
Get The New Paper for more stories.