Computer, phoneswebcams, routers Wifiheadphones Bluetooth. THE smart devices They are so naturalized in our daily life that it is difficult for us to imagine life without them. Yet these can represent a problem for the security of our personal data.
The thing with hyperconnectivity is that while it solves many of our tasks, it also expands what is called attack surface: The amount of digital “space” criminals have to commit a cybercrime.
According to the latest IoT Analytics report from Palo Alto Networks, the number of artifacts from Internet of Things (IoT) connected reached 12.3 billion last year and is expected to exceed that 27 billion connections by 2025.
This trend continues to steadily increase: “By 2023, we will see an increase in the coordinated activity of physical and computing environments targeting critical infrastructure. In the private sector, the security of users’ physical devices against coordinated attacks leveraging Internet of Things (IoT) and OT (operational technology) systems will be a key concern.
“IoT connectivity has become one of the most used tools today: they already represent more than 50% connected devices to the Internet all over the world. But this comes with risks and some threats that can damage not only our equipment, but ours as well intimacy”, says Arturo Torres, threat intelligence strategist for Fortinet’s FortiGuard Labs in Latin America and the Caribbean.
In this sense, there are a series of measures and practices that can pose a threat to users: from granting permission to applications thirdconnect via bluetooth or to an unsafe WiFi network, even dangerous webcams and “clouds”, these are the risks various experts warn against.
“Third-party” app permissions.
Third-party permissions come into play when we authorize to an application to use our data that may be sensitive, such as our address book, camera or location.
“Most IoT devices require the end user to download and install an application on their mobile phone for control. Many of these applications require useless permissions due to the nature of the device in question,” Emmanuel Di Battista, a security analyst, explained to Clarín.
Let’s take an example: smart lamps that are regulated with an app. These are connected to the WiFi of the house. “It is common for them to request the user’s location, when, logically, the user cannot be in another location that is not close to the device; or the request for access to the mobile camera -with the idea of ”scanning” the QR codes in the lamp box-, or even to send notifications”, he develops.
This is potentially dangerous and, in most cases, unnecessary. “Most users blindly agree to grant all requested permissions in perpetuity. Many of these platforms also require the user to sign up to ‘register’ their devices, providing even more personal information,” he adds.
In this case it is better to deny all permissions that are not strictly necessary.
Bluetooth: the risks
“Bluetooth has historically been one of the protocols with the highest adoption but also with more vulnerabilities. Taking into account that it is a protocol used by a large number of devices (smart and not), these failures tend to compromise many manufacturers and models of the most varied devices”, analyzes the expert.
There is also a known vulnerability from 2017: “It is about bluebornea type of attack that chains 8 bluetooth protocol vulnerabilities in order to execute arbitrary instructions on the victim’s device without the latter having any interaction in the process (so-called zero-click),” he comments. Carrying out an arbitrary instruction implies that a hacker can take control of our device.
“This attack – as expected – affected different operating systems and devices in the same way. Among these affected devices were the most popular digital assistants of the moment: Google Home and Amazon Alexa. By abusing this vulnerability, an attacker could send arbitrary commands to these devices,” she concludes.
Therefore, seemingly innocent devices that connect via Bluetooth, such as home assistants, can be a weapon for cybercriminals.
Webcams, a very coveted target
THE webcams They can be an attack target. In this case, the invasion of privacy can be huge if a hacker manages to access it remotely. Considering that they are not only found in computers, but also in building entrances, homes and even private domestic environments, it is a gadget that can become against the user with relative ease.
“It is recommended to buy recognized brandsbecause these brands generally have some type of process for vulnerabilities, failures, ongoing updates that can help you avoid some type of information theft or attack,” warns Torres of FortiGuard Labs.
It also insists on Passwords, in this case, of systems in which we will install or use a webcam integrated into the equipment. “It is always recommended that these devices have strong passwords, as if we have them by default, anyone can access them.”
WiFi networks
One of the biggest problems has to do with the connections to public Wi-Fi networks. These pose a risk as it is not possible to be sure that the connection between the device and the modem is secure.
It’s very common to go to a coffee shop and plug in your computer or phone. Or even in co-working spaces like WeWork.
However, it should be noted that it is not safe to connect to any available network, and you should be careful if you do.
insecure clouds
The so-called “cloud”, i.e. the use of computational resources of other companies such as AWS, Azure and Oracle, implies an implicit trust in the systems of these companies.
However, they might have a security hole as well vulnerability.
In this sense, it is advisable to use the best known ones to make sure they have infrastructures behind them and, above all, good ones backups of the information we upload. The following problem is related to this point.
Databases exposed or unprotected
“Many smart devices use data storage in the cloud that do not respect the best security and privacy practices, exposing their users’ information publicly many times”, warns Di Battista.
Obviously, depending on each device, the potentially leaked information is different: it always depends on what accesses the device has.
“Depending on the nature of the artifact, the information that can be leaked varies: the position user physique, keys used on the service platform or even device usage data such as recordings audio and/or video,” he explains.
In 2019, he says, 2 billion records from the Chinese company Orvibo They were discovered in an insecure database and publicly exposed to the internet. “These records contained user passwords, password change confirmation codes (tokens) and even smart camera recordings.”
All IoT devices are subject to database exposure – the more online technology used, the larger the attack surface.
Corporate responsibility
Finally, it is worth reviewing the liability of companies that produce smart devices.
“Companies have an obligation comply with the laws of each country in which they operate that have to do with the protection of the data of its citizens, who will be users of these services”, explains Carolina Martínez Elebi, Communication graduate from the University of Buenos Aires and founder of DHyTechno .
“The protection of privacy also passes through the information security that guide This, as we have seen in recent years, is increasingly being violated even in large companies that one would expect from a more robust development of cyber security”, critical.
In this sense, Elebi distinguishes between infringement due to negligence and the design of products and apps: “Some are violated due to negligence of the person who administers and manages the archived data. In other cases, user privacy it is not directly respected because this invasion of privacy is part of the business model itself, and if they find a way to overcome the legal barriers, they will.”
In this scenario, the expert recommends having digital hygiene when using these devices and most importantly, configure them. Even if, from now on, the user has more to lose: “In principle, before buying a new electronic device or using a new service, it is important to think that for everything we use, we will have to accept the conditions that the companies that provide that gadget or that service that we will use. There is very little leeway that we have as users to decide what these conditions will be like”, he reflects.
“Some apps ask us to give them permission to access the camera, microphone, address book, location, among other things, and this is not always something you need to work with. So, do we want to grant permissions and access to our entire phone just to play for a few minutes? Many people think so without analyzing what this impliesand that is what the Cambridge Analytica company took advantage of when it wanted to collect user data on Facebook for political campaigns in various countries,” he concludes, in line with the warnings of cybersecurity experts.
As for the technician, Torres closes with 2 pieces of advice: “It is always advisable to have all the IoT devices inside a completely isolated network to the operation or even to the guests, so that only they can live there, separated, and in case of any data breach [filtración]that nothing could get out of control.”
“The other point is to always keep these devices updated: you need to have some kind of strategy where the same supplier or manufacturer has the possibility to update them, send some kind of report or worst case notify you if there has been a data breach”, concludes Torres.
Source: Clarin
Linda Price is a tech expert at News Rebeat. With a deep understanding of the latest developments in the world of technology and a passion for innovation, Linda provides insightful and informative coverage of the cutting-edge advancements shaping our world.