Security researchers at Kaspersky have decided to take a look at IoT devices and their lack of security measures. The results of their experiment, once again, confirm that Internet of Things devices still lack adequate security measures even today, after so many years during which many cybersecurity vendors complain about their vulnerabilities.
In their most recent experiment, Kaspersky selected four random IoT devices, which they carefully analyzed for any security vulnerabilities. The results are a bit alarming given that all the flaws can be linked together and provide criminals with an attack scenario that they can follow and gain access to so-called "smart-homes".
Google Chromecast (USB TV dongle for streaming video)
The first step for such attacks can occur when using the famous "rickrolling" vulnerability in devices of the Google Chromecast which allows attackers to influence the content presented on a smart TV.
This can be useful for displaying error messages that trick the user into believing that they need to change their password. Wi-Fi or reset the local wireless router to factory default settings, which can be easily exploited by attackers.
Smart coffee maker (controlled via a smartphone app)
Kaspersky researchers also identified a smart cafe that can expose the user's Wi-Fi password.
Kaspersky declined to name the make and model of the coffee machine, as the vulnerability has not yet been patched.
As you can imagine, a target's Wi-Fi password can give criminals access to all of a person's IoT devices, since they all work and use the network Wi-Fi of the house.
IP camera (used in baby cameras and monitors)
In the Kaspersky scenario, by exploiting the access that the coffee machine gave the attackers, exposing the password of the Wi-Fi, they can then spy on the homeowners and see when they leave their house.
Criminals can do this by connecting to the local camera IP, if available, but also to baby monitoring devices.
Home security systems
Once criminals learn that the homeowner is not at home, they can exploit a fourth security issue discovered by Kaspersky staff in an anonymous home security system.
While the researchers were pleased to find that the home security system was very well protected against software attacks, they could not say the same for the hardware.
Obviously, there is a way to fool the two sensors, contact and motion, used by the system. The researchers found that by using a very powerful magnet, intruders could open doors and windows without triggering the alarm.
Moreover, since motion detection sensors only work with "hot" objects, putting on some clothes that hid the body heat of the criminal was enough to make the sensors go silent.
All we need now are criminals who know what to look for.
