Cyber Security Hub takes a deep dive into smart devices and whether they can hold up against cyber attacks targeting them.
In December 2022, Cyber Security Hub asked a range of experts to predict what threats would dominate the cyber security threat landscape in 2023. Tina Grant, quality assessor at UK-based aerospace company Aeorspheres, predicted that cyber attacks targeting smart devices would rise.
As artificial intelligence (AI) and machine learning (ML) have developed, the technologies have been integrated more fully into smart devices, from lightbulbs and speakers to cars and doorbells. With a predicted 75.4 billion Internet of Things connected devices installed worldwide by 2025, it is no surprise that cyber attacks targeting smart devices are predicted to increase throughout 2023.
This article will explore the ways in which malicious actors can target smart devices and how companies are attempting to fight against them.
Smart speakers can be used as wiretaps
In December 2022, cyber security blogger Matt Kune was awarded US$107,500 from Google after discovering and reporting a bug that meant Google Home smart speakers could be essentially turned into wiretap devices.
Using a Google Home mini, Kune discovered that any attacker close enough to wirelessly connect to a Google Home speaker could “install a ‘backdoor’ account on the device, enabling them to send commands to it remotely over the Internet, access its microphone feed, and make arbitrary HTTP requests within the victim’s LAN (which could potentially expose the Wi-Fi password or provide the attacker direct access to the victim’s other devices)”.
Using the ‘routines’ feature in the Google Home app, Kune was able to set up malicious routines, including calling any device linked to the Google Home account (e.g. a potential victim’s mobile phone) at specified times. Once the phone call was accepted, Kune was able to listen to himself speaking via the Google Home microphone.
While Kune said this was “pretty cool” in isolation and when he was doing it to himself, he noted that malicious parties could use this vulnerability to spy on victims if they gained access to their Google Home network. He suggested that they may be able to do this if victims were targeted with a social engineering attack that prompted them to download a malicious app, which would allow hackers to link their device with the victim’s Google Home.
Next, Kune tested whether hackers could gain access to a victim’s Google Home network without the need for a social engineering attack. To do so, he attempted to force the smart speaker to disconnect from the Wi-Fi network by “launch[ing] a deauth[entication] attack” against the router. A deauth attack abuses the deauthentication frames of a device, which are not encrypted; by targeting these frames, attackers can force the device to disconnect from its Wi-Fi network.
After forcing the smart speaker to disconnect from the Wi-Fi router, Kune discovered that the speaker immediately created its own separate network.
“I connected to the network and used netstat to get the router’s IP (the router being the Google Home) and saw that it assigned itself the IP 192.168.255.249. I issued a local API request to see if it would work. I was shocked to see that it did! With this information, it’s possible to link an account to the device and remotely control it,” Kune explained.
Google has since fixed these issues; however, the potential ramifications of unsecured smart devices should not be dismissed.
Targeting smart speakers connected to smart networks
Once an attacker has access to a victim’s smart speaker, depending on how many other smart devices the victim has connected to their network, malicious parties can set up any number of disruptive routines, including calling the victim’s or other household members’ mobile phones, loudly playing music or even disrupting other smart devices such as TVs or lights.
If a victim has further smart technology integrated into their home such as a smart climate control system or thermostat, smart home security system or smart cameras, this could allow hackers to lock or unlock doors and windows, severely heat or cool their home or even film and/or broadcast footage of them within their home.
An example of this was seen in 2019 in the US state of Wisconsin when hackers gained access to and took over a Milwaukee couple’s smart home via their Google Nest account. Samantha Westmoreland discovered that the system had been hacked after her smart thermostat was used to turn the home’s temperature up to 90 degrees Fahrenheit (32 degrees Celsius) and “vulgar” music was played through a smart speaker. Westmoreland also reported that a voice began speaking to her and her husband through the Nest security camera that was installed in their kitchen.
Google said that the hack was the result of Westmoreland using a password for the Google Nest account that had been compromised in a data breach, allowing hackers access to any number of accounts also using the same credentials. The company recommended that those with smart home capabilities use Google’s “additional tools and automatic security protections such as Suspicious activity detection, 2-Step Verification and Security Checkup” to prevent attacks such as these.
Westmoreland was deeply affected by the attack, noting that the smart home system had been bought to make her house feel more secure, and instead she “didn’t feel safe”.
While the smart device attack against the Westmorelands appears to be an untargeted attack, it should be noted that malicious parties can use cyber attacks to gain access to smart device networks to target specific victims.
UK-based domestic abuse organization Refuge notes that smart devices can be used by abusers to cause distress to their victims. With 48 percent of those surveyed by Refuge unable to name a single device that could be vulnerable to hacking, the need for education around securing home networks is clear.
Smart doorbells can be used to spy on victims
In December 2022, two men were charged with participating in a swatting spree after they allegedly hacked into the smart doorbells of dozens of people.
The pair, James Thomas Andrew McCarty and Kya Christian Nelson, who went by the aliases Aspertaine and ChumLul, respectively, were accused of stealing the login credentials to victims’ smart doorbells to access the doorbells’ video recording capability, then using it to stream footage of the victims getting swatted.
According to the Department of Justice (DoJ) for the Central District of California, the pair allegedly acquired login credentials of Yahoo email accounts belonging to victims across the US, then used the credentials to find out if the owners of said accounts had a Ring doorbell. They then allegedly used the same login credentials to attempt to log in to the victims’ Ring accounts, using the video monitoring feature to gain further information about their victims and to stream footage of the victims’ houses being raided by SWAT teams in response to their false reports.
The DoJ gave an example of a swatting attack allegedly carried out by the pair, stating: “On November 8, 2020, Nelson and an accomplice accessed without authorization Yahoo and Ring accounts belonging to a victim in West Covina. A hoax telephone call was placed to the West Covina Police Department purporting to originate from the victim’s residence and posing as a minor child reporting her parents drinking and shooting guns inside the residence of the victim’s parents.
“Nelson allegedly accessed without authorization a Ring doorbell camera, located at the residence of the victim’s parents and linked to the victim’s Ring account, and used it to verbally threaten and taunt West Covina Police officers who responded to the reported incident.”
The spree of attacks even prompted the FBI to issue a warning to those with Ring doorbells, urging them to “practice good cyber hygiene by ensuring they have strong, complex passwords or passphrases for their online accounts, and should not duplicate the use of passwords between different online accounts”, and to reset their passwords frequently.
Owner of the Ring company, Amazon, took immediate steps to protect customers once news of the hacking and attacks broke. To combat the attacks, Amazon made two-step verification mandatory and now conducts regular scans for Ring passwords compromised in non-Ring data breaches as well as investing in cyber security solutions to harden its own defenses against attacks.
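The breached-password screening described above (and the password reuse behind the Nest incident) can be sketched as follows. This is an added example, not Amazon's, Ring's or Google's code: the breach corpus, the function names and the response policy are all assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus standing in for passwords seen in third-party breaches.
BREACHED_PASSWORDS = ["Summer2019!", "password123", "qwerty"]

def sha1_hex(password: str) -> str:
    # Breach corpora are commonly distributed as unsalted SHA-1 digests.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(passwords, prefix_len=5):
    """Bucket breach digests by prefix so a lookup only has to reveal the prefix."""
    index = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:prefix_len]].add(digest[prefix_len:])
    return index

def is_breached(password, index, prefix_len=5):
    """True if the password's digest appears in the breach corpus."""
    digest = sha1_hex(password)
    return digest[prefix_len:] in index.get(digest[:prefix_len], set())

def screen_login(account, password, index):
    """Run after a successful password check, the one moment the service
    holds the plaintext (stored password hashes are salted and cannot be
    compared with a breach list directly)."""
    if not is_breached(password, index):
        return "allow"
    if account["two_step_enabled"]:
        # The second factor still blocks a stuffing attempt; ask for a change.
        return "allow_and_prompt_password_change"
    # A reused, breached password with no second factor is the exact
    # condition exploited in the Nest and Ring incidents.
    return "force_reset"

if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    print(screen_login({"two_step_enabled": False}, "qwerty", idx))
```
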
What is swatting?
“Swatting” refers to the practice of malicious actors making false reports of extreme violence, kidnapping or terrorism to the police and giving them the victim’s address with the sole purpose of sending armed officers to their home. These attacks can have devastating consequences.
In 2017, Andrew Finch of Kansas, US was fatally shot by a police officer during a swatting attack after it was claimed that Finch was armed and dangerous.
Finch was an unintended victim of the attack, which was instigated by online gamer Casey Viner. The swatting’s target was intended to be fellow gamer Shane Gaskill, as the pair had argued over a $1.50 bet on a Call of Duty: WWII game which culminated in Viner threatening to swat Gaskill. Gaskill, however, gave him a false address, which actually belonged to Andrew Finch and his family.
Viner hired serial swatter Tyler Raj Barriss to carry out the attack. Barriss called Wichita police, posing as a man named Brian, and claimed that he had shot his father, was currently holding the remaining members of his family hostage and was preparing to self-immolate. When police arrived at the address supplied by Barriss, Finch exited the house to investigate why they were there and was shot by an officer. He later died in hospital. Finch had no relation to Viner or Gaskill, or Call of Duty: WWII.
Barriss was arrested in connection with the crime and later pleaded guilty to involuntary manslaughter. He was sentenced to 20 years’ imprisonment. Viner was jailed for 15 months and banned from playing video games for two years.
Smart cars can be hacked into and remotely controlled
In her prediction, Grant forecast that cyber attacks targeting smart devices will predominantly affect autonomous devices with multiple points of attack, for example smart cars.
Grant said: “Today’s automobiles come equipped with automatic features including airbags, power steering, motor timing, door locks, and adaptive cruise control aid systems. These vehicles use Bluetooth and Wi-Fi to connect, which exposes them to a number of security flaws or hacking threats.
“With more autonomous vehicles on the road in 2023, it is anticipated that attempts to take control of them or listen in on conversations will increase. Automated or self-driving cars employ an even more complicated process that demands stringent cybersecurity precautions,” she explains.
The dangers of this have already been explored by David Colombo, a cyber security researcher and founder of cyber security software company Colombo Tech.
So, I now have full remote control of over 20 Tesla’s in 10 countries and there seems to be no way to find the owners and report it to them…
— David Colombo (@david_colombo_) January 10, 2022
In a series of tweets in January 2022, Colombo explained that he had hacked into and gained remote access to “over 20 Tesla’s [sic] in 10 countries”, allowing him to “remotely run commands on 25+ Tesla’s [sic] in 13 countries without the owners’ knowledge”. While Colombo did not have “full remote control” – meaning he could not remotely control steering, acceleration or braking – he noted that even some remote-control access was dangerous.
To demonstrate this, Colombo joked about using his newfound abilities to prank the affected Tesla owners by playing Rick Astley’s ‘Never Gonna Give You Up’ through their speakers. He then acknowledged that while this may seem innocuous, the ability to remotely play loud music, open windows or doors or flash a car’s headlights repeatedly could put not only the driver’s but other motorists’ lives in danger, especially if the car was driving at speed or in a busy area.
Distracted driving can have fatal consequences: the US Department of Transportation found that in 2019, over 3,100 people were killed and about 424,000 were injured in crashes involving a distracted driver. One in five of those killed by distracted drivers were not in a vehicle themselves, being pedestrians, cyclists or otherwise outside a vehicle.
After Colombo alerted Tesla to the vulnerability, the company investigated the issue, then notified him that it had immediately revoked the access tokens and notified the owners of the issue.
Smart device producers should learn from past vulnerabilities
Smart devices are targets for hackers because of their ability to wreak havoc if they are compromised. If someone has multiple, interconnected smart devices, this not only opens up more points of attack for hackers to target, but also means that hackers can gain access to all their smart devices if one is compromised.
While companies work rapidly to patch and rectify any vulnerabilities they are alerted to, the fact remains that it may not always be white hat hackers that discover these vulnerabilities. In the case of Ring doorbells, multiple people had already been terrorized by the time Amazon became aware of the issue.
Relying on ethical hackers to discover issues, or rapidly addressing security flaws only after black hat hackers have found them, is not good enough, either as a threat defense security strategy or as a way of keeping those who own smart devices safe.
While smart devices may always be an attractive target to hackers, the companies that make them should put vulnerabilities that have been exploited in the past at the forefront of their software design, to ensure devices are as secure as possible before they are released to the public. These vulnerabilities may not always be detectable in advance, but if it becomes apparent that they can be exploited by malicious actors, companies should work as rapidly as others have in the past to solve these issues before too much damage is done.