Do your digital due diligence
How can companies protect themselves from digital attacks? Cybersecurity consultant Vishvas Nayi of CyberQ Group lifts the lid on the murky world of hacking.
How exactly can you get hacked by smart devices? Here is what happens in practical terms:
There are multiple ways someone can get hacked by/through a smart device. With the increasing popularity of smart devices leading to the Internet of Things (IoT), the surface of attack is growing every day. Another thing to note is that, unlike computers and phones which have had a heavy focus from the cybersecurity industry, IoT has not had the same scrutiny and testing.
How can companies protect themselves from digital attacks? Cybersecurity consultant Vishvas Nayi of CyberQ Group lifts the lid on the murky world of hacking.
How exactly can you get hacked by smart devices? Here is what happens in practical terms:
There are multiple ways someone can get hacked by/through a smart device. With the increasing popularity of smart devices leading to the Internet of Things (IoT), the surface of attack is growing every day. Another thing to note is that, unlike computers and phones which have had a heavy focus from the cybersecurity industry, IoT has not had the same scrutiny and testing.
There also doesn’t seem to be a standardised process followed by the industry when designing and manufacturing new IoT devices, so each one is either completely different or a company will reuse parts between the smart devices they sell. This means if you can get into one device, then the chances are high that you will be able to get into any other device which uses the same building blocks.
From an attacker’s point of view, here’s how an attack would occur
1. They notice that the organisation or the person they are targeting is using a particular smart device (smartwatch, TV, home system, car, a voice-enabled personal assistant such as Amazon’s Alexa or Google’s Google Assistant).
2. They do some research online to see how the device is built, both regarding hardware and software. Then they see if the hardware or software in the smart device has vulnerabilities which are already public knowledge.
Most IoT devices use software/firmware which is very old and has no way of self-updating for the latest security patches, so attackers can use vulnerabilities that are months or even years old to target them.
If the hacker is skilled in programming and has a good understanding of the underlying architecture of the device, then they can write their own exploit (a method to gain access) and attack the device.
Most attacks rely on publicly known exploits which are shared/sold on forums and the darknet.
3. They exploit the vulnerability and reset the device to settings which will allow them to have access at all times from that point onwards. It should be noted that most attacks use an IoT device as a gateway into an organisation or someone’s home.
4. They use the smart device to scan for any other connected devices, which will probably be on the same network – such as routers, computers, laptops and phones.
5. They will “hop” from the smart device to another
device and extract sensitive information from a computer or infect a laptop or phone with malware, which will then spread to any other network or connected devices.
6. Hackers usually wait months – until they have infected hundreds or thousands of devices – before actually doing any of the bad things like locking down systems using ransomware, or using the affected devices to launch distributed denial of service (DDoS) attacks.
How can companies try to prevent this happening?
Businesses can take a few simple precautions to reduce the surface of attack to smart devices:
Change the default password on the device.
Check and update it regularly. Buy devices from trusted manufacturers with a good reputation that have this feature, because many do not.
Check the firmware used on the device and find out if there have been any exploits available for it. If it is out there, it is probably being used by hackers.
Put smart devices on a separate network, if possible.
Get a cybersecurity professional to test the device or the network where the devices will be located.
Five ways to protect against cybercrime
1) Use strong passwords or passphrases
Do not reuse your password on devices and websites that you use.
People reusing passwords is one of the biggest weaknesses hackers target. If you don’t want to use a password manager, then move away from passwords to passphrases. They are longer in characters (the longer they are, the harder they are to crack), and can be a sentence from your favourite book, or whatever you fancy.
This way you can have a sentence associated for each of your sites, and will not fall into the habit of either reusing passwords or setting up ones which follow a pattern an attacker can figure out quickly.
The top 10 passwords have changed around in ranking positions but have still been the top 10 for several years. The general public knows about this issue but turns a blind eye to it. On one of our recent client engagements, we were able to crack over 60% of around 4,000 staff passwords within minutes.
Some common passwords of 2018:
Password
111111
Qwerty
Sunshine
iloveyou
2) Tidy up your social media and information sharing
Lock down social media accounts – go through your friends list and delete anyone you do not know or have much interaction with.
Make sure what you share is seen by friends only and is not public information if it is something sensitive. The less you share publicly, the better. Attackers can get a lot of information about you if you do not lock accounts down.
3) Stay updated
Operating system providers such as Microsoft, Google and Apple regularly push out security enhancements and patches to their products. Keeping your devices updated is the easiest and quickest way of increasing personal cyber protection. We all know Windows is more vulnerable to attacks than the Mac operating systems owing to the greater number of Microsoft users and the length of time it has been around. Windows OS does come with Windows Defender, which is not the best anti-virus software. However, it is free and gets regular security updates. Anti-virus software cannot stop all forms of attack, but it will protect you from the vast majority of them.
4) Backup
There is nothing worse than losing your files, photos, music and games when you have either been attacked by ransomware, which has locked your computer and is asking for money to be unlocked, or you lose or break one of your devices or hard drives. The best solution is to do a monthly backup of your core information to an external hard drive (external hard drives are cheap and regularly on sale). If the worst were to happen, you have only lost data since your last backup. Services such as Google Drive can upload to the Cloud daily.
5) Watch your VPN
Far too many people still check their bank accounts, send sensitive information and log into social media over public WiFi at cafes, restaurants and even buses. Hackers can easily create their own WiFi access point and call it “Costa Coffee WiFi” and people will connect to it. The end-user will browse the internet like normal, but the hacker is sitting in between them and the internet, capturing information such as e-mails, passwords and what website you are visiting. A virtual private network (VPN) creates a secure connection between the end device and the internet so even if someone is trying to tap into the user’s data in between, they will not get any useful information out of it.
Top three most dangerous (unexpected) appliances:
Connected cars
Smart watches
TVs
