Danger from an iron: how the smart home can become a problem for the owner
Threats from the development of the Internet of Things and modern approaches to cyber security discussed in Moscow
Positive Hack Days, a key cyber security event organized by Positive Technologies, was held on 23-24 May in Moscow. About 5,000 experts took part. They discussed the major trends and challenges of data protection. This year analysts named the development of the Internet of Things (IoT) as one of the main problems. A correspondent of Realnoe Vremya attended the event.
Analysts predict that by 2025 the main users of the World Wide Web will be not people but smart devices: for example, smart TVs and multicookers with Wi-Fi control, surveillance cameras and smart home components. The experts of Positive Technologies have compiled a top 5 of the internet-connected devices most dangerous to the user.
First and foremost is the heart of the entire home network: the Wi-Fi or 3G-4G router. The experts find up to 10 vulnerabilities a month in these devices. Developers, in turn, are in no hurry to eliminate them: in the pursuit of cheap devices the router firmware may not be updated, and manufacturers save on testing and security.
However, the most vulnerable element of the router remains the user. As the experts of Positive Technologies have found, 15 out of 100 devices have passwords that were never changed from the factory ones. So anyone can get into the device's ''brain'' and program it to perform any action.
Surveillance cameras are no less vulnerable. These devices jeopardise businesses to a greater extent. About 90% of devices used by small and medium enterprises have critical vulnerabilities. A hacker can get access to cameras and watch offices almost without any effort.
Navigation and wireless control have also proved to be a good target for hackers. To demonstrate this, the experts of Positive Technologies decided to play magicians: they set the clocks on the cell phones right in the pockets of the audience and set fake GPS coordinates, confusing phone navigation. While today navigator failures, by and large, threaten only unmanned aerial vehicles, for unmanned vehicles a hacker can cause a lot of trouble. Resetting the time and date invalidates the security certificates of websites, opening opportunities for cyber attacks.
Continuing the tricks, the security experts intercepted the signal of a wireless keyboard. Earlier, hackers used keyloggers that recorded all keystrokes and sent them to their owner. With the development of wireless keyboards this can be done by an operator sitting at a distance of up to several hundred meters. Besides, the low cost of the equipment, about 300 roubles, threatens mass spying.
''Generals always prepare for the next war. The Internet of Things is only a consequence of the problem. The main problem is technological debts accrued by IT companies. The first victim of the race for the price is security; companies sacrifice it in the attempt to create a competitive price,'' says QRator Labs chief engineer Artem Gavrichenkov.
The experts intend to patch the hole in security starting with ''the head''. No measure will save users if they do not change the router password and do not stop clicking on suspicious links. Besides, experts say, the state should develop certification standards for devices on sale, which would include requirements for the necessary level of security.
WannaCry: how many times people have been warned
A presentation with this title was given by Alexey Novikov, head of the cybercrime investigation department at Positive Technologies. The crypto ransomware WannaCry is just one in a list of hundreds of such programs known to humankind. A virus that encrypts data or displays unremovable banners on the screen demanding money for ''treatment'' of the computer is almost the same age as the Internet.
WannaCry became known only because of its wide geographical coverage and the scale of the attack. Interestingly, the beneficiaries of the program did not even write it; they just found it on the Internet and spread it. The vulnerability exploited by the virus was known back in March. It affected those users who did not update their computers properly.
''In general, the initial vector of the spread using the vulnerable port on the perimeter is a very simple, very easy way. Nothing prevented the attacker from complicating the exploit and… infecting even those organizations that have the perimeter secured,'' said Alexey Novikov.
For this reason, the expert doubts that the purpose of spreading the ransomware was money. Asked whether it would be difficult for the hacker to cash out the money received, Alexey Novikov suggested that, oddly enough, hardly anyone would do so:
''Honestly, I doubt that the attacker will cash the money. I think the goal was not money, otherwise he would have come up with a more sophisticated mechanism. We have previously observed cases where the attackers used this vulnerability, but their activity was limited to the use of computing capacities of servers. The attackers have earned a lot more than using WannaCry and even withdrew the money. In general, it is possible to monetize, but in the case of WannaCry I doubt it,'' concluded the speaker.
During the forum, the argument ''There is no patch for human negligence'' was voiced repeatedly. Acronis, a company that offers users a cloud-based solution for data protection, set out to refute it. The essence of the solution is that the company's product periodically makes backups, which you can use to restore the data on your computer and smartphone to the state before the moment of infection, even down to the icons on your desktop. In addition, the program includes a feature that detects ransomware at the time of infection and inhibits its spread.
''WannaCry infection statistics have shown that companies themselves neglect the software updates. The extra patch was released back in March. It has been quite some time since March. The companies that suffered were those that did not or did not want to upgrade for some reason… The main problem is particularly the mindset, in responding to the news, leaks, trends in the organization of internal IT services and information security,'' said Yuliya Omelyanenko, manager of the standardization and risk management division at Acronis.
Experts call social engineering one of the main tools for spreading malicious software in general. It is the use of standard patterns of human behaviour, with the help of which criminals convince the user to voluntarily download malware to the computer. How many times in the last month have you received an e-mail in which a fake grandmother left you an inheritance of one million dollars that you can receive by clicking a link? Or tried to download a book ''free of charge, without registration and SMS'' from a suspicious website? Or received an SMS offering to show you your photos through a suspicious link?
It is possible to fight social engineering by increasing the technical literacy of staff, Yuliya Omelyanenko believes:
''A person who is less technically savvy will be the target for attacks.''
While the speakers were talking about cyber security, a real battle for the city was under way in a separate room between representatives of the hacker elite and IT security services. The hackers were given a cardboard and plastic settlement with hundreds of virtual residents, vehicles, factories, traffic lights, a shopping centre, a power plant, banks and railways. The city was managed by the same systems that can be found in a big city; the physical model was needed only for illustrative purposes.
The hackers' goal was to earn as much play money as possible. For example, one of the teams intercepted an SMS of the city's mayor that contained incriminating evidence, and as a result earned 150,000 ''publes''. The team Hack.ERS stole money from users of SIP telephony: having hacked accounts, the hackers gained money through paid calls to short numbers.
The ''attackers'' managed to stop the power plant and refineries. Having hacked the corporate network, the hackers discovered the controllers that the organization uses and stopped the work of the enterprises. The fault lay with the negligence of the organization's managers, which had been discussed at the meeting on IoT: the Wi-Fi router was protected by a default password that the administrators had not changed. The vulnerability, which a sysadmin could have eliminated in a minute, brought down the whole industrial complex. The hackers shut off the power supply to the CHP plant; it ceased to supply steam to the refinery, which therefore also stopped.
Under cover of night, the hackers committed a grand theft: they stole nearly 4 million ''publes'' from the bank. They stole user data, which allowed them to crack the remote banking system. Another team of hackers used compromised bank card data, withdrawing 10 ''publes'' from each card. In reality, such an attack would go unnoticed but would still bring the attackers income. The large theft, in turn, led to an economic crisis, forcing the organizers of the contest to issue additional ''publes''.
The PHDays organizers made the caveat that the model of the city represents an ideal system for hackers. In reality, attackers have fewer resources and security specialists have more opportunities. However, such a model was enough to make it clear: a modern hacker can cause a lot of trouble by cracking the banking system, de-energizing an entire city or creating chaos in transport.
The Internet of Things also creates a new threat, in which the smart home can turn against its master. Look around you: perhaps your fridge and your coffeemaker are already plotting a conspiracy against you?