Connected devices – just who are you connecting with?

The first robotic vacuums hit the market back in 1996. Since then, their popularity has skyrocketed. There are millions of units in homes and businesses around the globe. Many of the devices tap into the functionality afforded by the Internet of Things (IoT) to enable the robovacs to boast features like scheduling and programming via a smartphone app so they can clean while the user is out, allow the user to view a virtual map to track the bot’s progress, and set up cleaning zones. With that functionality, owners can expect convenient cleaning. What they don’t expect is for the robovac to menace pets and shout racial slurs!

That is precisely what happened recently in the US. A threat actor hacked the system and took remote control of several Ecovacs Deebot X2s, then used the live camera feed and remote control feature to wreak havoc.

The robovac hack was not an isolated incident.

In recent years Ring doorbells and home monitoring systems have been hacked. Threat actors were able to access live feeds from the cameras around owners’ homes and were even able to communicate remotely using the devices’ integrated microphones and speakers to harass the owners.

The vulnerability of wireless security cameras to hacking prompted Australian cyber security firm AUCyber to issue an urgent warning in October 2024 about devices with weak or even default passwords being accessed by Russian hackers and the content being streamed around the world.

Of course, there have been incidents where a connected device has been a life saver – in some incidents, quite literally. There have been several reports of Apple Watches detecting health issues like blood clots and irregular heartbeats, and even calling an ambulance when a wearer fell off a ladder.

90% of Australians use smart devices

Connected smart devices have become ingrained in both personal and professional networks – with ‘smart’ technology used in everything from a smartwatch to a car with embedded sensors, smartphones, smart appliances, smart thermostats, smart fire alarms…the list is endless.

There are more smart devices on Earth than there are people. By 2025, there are expected to be some 75 billion IoT devices active. Statista data reveals the global IoT market is set to grow 64.65% (US$612.5 billion) between 2024 and 2029 to reach US$1.6 trillion.

In Australia, only 10% of households do not have any smart home devices, according to Statista. The research found 84% of homes used smart devices for entertainment (e.g. Bluetooth speakers, smart TVs, streaming devices), 34% used smart appliances (e.g. robot vacuums, smart microwave, fridge), 33% used devices for building safety/security (e.g. connected smoke detectors, cameras), 31% used devices for electricity or lighting (e.g. smart plugs, connected lightbulbs), 23% for energy management (e.g. connected thermostats, temperature sensors), and 23% used smart speakers with an integrated virtual assistant (e.g. Amazon Echo). In 2021, there was an average of 20.5 internet-connected devices per household in Australia. This number is forecast to reach 33.8 by 2025, with the strongest growing segments being smart security, smart outlets, and smart garden devices.

83 million IoT devices at risk of hacking

IoT is the network of intelligent devices which can sense and interact with each other over the internet; the interconnection of everyday objects embedded with technology, such as sensors, software, and processing units, that allow the exchange of data via the internet or other communications networks.

While there are many advantages to interconnected devices – connecting technology, driving business insights, powering innovation, and improving people’s lives – there are also downsides. Chief among these are cybersecurity issues. Like every internet-enabled technology, smart devices are vulnerable to cyberattacks.

According to cybersecurity company Mandiant, at least 83 million IoT devices around the world could be at risk of hacking, potentially enabling threat actors to listen in on private conversations and watch live video streams from devices such as baby monitors and smart cameras.

In most cases, to access the features of the device, users need to hand over their personal data. The problem with this is that many IoT devices are not securely configured by default and, due to their embedded nature, they are not regularly patched. Any network vulnerabilities can be exploited by threat actors and targeted by malware. Cybercriminals could use access to one device to infiltrate other devices that connect to Wi-Fi and steal personal and private information such as credit card data, confidential emails and more.

Devices can be hijacked, steal private data, and be used for spying

Cybersecurity experts have noted that everyday household amenities – like voice-activated home assistants, webcams, smart TVs, smartphones, smart watches, wireless earbuds and other smart home and IoT devices – capture details of people’s activities and share them with data giants like Google, Amazon, Facebook, and TikTok, allowing the online services to create a profile and target users with ads on smartphones, computers and tablets, according to NordVPN.

Cybercriminals can hack almost all devices that have a camera, a microphone or an internet connection. The data collected could be accessed by threat actors and used for fiendish and criminal purposes. For example, there is a risk that personal pictures or information could be exposed or used for extortion.

AUCyber notes cybercriminals are using security cameras to compromise business and personal data, as well as to generally invade a victim’s privacy. The company also warns that compromising a security camera could lead to physical risks to businesses and individuals.

Move over MI6, air fryers are the latest spies

UK consumer watchdog Which? has found evidence of excessive smart device surveillance – from air fryers demanding permission to listen in on conversations and sharing data with TikTok, to TVs wanting to know users’ exact locations at all times.

When it came to air fryers, in addition to wanting to know a user’s precise location, some appliances wanted permission to record audio on the user’s phone. Apps linked to the air fryers were connected to trackers from Facebook, Pangle (the ad network of TikTok for Business), and Chinese tech giant Tencent (depending on the location of the user). Some appliances also wanted to know gender and date of birth when setting up an owner account, and some sent people’s personal data to servers in China.

Which? also found that smartwatches required privacy consent to work properly and some requested ‘risky’ phone permissions. Risky is defined as giving invasive access to parts of someone’s phone such as precise location, ability to record audio, access to stored files or an ability to see all other apps installed.

Smart TVs were found to require precise locations, some also requested risky phone permissions, and some used trackers. Trackers were also found to be prevalent among smart speakers.

The research highlights that manufacturers are able to collect excessive data from users, often with little transparency about its intended use.

If the devices are compromised, there is the possibility that threat actors will gain access to and exploit private data.

400% increase in malware attacks against IoT devices

IoT devices are particularly vulnerable to network attacks such as data theft, phishing attacks, spoofing, and distributed denial of service (DDoS) attacks. These, in turn, can lead to other cyber security threats like ransomware attacks and serious data breaches.

IT consultancy Conosco notes 84% of surveyed companies reported an IoT security breach, and the University of Central Florida notes that the average household is hit with 104 threats each month.

The Zscaler™ ThreatLabz 2023 Enterprise IoT and OT Threat Report revealed malware attacks against IoT and operational technology (OT) devices had increased four-fold between 2022 and 2023.

Even devices without cameras, like smart fridges and washing machines, are being targeted by threat actors. According to Gartner, 40% of smart home appliances globally are being used for botnet attacks.

A botnet is a form of malware that can infect appliances and be used by hackers to perform attacks via the web. An IoT botnet is a network of devices connected to the IoT (usually routers) which have been infected by malware (IoT botnet malware) and are in the control of threat actors. IoT botnets are known for being used in launching DDoS attacks on target entities to disrupt their operations and services.

Back in October 2016, a DDoS attack driven by insecure IoT devices took down much of the internet along the east coast of the US. Hackers used everyday household appliances as weapons. The Mirai malware scanned big blocks of the internet for open Telnet ports, then attempted to log in using default passwords – amassing a botnet army from all the compromised devices. Once infected and configured, an IoT device can be controlled from command and control (C2) servers. After amassing thousands of infected devices, these C2 servers tell the devices what to attack. The Mirai botnet was largely made up of IoT devices, and with so many internet-connected devices to choose from, the attack was much larger than what most DDoS attacks could previously achieve. At its peak, Mirai infected over 600,000 vulnerable IoT devices, according to Cloudflare researchers. Botnets such as Mirai focus on infecting as many devices as possible, which is made easier by the lack of security within IoT devices.
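The scanning behaviour described above gives defenders a usable signal: a compromised device begins probing many outside hosts for Telnet itself. The following is an added example, not part of the original article, that flags devices on an assumed IoT segment contacting many distinct outside hosts on Telnet ports 23 or 2323 within a short window; the log format, subnet, thresholds and sample lines are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}                               # Telnet and a common alternate port
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")   # assumed IoT VLAN (hypothetical)

# Constructed sample log (not real traffic): timestamp, source, destination, destination port
SAMPLE_LOG = """\
2024-10-01T02:00:01 192.168.50.23 203.0.113.5 23
2024-10-01T02:00:02 192.168.50.23 203.0.113.77 23
2024-10-01T02:00:02 192.168.50.23 198.51.100.14 2323
2024-10-01T02:00:03 192.168.50.23 198.51.100.200 23
2024-10-01T02:00:04 192.168.50.23 192.0.2.9 23
2024-10-01T02:00:05 192.168.50.23 192.0.2.130 23
2024-10-01T02:00:06 192.168.50.40 203.0.113.80 443
2024-10-01T02:10:00 192.168.50.41 203.0.113.5 23
2024-10-01T03:10:00 192.168.50.41 198.51.100.14 23
2024-10-01T04:10:00 192.168.50.41 192.0.2.9 23
"""

def find_telnet_scanners(log_text, min_targets=5, window=timedelta(seconds=60)):
    """Map each IoT-segment source to its peak count of distinct outside hosts
    contacted on a Telnet port within one sliding window, if >= min_targets."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Only outbound Telnet from the IoT segment is of interest here
        if int(port) in TELNET_PORTS and src in IOT_SEGMENT and dst not in IOT_SEGMENT:
            events[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort(key=lambda h: h[0])
        start = peak = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # slide the window forward
                start += 1
            peak = max(peak, len({d for _, d in hits[start:end + 1]}))
        if peak >= min_targets:
            flagged[str(src)] = peak
    return flagged

if __name__ == "__main__":
    for device, count in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"{device}: Telnet probes to {count} distinct outside hosts, possible infection")
```

In the sample, only 192.168.50.23 is flagged; the device that makes three Telnet connections spread over two hours stays below the threshold unless the window is widened.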

Protecting smart devices

Tips to reduce the risk of IoT devices being compromised include:

  • Use unique and strong passwords for both devices and wider Wi-Fi networks.
  • Segment the network – place all IoT devices on a separate network from critical systems.
  • Always change admin credentials when receiving new smart hardware.
  • Keep device firmware up-to-date.
  • Keep operating systems and application software up-to-date.
  • Disable unnecessary features like built-in cameras and microphones.
  • Use and maintain anti-virus software.
  • Use anti-malware tools.
  • Enable multifactor authentication (MFA) wherever possible.
  • Use encryption on devices where data is being transmitted, processed and collected in the cloud.
  • Be mindful of what information is shared with the device – check permissions, deny access, delete recordings, read the privacy notices.

With the number of smart devices continuing to grow, the risk of the devices being hacked and used for malicious and illegal purposes is also growing. If you use IoT connected devices, whether in your home or business, in addition to improving security, you should talk with your EBM Account Manager about cyber insurance and how a policy may respond in the event of a cyberattack.