Posted on August 18, 2021 at 2:27 PM
Hackers threaten 83 million smart devices
Smart devices like baby monitors and smart cameras, among others, face a threat from hackers who have now found ways to access them. These smart devices are no longer private, with hackers accessing them to listen and be part of real-time conversations and videos transmitted by these smart devices.
The United States Cybersecurity and Infrastructure Agency, in collaboration with Mandiant, have discovered that access to these smart devices is made possible because of the vulnerabilities they present. According to the report, more than 83 million smart devices have been affected, giving the hacking actors the ability to listen in on conversations and watch live delivery feeds from the smart cameras and baby monitors.
According to Mandiant, this vulnerability threatens the security and privacy of the owners of these smart devices. The case becomes more serious after discovering that this vulnerability goes beyond the traditional “capture password” mode of operation that hackers are fond of. While UK security services previously had to caution users against using default passwords, the latest discovery has revealed that even devices that do not support default passwords are potential victims of this new attack.
Similar discoveries and how the hackers do it
Before the report on the series of attacks against the 83 million smart devices, there was a warning passed by ThroughTek that users of smart devices should update their software to prevent hackers from gaining access to their private information as transmitted through the devices.
Other vulnerabilities have been discovered where hackers could access the smart devices from a remote location and spy on the users. One similar case was on Nozomi Networks’ Kalay Protocol, where attackers accessed the surveillance network to hijack footage.
Mandiant investigators discovered what leads to these attacks, terming it as “Manipulator in the middle” (MiTM). Targeting the Kalay protocol, the hackers discover how to hack into the smart devices stationed in users’ homes and watch videos from their surveillance or listen to their conversations.
In this discovery, it is clear that the attackers first access the 20-byte identifier unique to individual users. This means that they cannot exploit the vulnerability randomly. The unique identifier (UID) is given to individual customers who use Kalay-enabled devices such as smart cameras in their homes.
Supposing a hacker knows the unique identifier of one of the devices in your house, they would have done so by using malware that accessed your home network. The attacker would then gain access by pretending that they are your device short-term and re-signing themselves up using the Kalay network.
Simply put, the hackers who attack the smart devices can do so because your device signs itself up with a specific network during the first installation and gets a UID along with authentication credentials. When hackers access these credentials, potentially through malware, they can easily access the data related to your UID and use it to access your smart device from a remote location.
Rules for smart devices that users should know
The UK government released the Product Security and Telecommunications Infrastructure Bill that contains important rules that every smart device user must know. During the Queen’s speech, the regulation was announced by Matt Warman to ensure buyers do not fall victim to hackers because of software vulnerabilities.
This law adjustment aimed to ensure that shoppers remain conscious of the duration within which the smart products they purchase are supported with important security updates. Buying a device that features security updates enhances safety from hackers as these products are not easy to break into.
The first rule in the list entails that sellers must inform customers at the point of sale about the length of time the smart devices will receive security software updates. Another rule was that using weak universal default passwords like the conventional “admin” that manufacturers are prone to would be prohibited. Finally, the manufacturers would have to establish a physical access location where users can report security vulnerabilities in their smart devices.
Mandiant investigators want users to know that system security updates for their smart devices is very important because it ensures that hackers are unable to keep up with your credentials. Once attackers know the unique identifier that distinguishes your device, they can easily re-register with the network your smart device uses.
With network access, the attacker would only have to provide you with different authentication credentials. This way, they begin getting the same video access and tap into your live feed to watch your real-time movements or listen to your conversations in your house when they are miles away.