Computers, phones, webcams, WiFi routers, Bluetooth headsets.
Smart devices are so commonplace in our daily lives that it is hard for us to imagine life without them.
And yet, these can represent a problem for the security of our personal data.
The thing with hyper-connectivity is that while it makes many of our activities easier, it also expands what's called the attack surface: the amount of digital “space” criminals have to commit cybercrime.
According to the latest IoT Analytics report from Palo Alto Networks, the number of connected Internet of Things (IoT) devices reached 12.3 billion last year and is expected to exceed 27 billion connections by 2025.
This trend continues to rise steadily: “By 2023, we will see an increase in the coordinated activity of the physical and cyber environments targeting critical infrastructure.
In the private sector, the security of users' physical devices against coordinated attacks that take advantage of IoT (Internet of Things) and OT (operations technology) systems will be a key concern.”
“IoT connectivity has become one of the most used tools today: they already represent more than 50% of devices connected to the Internet worldwide.
But this entails risks and some threats that can harm not only our equipment, but also our privacy”, says Arturo Torres, threat intelligence strategist for Fortinet's FortiGuard Labs in Latin America and the Caribbean.
In this sense, there are a number of devices and practices that can pose a threat to users: from giving permission to "third party" applications, connecting via Bluetooth or an insecure WiFi network, to dangerous webcams and "clouds", these are the risks that various experts warn about.
"Third Party" App Permissions
Third party permissions ("third parties") come into play when we authorize an application to use our data that may be sensitive, such as our contact book, camera or location.
“Most IoT devices require the end user to download and install an application on their mobile phone for their control.
Many of these applications request unnecessary permissions for the nature of the device in question”, explains Emmanuel Di Battista, a security analyst, to Clarín.
Let's take an example: smart lamps that can be regulated with an app.
These are connected to the WiFi of the house.
“It is common for them to request the user's location, when, logically, the user cannot be in another location that is not close to the device; or the request for access to the mobile camera (with the idea of "scanning" QR codes on the lamp's box), or even to send notifications", he elaborates.
This is potentially dangerous and, in most cases, unnecessary.
“Most users blindly agree to grant all requested permissions in perpetuity.
Many of these platforms also require the user to register to 'enroll' their devices, providing even more personal information,” he adds.
In this case, it is better to deny all permissions that are not strictly necessary.
Bluetooth: the risks
“Bluetooth was historically one of the protocols with the highest adoption but also with the greatest number of vulnerabilities.
Taking into account that it is a protocol used by a large number of devices (intelligent or not), these failures tend to compromise many manufacturers and models of the most varied devices”, the expert notes.
There is even a vulnerability known since 2017: "This is BlueBorne, a type of attack that chains 8 Bluetooth protocol vulnerabilities in order to execute arbitrary instructions on the victim's device without the victim having any interaction in the process (what is known as zero-click)”, he comments.
Executing an arbitrary instruction implies that a hacker can take control of our device.
“This attack - as expected - affected different operating systems and devices alike.
Among these affected devices were the most popular digital assistants of the moment: Google Home and Amazon Alexa.
By abusing this vulnerability, an attacker could send arbitrary commands to these devices”, he concludes.
Thus, apparently innocent devices that connect via Bluetooth, such as home assistants, can be a weapon for cybercriminals.
Webcams, a highly sought after target
Webcams can be a target of attack.
In this case, the invasion of privacy can be enormous if a hacker manages to gain remote access to one.
Considering that they are found not only in computers, but also in building entrances, houses and even private home environments, they are gadgets that can be turned against the user with relative ease.
"It is advisable to acquire brands that are recognized, because these brands generally have a certain type of process for vulnerabilities, failures, continuous updates that can help you avoid some type of information theft or attack," warns Torres from FortiGuard Labs.
He also stresses the importance of passwords, in this case those of the systems on which we are going to install or use a webcam integrated into the equipment.
"It is always recommended that these devices have strong passwords, since if we have them by default, anyone can access them."
WiFi networks
One of the biggest problems has to do with connections to public Wi-Fi networks.
These carry a risk as you cannot be sure whether the connection between the device and the modem is secure.
It is very common to go to a cafe and connect the computer or the phone.
Or even in co-working spaces like WeWork.
However, it should be noted that it is not safe to connect to any available network and, if you do, you should be careful.
Insecure clouds
The so-called “cloud”, that is, the use of computing resources from other companies such as AWS, Azure and Oracle, implies an implicit trust in the systems of these companies.
However, they may have security holes and vulnerabilities.
In this sense, it is advisable to use the best-known providers to ensure that they have infrastructure behind them and, above all, to have good backups of the information that we upload.
The next problem is related to this point.
Exposed or unprotected databases
“Many smart devices use data storage in the cloud that does not comply with the best security and privacy practices, many times publicly exposing the information of their users”, warns Di Battista.
Of course, the information that could be leaked differs from device to device: it always depends on what access the device has.
“Depending on the nature of the artifact, the information that can be leaked varies: the user's physical location, passwords used in the service platform or even device usage data such as audio and/or video recordings,” he explains.
In 2019, he says, 2 billion records from the Chinese company Orvibo were discovered in an insecure database and publicly exposed to the internet.
"These records contained user passwords, password change confirmation codes (tokens), and even smart camera recordings."
All IoT devices are liable to expose databases: the more online technology is used, the larger the attack surface.
The responsibility of the companies
Finally, it is worth reviewing the responsibility of companies that manufacture smart devices.
“Companies have the obligation to comply with the laws of each country in which they operate that have to do with the data protection of its citizens, who will be users of these services”, explains Carolina Martínez Elebi, a graduate in Communication from the University of Buenos Aires and founder of DHyTecno.
“The protection of privacy also involves the security of the information they handle.
This, as has been seen in recent years, is being increasingly violated even in large companies that one would expect to have a more robust development of information security,” she criticizes.
In this sense, Elebi differentiates between the violation due to negligence and the design of products and apps: “Some are violated due to the negligence of the person who administers and manages the stored data.
In other cases, the privacy of the users is not directly respected because this invasion of privacy is part of the business model itself and, if they find a way to overcome the legal barriers, they will do so”.
Under this scenario, the expert advises practicing digital hygiene when using these devices and, above all, when configuring them.
Although, from now on, the user has more to lose: "In principle, before buying a new electronic device or using a new service, it is important to think that for each thing we use, we are going to have to accept the conditions of the companies that provide that gadget or that service that we are going to use.
The margin that we have as users to decide what these conditions will be like is very little,” she reflects.
“Some apps ask us to give them permission to access the camera, microphone, address book, location, among other things, and this is not always something they need to work.
So, do we want to give permissions and access to our entire phone just to play a game for a few minutes?
Many people consider that it is, without analyzing what that implies, and that was what the Cambridge Analytica company took advantage of when it wanted to collect data from Facebook users for political campaigns in various countries”, she closes, in line with the warnings from the experts in computer security.
Regarding the technical aspect, Torres closes with 2 pieces of advice: "It is always advisable to have all the IoT devices in a totally isolated network from the operational one or even from the guest one, so that only they can live there, separated, and in case of some data breach, that cannot get out of control.”
“The other point is to keep these devices always up to date: it is necessary to have some kind of strategy where the same vendor or manufacturer has the ability to update them, send some kind of report or, in the worst case, notify the user if it suffered a data leak”, closes Torres.
SL