The Limited Times

Cell phones, PCs, smart TVs and more: the 6 entry routes that expose your devices to a cyber attack

2023-02-07T10:19:49.366Z


The more connectivity, the more risk. What are the most common attacks from IoT equipment and how to defend yourself.


Computers, phones, webcams, WiFi routers, Bluetooth headsets.

Smart devices are so commonplace in our daily lives that it is hard for us to imagine life without them.

And yet, these can represent a problem for the security of our personal data.

The thing with hyper-connectivity is that while it makes many of our activities easier, it also expands what's called the attack surface – the amount of digital “space” criminals have to commit cybercrime.

According to the latest IoT Analytics report from Palo Alto Networks, the number of connected Internet of Things (IoT) devices reached 12.3 billion last year and is expected to exceed 27 billion connections by 2025.

This trend continues on a steady rise: “By 2023, we will see an increase in the coordinated activity of the physical and cyber environments targeting critical infrastructure.

In the private sector, the security of users' physical devices against coordinated attacks that take advantage of IoT (Internet of Things) and OT (operations technology) systems will be a key concern.”

“IoT connectivity has become one of the most used tools today: they already represent more than 50% of devices connected to the Internet worldwide.

But this entails risks and some threats that can harm not only our equipment, but also our privacy”, says Arturo Torres, threat intelligence strategist for Fortinet's FortiGuard Labs in Latin America and the Caribbean.

In this sense, there are a number of devices and practices that can pose a threat to users: from giving permission to "third party" applications, connecting via Bluetooth or an insecure WiFi network, to dangerous webcams and "clouds", these are the risks that various experts warn about.

"Third Party" App Permissions

Many apps ask for "extra" permissions, which they don't really need.

Third party permissions ("third parties") come into play when we authorize an application to use our data that may be sensitive, such as our contact book, camera or location.

“Most IoT devices require the end user to download and install an application on their mobile phone for their control.

Many of these applications request unnecessary permissions for the nature of the device in question”, explains Emmanuel Di Battista, a security analyst, to Clarín.

Let's take an example: smart lamps that can be regulated with an app.

These are connected to the WiFi of the house.

“It is common for them to request the user's location, when, logically, the user cannot be in another location that is not close to the device; or the request for access to the mobile camera -with the idea of "scanning" QR codes in the box of the lamp-, or even to send notifications”, he elaborates.

This is potentially dangerous and, in most cases, unnecessary.

“Most users blindly agree to grant all requested permissions in perpetuity.

Many of these platforms also require the user to register to 'enroll' their devices, providing even more personal information,” he adds.

In this case, it is better to deny all permissions that are not strictly necessary.

Bluetooth: the risks

Bluetooth is very convenient, but it can be a threat.

“Bluetooth was historically one of the protocols with the highest adoption but also with the greatest number of vulnerabilities.

Taking into account that it is a protocol used by a large number of devices (intelligent or not), these failures tend to compromise many manufacturers and models of the most varied devices”, analyzes the expert.

There is even a vulnerability known since 2017: “This is BlueBorne, a type of attack that chains 8 Bluetooth protocol vulnerabilities in order to execute arbitrary instructions on the victim's device without the victim having any interaction in the process (what is known as zero-click)”, he comments.

Executing an arbitrary instruction implies that a hacker can take control of our device.

“This attack - as expected - affected different operating systems and devices alike.

Among these affected devices were the most popular digital assistants of the moment: Google Home and Amazon Alexa.

By abusing this vulnerability, an attacker could send arbitrary commands to these devices”, he concludes.

Thus, apparently innocent devices that connect via Bluetooth, such as home assistants, can be a weapon for cybercriminals.

Webcams, a highly sought after target

"Creepware", a type of malware that intercepts cameras.

Webcams can be a target of attack.

In this case, the invasion of privacy can be enormous if a hacker manages to gain remote access to it.

Considering that they are not only in computers, but also in building entrances, houses and even private home environments, it is a gadget that can turn against the user with relative ease.

“It is advisable to acquire brands that are recognized, because these brands generally have a certain type of process for vulnerabilities, failures, continuous updates that can help you avoid some type of information theft or attack,” warns Torres from FortiGuard Labs.

He also insists on passwords, in this case those of the systems in which we are going to install or use a webcam integrated into the equipment.

"It is always recommended that these devices have strong passwords, since if we have them by default, anyone can access them."

WiFi networks

The access points of places to do coworking can be unsafe.

One of the biggest problems has to do with connections to public Wi-Fi networks.

These carry a risk as you cannot be sure whether the connection between the device and the modem is secure.

It is very common to go to a cafe and connect the computer or the phone.

Or even in co-working spaces like WeWork.

However, it should be noted that it is not safe to connect to any available network and, if you do, you should be careful.

Insecure clouds

"Clouds" are huge data centers that store all of our information once we upload it.

The so-called “cloud”, that is, the use of computing resources from other companies such as AWS, Azure and Oracle, implies an implicit trust in the systems of these companies.

However, they may have security holes and vulnerabilities.

In this sense, it is advisable to use the best known ones to ensure that they have infrastructure behind them and, above all, to have good backups of the information that we upload.

The following problem is related to this point.

Exposed or unprotected databases

Alexa, one of the most used IoT devices in the world.

“Many smart devices use data storage in the cloud that does not comply with the best security and privacy practices, many times publicly exposing the information of their users”, warns Di Battista.

Of course, the potentially leaked information differs from device to device: it always depends on what access the device has.

“Depending on the nature of the artifact, the information that can be leaked varies: the user's physical location, passwords used in the service platform or even device usage data such as audio and/or video recordings,” he explains.

In 2019, he says, 2 billion records from the Chinese company Orvibo were discovered in an insecure database and publicly exposed to the internet.

“These records contained user passwords, password change confirmation codes (tokens), and even smart camera recordings.”

All IoT devices are liable to expose databases: the more online technology is used, the larger the attack surface.

The responsibility of the companies

Google, Amazon, Facebook (Meta), Apple and Microsoft, the tech companies that control the digital world.

Finally, it is worth reviewing the responsibility of companies that manufacture smart devices.

“Companies have the obligation to comply with the laws of each country in which they operate that have to do with the data protection of its citizens, who will be users of these services”, explains Carolina Martínez Elebi, a graduate in Communication from the University of Buenos Aires and founder of DHyTecno.

“The protection of privacy also involves the security of the information they handle.

This, as has been seen in recent years, is being increasingly violated even in large companies that one would expect to have a more robust development of information security,” she criticizes.

In this sense, Elebi differentiates between the violation due to negligence and the design of products and apps: “Some are violated due to the negligence of the person who administers and manages the stored data.

In other cases, the privacy of the users is not directly respected because this invasion of privacy is part of the business model itself and, if they find a way to overcome the legal barriers, they will do so”.

Under this scenario, the expert advises having digital hygiene when using these devices and, above all, configuring them.

Although, from now on, the user has more to lose: “In principle, before buying a new electronic device or using a new service, it is important to think that for each thing we use, we are going to have to accept the conditions of the companies that provide that gadget or that service that we are going to use.

The margin that we have as users to decide what these conditions will be like is very little,” she reflects.

“Some apps ask us to give them permission to access the camera, microphone, address book, location, among other things, and this is not always something they need to work.

So, do we want to give permissions and access to our entire phone just to play a game for a few minutes?

Many people consider that it is, without analyzing what that implies, and that was what the Cambridge Analytica company took advantage of when it wanted to collect data from Facebook users for political campaigns in various countries”, she closes, in line with the warnings from the experts in computer security.


Regarding the technical aspect, Torres closes with 2 pieces of advice: “It is always advisable to have all the IoT devices in a totally isolated network from the operational one or even from the guest one, so that only they can live there, separated, and in case of some data breach, that cannot get out of control.”

“The other point is to keep these devices always up to date: it is necessary to have some kind of strategy where the same vendor or manufacturer has the ability to update them, send some kind of report or, in the worst case, notify the user if it suffered a data leak”, closes Torres.

SL

Source: clarin
