Press releases

Avast Exposes Internet of Things Attack Risk in Barcelona, Home of Mobile World Congress 2017



Half a million smart devices including webcams and baby monitors in the city are currently vulnerable to cyber attack

Mobile World Congress, Barcelona, Spain, February 27, 2017 – Avast, the leader in digital security products for consumers and businesses, today reveals the findings from its latest research experiment into smart devices, including public and private webcam vulnerabilities in Spain, and, specifically, in Barcelona. Avast identified more than 22,000 webcams and baby monitors in the city that are vulnerable to attack, which means that cybercriminals could livestream the videos directly to the internet. The findings identified more than 493,000 smart devices in Barcelona and 5.3 million in Spain overall – including smart kettles, coffee machines, garage doors, fridges, thermostats and other IP-connected devices – that are connected to the internet and vulnerable to attacks.

As webcams and other devices are vulnerable, there are a range of security, legal and privacy concerns to be addressed. Snoopers could easily access and watch Mobile World Congress visitors and Barcelona residents in private and public spaces, and stream the video directly to the internet, or turn the device into a bot. With hundreds or thousands of vulnerable devices, cybercriminals can create a botnet to attack and take down servers and websites. When a device is infected, it can also be used to infect other devices, to add them to a botnet, or to take control over them and do harm to their owner. This includes kitchen and other household devices, to which cybercriminals can give remote orders, for example, to heat up water in a kettle.

Smart device manufacturers also collect and store private user data, including behavioral data, contact information, and credit card details, which poses an additional risk if intercepted by cybercriminals. And while the problem is in no way confined to Barcelona, Spain, or indeed to webcams, it is particularly challenging for the city as it is hosting thousands of mobile and technology industry executives at Mobile World Congress 2017 this week.

In the experiment, Avast found:

      More than 5.3 million vulnerable smart devices in Spain, and more than 493,000 in Barcelona

      More than 150,000 hackable webcams in Spain and more than 22,000 in Barcelona

      More than 79,000 vulnerable smart kettles and coffee machines in Spain

      More than 444,000 devices in Spain using the Telnet network protocol, which is a type of protocol that has been abused to create the Mirai botnet which attacked Dyn in 2016, leading to the crash of Internet sites like Twitter, Amazon, Reddit, etc.

Conducted in partnership with IoT search engine specialists Shodan.io, the experiment proves just how easy it is for anyone - including cybercriminals - to scan IP addresses and ports over the Internet and classify what device is on each IP address. And, with a little extra effort and know-how, hackers can also find out the type of device (webcam, printer, smart kettle, fridge and so on), brand, model and the version of software it is running.

“With databases of commonly known device vulnerabilities publicly available, it doesn’t take a vast amount of effort and knowledge for cybercriminals to connect the dots and find out which devices are vulnerable,” comments Vince Steckler, CEO at Avast. “And even if the devices are password protected, hackers often gain access by trying out the most common user names and passwords until they crack it.”

Avast’s latest research experiment highlights a serious and growing problem which, unless addressed, will only worsen in line with the increasing number of devices connected to the Internet.

Vince Steckler, Avast, continues; “If webcams are set to livestream for example, hackers or anyone can connect, making it easy for cybercriminals to spy on innocent Mobile World Congress trade show visitors, or oblivious school pupils, workers or citizens nearby. That in itself is a privacy minefield, although what is far more likely is the possibility of a cybercrook hijacking an insecure webcam, coffee machine or smart TV to turn it into a bot which, as part of a wider botnet, could be used in coordinated attacks on servers to take down major websites. In the future, we could also see cases where cybercriminals harvest personal data, including credit card information from unsuspected IoT users.”

To be aware of vulnerabilities and secure all connected devices against unwanted attacks, users need to contribute to making the online world a safer place by keeping software updated and choosing strong, complex passwords. Additionally, Avast is soon set to launch a new feature in its Avast Wi-Fi Finder Android app. Avast Wi-Fi Finder lets users find secure and high-speed Wi-Fi when on the go. In the new version, the app automatically will scan Wi-Fi networks for vulnerable devices, and allows users to address any security issues by providing step-by-step remediation instructions.

Avast Wi-Fi Finder is available on Google Play at https://play.google.com/store/apps/details?id=com.avast.android.wfinder, and will be updated with the new scanner feature in summer.

At Mobile World Congress 2017 in Barcelona Avast CEO Vince Steckler will address IoT risks and show in a live demo how IoT devices can be infected, and become part of a botnet. His speech will take place on Wednesday, March 1, from 2:15pm at Fira Gran Via Conference Facility Hall 4, Auditorium 2.

Avast is discussing mobile and IoT threats, and its solutions that address these at the congress, in hall 2, booth no. 2G13.