Half a million smart devices including webcams and baby monitors in the city are currently vulnerable to cyber attack
Mobile World Congress, Barcelona, Spain, February 27, 2017 – Avast, the leader in digital security
products for consumers and businesses, today reveals the findings from
its latest research experiment into smart devices, including public and private
webcam vulnerabilities in Spain, and, specifically, in Barcelona. Avast
identified more than 22,000 webcams and baby monitors in the city that are
vulnerable to attack, which means that cybercriminals could livestream the
videos directly to the internet. The findings identified more than 493,000
smart devices in Barcelona and 5.3 million in Spain overall – including smart
kettles, coffee machines, garage doors, fridges, thermostats and other
IP-connected devices – that are connected to the
internet and vulnerable to attacks.
As webcams and other devices are vulnerable, there is a range of security, legal
and privacy concerns to be addressed. Snoopers could easily access and watch
Mobile World Congress visitors and Barcelona residents in private and public
spaces, and stream the video directly to the internet, or turn the device into
a bot. With hundreds or thousands of vulnerable devices, cybercriminals can
create a botnet to attack and take down servers and websites. When a device is
infected, it can also be used to infect other devices, to add them to a botnet,
or to take control over them and do harm to their owner. This includes kitchen
and other household devices, to which cybercriminals can give remote orders,
for example, to heat up water in a kettle.
Smart device manufacturers also collect and store private user data, including
behavioral data, contact information, and credit card details, which poses an
additional risk if intercepted by cybercriminals. And while the problem is in
no way confined to Barcelona, Spain, or indeed to webcams, it is particularly
challenging for the city as it is hosting thousands of mobile and technology
industry executives at Mobile World Congress 2017 this week.
In the experiment, Avast found:
● More than 5.3 million vulnerable smart devices in Spain, and more than 493,000 in Barcelona
● More than 150,000 hackable webcams in Spain and more than 22,000 in Barcelona
● More than 79,000 vulnerable smart kettles and coffee machines in Spain
● More than 444,000 devices in Spain using the Telnet network protocol, a type of protocol that was abused to create the Mirai botnet, which attacked Dyn in 2016, leading to the crash of Internet sites like Twitter, Amazon and Reddit
Conducted in partnership with IoT search engine specialists Shodan.io, the experiment
proves just how easy it is for anyone - including cybercriminals - to scan IP
addresses and ports over the Internet and classify what device is on each IP
address. And, with a little extra effort and know-how, hackers can also find
out the type of device (webcam, printer, smart kettle, fridge and so on),
brand, model and the version of software it is running.
“With databases of commonly known device vulnerabilities publicly available, it
doesn’t take a vast amount of effort and knowledge for cybercriminals to
connect the dots and find out which devices are vulnerable,” comments Vince
Steckler, CEO at Avast. “And even if the devices are password protected,
hackers often gain access by trying out the most common user names and passwords
until they crack it.”
Avast’s latest research experiment highlights a serious and growing problem which,
unless addressed, will only worsen in line with the increasing number of
devices connected to the Internet.
Vince Steckler, Avast, continues: “If webcams are set to livestream for example,
hackers or anyone can connect, making it easy for cybercriminals to spy on
innocent Mobile World Congress trade show visitors, or oblivious school pupils,
workers or citizens nearby. That in itself is a privacy minefield, although
what is far more likely is the possibility of a cybercrook hijacking an
insecure webcam, coffee machine or smart TV to turn it into a bot which, as
part of a wider botnet, could be used in coordinated attacks on servers to take
down major websites. In the future, we could also see cases where
cybercriminals harvest personal data, including credit card information from
unsuspected IoT users.”
To be aware of vulnerabilities and secure all
connected devices against unwanted attacks, users need to contribute to making
the online world a safer place by keeping software updated and choosing strong,
complex passwords. Additionally, Avast is soon set to launch a new feature in
its Avast Wi-Fi Finder Android app. Avast Wi-Fi Finder lets users find secure
and high-speed Wi-Fi when on the go. In the new version, the app will
automatically scan Wi-Fi networks for vulnerable devices and allow users to
address any security issues by providing step-by-step remediation instructions.
Avast Wi-Fi Finder is available on Google Play at https://play.google.com/store/apps/details?id=com.avast.android.wfinder,
and will be updated with the new scanner feature in summer.
At Mobile World Congress 2017 in Barcelona, Avast CEO
Vince Steckler will address IoT risks and show in a live demo how IoT devices
can be infected, and become part of a botnet. His speech will take place on
Wednesday, March 1, from 2:15pm at Fira Gran Via Conference Facility Hall 4,
Auditorium 2.
Avast is discussing mobile and IoT threats, and its
solutions that address these at the congress, in hall 2, booth no. 2G13.