The vulnerable Internet of Things

A new study by Kaspersky Lab showed how insecure smart devices really are. We explain how to cope.

The Internet of Things has yet to become a beacon of information security

Numerous smart watches, coffee makers, vacuum cleaners, and even cars are now part of what is called the Internet of Things (IoT), a catch-all term for the connected devices we’re growing to love and rely on. At least in theory, the IoT should make our lives simpler and more convenient; hence its rising popularity.

However, there’s a flip side: security. Unfortunately, manufacturers are not overly concerned with the security of Internet-connected devices, so almost any “smart” device is vulnerable and thus potentially dangerous. Kaspersky Lab investigated what threats are lurking in the IoT.

Is the IoT dangerous?

IoT devices often have weak security that is very easy to bypass. Criminals are only too happy to take advantage: The number of malicious programs attacking the IoT has more than doubled this year. Worldwide, smart devices now number 6 billion, and many of them are vulnerable, making them a juicy prospect for intruders.

Hacked IoT devices can be used for DDoS attacks, channeling the combined power of lots of, say, Wi-Fi routers to flood and cripple a server. That was exactly what the infamous Mirai botnet did, for example, when it took down dozens of the world’s largest Web services nearly a year ago.

It’s not only botnets that make use of Internet-connected smart devices. For example, having hacked into a smart webcam, an attacker can start spying on its owner. Nothing is sacred in the IoT, and even children’s toys are not immune. Cybercriminals can exploit an unprotected Bluetooth connection to speak to a child in the guise of his or her favorite Furby or teddy bear, or spy on your youngster with the help of a doll.

Last but not least, some criminals simply break IoT devices, putting them out of operation. That was the modus operandi of the BrickerBot worm. Attacked gadgets simply turned into dumb plastic and metal.

Know your enemy

Kaspersky Lab decided to perform a vulnerability check of eight smart things: a smart charger, an app-controlled and webcam-equipped toy car, a receiver–transmitter for smart-home systems, a smart scale, a vacuum cleaner, an iron (yes, a smart iron!), a camera, and a watch.

The results were not encouraging. Of the eight devices only one proved to be secure enough, while the remaining gizmos did not boast reliable protection. Many of them used weak default passwords, which in some cases couldn’t even be changed, and others left confidential information open to interception.

Among the other smart things our experts examined was a popular “spy” toy — a phone-app-controlled car with a built-in camera. Connecting to the phone didn’t even require a password, so the car could be controlled by absolutely anyone. This spy-on-wheels can record sound and video, allowing criminals to amass blackmail material and more on the gadget’s owner.

How to live in the IoT world

Here’s what we advise to stay secure when using smart devices:

Weigh the pros and cons before buying. Look for information about previous attacks on the gadget you’re interested in. Perhaps some hacking stories have already surfaced on the Internet.

Always change the default password to something more complex. If the device doesn’t let you change the password, reconsider whether you really need it.

If you still want to buy the device, think about ways to lessen the risks of attack. Kaspersky Lab has released a beta version of Kaspersky IoT Scanner, a free security solution for smart gadgets. Kaspersky IoT Scanner checks your home Wi-Fi network, determines which devices are connected to it, and tells you whether they are securely protected.

Tips