CISO Update #53
The Internet of Spooky Things
This month, in recognition of National Cybersecurity Awareness Month and Halloween, we wanted to cover some spooky Internet of Things (IoT) attacks that may lead you to think you have a ghost in your house. While we have covered this topic in past updates, recent research has measured how rapidly we are connecting our personal and home devices through IoT. By the end of 2022, the IoT market is anticipated to expand by 18% to 14.4 billion active connections. The most popular home IoT device is the home security camera. Ironically, something that is meant to keep your home more secure can lead to some of the most terrifying exposures if not handled correctly.
In 2019, Nest customers reported their smart cameras being taken over by "hackers" who used their access to broadcast terrifying messages that sounded similar to an emergency alert warning of an imminent missile strike. The event was described by one family as “five minutes of sheer terror.” Later that year, a Houston couple rushed to their infant’s room when a hacker began screaming over the family’s Nest camera baby monitor that he was going to kidnap their child.
In 2020, an ADT customer noticed an unfamiliar email address connected to her home security account, which led back to an ADT employee who had spied on hundreds of customers over the course of four and a half years—watching them live their private lives—via their video feeds.
Both companies have since remediated the frightening vulnerabilities that led to these security incidents.
The most common way cameras get hacked is through a technique called “credential stuffing.” Hackers take usernames and passwords exposed in other data breaches, purchased from other hackers on the dark web, and try them against camera accounts, which works whenever the same password has been reused.
How can you protect yourself from virtual tricksters who would like nothing more than to help themselves to your data-filled treat dish?
Keep your camera’s firmware and associated apps up to date
Change your devices’ default passwords to something strong and unique
Set up 2FA (two-factor authentication) on all online accounts
Being proactive is a lot less expensive, less stressful, and less scary than a cybersecurity nightmare. Happy Halloween!