Nick Viney, Senior Vice President, Avast says that although the attack on Verkada isn’t an IoT attack, it’s an attack on their business network - and the case once more demonstrates the urgent need to protect data collected via IoT devices.
Viney’s comment came after news reports revealed that a group of hackers had breached Silicon Valley security-camera company Verkada, gaining access to live feeds of 150,000 surveillance cameras inside hospitals, police departments, prisons, schools and companies like carmaker Tesla,
The video surveillance market is predicted to grow to US75 billion by 2025 (A$ 96 billion), and “companies gathering sensitive data such as video recordings need to implement stronger security measures,” Viney said.
“At the same time, security cameras are often riddled with security issues. For example, data from IoT search engine Shodan.io shows that at this moment over 124,000 Internet-connected security cameras worldwide can be accessed - so it doesn’t even take an attack on a security camera business to access camera footage.
“This includes industrial security cameras revealing footage of power plants, industrial production facilities, heating systems and gas stations, and it includes smart home devices, putting individual’s privacy at risk.
“Our data shows that over two thirds of vulnerable smart home devices are at risk due to weak security credentials. This is an avoidable flaw, and businesses and individuals need to become more security conscious, while implementing security solutions to protect their personal data,” Viney said.
According to Shodan.io, the current number of Internet-connected cameras that are open and accessible for third parties in Australia are 424, with 155 open in New Zealand as of Thursday 11 March.
Avast list some simple steps it says will help Australians and New Zealanders reinforce their security around smart home devices:
Take the time to pick the right smart home devices – When buying a new smart home device, consider buying products from well-known reputable manufacturers. They are more likely to have produced devices with security in mind. Also check that they provide security updates so firmware can be fixed if required. Before you add a new connected device to your network, take the time to understand everything about it, including how it collects and uses your data and the device features to ensure you understand what you can disable for extra security.
Change default password - This goes for any device that comes with a default password, not just your Wi-Fi router. When given the option, always change the default password to something complicated. By choosing not to update default login data, homeowners are making it easy for hackers. Most bad actors can guess a default password, allowing them to breach a network and even link a smart home device to a botnet, a collection of internet-connected devices controlled by cyber-criminals.
Set up two step authentication - Where possible, homeowners should also strengthen device security by using two-step verification, a process where two authentication methods are needed to gain access which can help prevent attacks if your password is discovered.
Update ASAP always - It cannot be stressed enough — keep the firmware of your IoT devices updated with the latest versions and patches available. Remember, the cause for most of these updates is because a security flaw has been found and exploited in the previous version. You want to stop running that compromised version right away. Also when considering a new IoT device, take a look at its update process. Make sure it’s easy and straightforward and that you are notified when a new update is ready.
Consider splitting your home network - Splitting a home network in two could also be beneficial. As part of their recommendations for robust digital security, The Federal Bureau of Investigation has suggested homeowners keep devices carrying sensitive data - such as a laptop and smartphones - on a different network from those supporting smart home devices. By using this set-up, a hacker would not be able to directly access a personal laptop if they breached a smart home device. This network could also operate as a secondary network for guests; protecting sensitive devices if their bad browsing behaviour leads to a security problem.
Consider cybersecurity - Everyone’s protection is in their own hands these days, so it’s a good idea to call in reinforcements for peace of mind. Consider installing a digital security product that assesses your IoT devices connected to your network, reporting anything abnormal. Wi-Fi Inspector, which is part of Avast Free Antivirus and Premium Security, runs locally on a user’s personal computer and performs network scans of the local subnet to check for devices that accept weak credentials or have remotely exploitable vulnerabilities, alerting users to security problems it finds.
Erase your personal data from old smart home security before disposing – If you are getting rid of older smart home security products, make sure that you erase all your data and personal information, delete your account if you no longer need it, and perform a factory reset of the device. Also, make sure to remove the device from your online accounts, networks or apps that you have linked them to.