- Feb 13, 2019
- Jan 21, 2019
MikroTik, from Latvia, did its part: it fixed a software flaw and made the update available to customers around the world. As usual, many users did not do theirs and, instead of downloading the fix, continued to use the old version. Soon, hackers discovered the flaw and began a global attack. Brazil became the central target of the attack, and by early August, about 72,000 routers and other wireless devices from MikroTik had been captured in the country, in homes and businesses (around 200,000 were invaded worldwide). These machines worked only partially for their owners - in parallel, the hackers made the equipment mine bitcoins. This is the latest case to show the vulnerability of devices connected to the Internet of Things (IoT). It was not the largest.
British hacker Daniel Kaye, 30, is charged in the UK with launching an attack in Germany that left 900,000 routers disconnected in homes and businesses in 2016. He used malware called Mirai, which infects unprotected devices and uses them to search for and invade others, one after another. In the United States, cybercriminals Josiah White, 20, and Paras Jha, 21, were convicted in December 2017 for using Mirai. After the attacks, the duo offered their victims services as digital security consultants. In a world of connected objects in the hands of technology laymen, it is not just companies that see opportunities. Criminals do too. Not without reason, the sharper experts already claim that the initials IoT stand for the internet of threats.
In early August, the Federal Bureau of Investigation (FBI) saw fit to issue a public warning about the vulnerabilities of "things" connected to the Internet. Criminals may invade a home network to steal data or demand money, but the FBI is more concerned about the indirect use of the devices. Most home devices have enough computing power to become a network connection point, or node, capable of receiving, processing, storing and sending information over the Internet, said Sudha Jamthe, CEO and author of the IoT Disruptions project and teacher at Stanford University.
Hackers capture these machines hundreds or thousands at a time to attack larger systems, large companies or infrastructure, or to spread malicious programs - such as viruses and spyware - through the network. "The use of domestic devices hides digital traces, making it difficult to identify those responsible for the crimes." The FBI's list includes equipment such as refrigerators, cameras, TVs, radios, smart ports and routers, which, in addition to cyber attacks, are used to trade illegal images and products in the depths of the web.
At the moment, digital security is not keeping pace with the rapid expansion of IoT and residential automation. Annette Zimmermann, vice president of research and consulting firm Gartner, believes the industry will yet get to work, and that digital security solutions will keep pace with the expansion of the network. But she admits that, at present, lack of security is a systemic problem in residential IoT. We will have at least a turbulent transition phase while houses become hyperconnected. "With the internet of things, we will have more exploits of security breaches. It will be a constant effort to reduce the frequency and impact of these attacks," said Pedro Paulo Pérez, vice president of digital security for the Telefónica Group and CEO of ElevenPaths, the company's security unit.
Part of the responsibility lies with equipment manufacturers and service providers. Products and services are not designed to provide maximum security. Allowing connection and remote management of the devices brings convenience to the consumer, but makes the consumer vulnerable to all kinds of threats from the digital world. According to a study by Ben-Gurion University of the Negev, Israel, released in March, connected devices such as baby monitors, cameras, automatic doors, home security systems and thermostats were easily invaded by an academic group that studies vulnerabilities of home networks.
For the experiment, the researchers dissected smart devices connected to the internet. They used reverse engineering techniques and simulated virtual attacks. "It is scary how easily a criminal, voyeur or pedophile takes control of these devices," Professor Yossi Oren, a leader in Ben-Gurion's digital security laboratory, said in a statement. According to Oren, in just 30 minutes the team unlocked the passwords of most devices using simple resources such as Google searches and product manuals.
In Brazil, a Qualcomm team reproduced the experiment on a smaller scale. The demand for testing devices commonly found on the market arose from customer complaints. The result was also alarming: 70% of the evaluated devices presented, on average, 25 different points of vulnerability. The risks range from ease of cyber intrusion to the addition of hardware parts. When dismantling one of the routers, José Palazzi, Qualcomm's director of IoT for Latin America, came upon an extra board.
The purpose of the object was to copy the processed data and send it to the bad guys. The router had been in the hands of a team of home network installers, and the customer who contracted the service would be unable to notice the maneuver. "The equipment has to be sealed to avoid this type of action. You have to protect the hardware, the software and the network," he says. Silmar Palmeira, director of innovation and network technology at TIM, agrees that, in the face of the transformation, we will need extra layers of protection in the home environment, with redundant systems and special care with sensors that capture information about users' lives.
The reaction of big companies has been slower than ideal. "Companies are looking for partnerships to produce safer, harder appliances," says Sudha of Stanford University. According to her, the intention is to establish standards and connectivity agreements between the devices and to protect them starting from the industrial design. "It is possible to design safer devices," she says.

Does anyone qualify?
IoT will require more commitment from organizations because, in addition to fixing their own products and services, companies will need to think like the average user, who has neither the time nor the knowledge to ensure their own digital security. Thiago Bordini, director of cyber intelligence and research at the New Space Group, explains that so far there are no established security standards for home devices. Most settings are made directly on the device and depend on user action. "But people do not know they need to set up a password," he explains. During the interview, Bordini accessed the site Shodan, a kind of Google for the internet of things. He searched, in Brazil, for a specific smart TV model. In seconds, he obtained a list with the Internet (IP) addresses of 22 devices. "To exit the list, you need to change the equipment settings," he says.
Experts will have a lot of educational work to do. Last December, three researchers in the field - two from IBM and one from the Montreal Polytechnic - published a proposal for a security framework for the entire network, which they consider proof against users' technological ignorance. They called their system IDIoT.
As equipment manufacturers and users try to adapt, the digital security industry anticipates a lot of work. Traditional companies in the industry, such as Symantec, McAfee and F-Secure, now offer specific residential IoT services. Strategies range from direct consumer offerings to the inclusion of security features in connection, communication and entertainment services. "This model requires developers to partner with internet service providers and telecom operators," explains Annette of Gartner. Startups are also in the game and are set to shake up business models in the protection of connected homes. Among the newcomers, the analyst highlights BitDefender, from Romania, and Cujo, from Los Angeles.
Founded in the United States, Cujo has development teams in Lithuania - responsible for the systems that run in the cloud, which concentrates the part of the software that goes on the devices, the firmware. "We work on protecting the routers. We understand that the equipment is the central point of the home network and the most vulnerable," comments Lourival Vieira Neto, vice president of firmware engineering and leader of the Brazilian team (remembering that this includes smart speakers such as Google Home and Echo, from Amazon).
With three years of operation, Cujo was considered a pioneer by the World Economic Forum for the depth of its research - the startup uses machine learning and data science to monitor and predict attacks. It is expanding rapidly in the United States and Europe, and is now opening the way into Asia. The focus on the router makes sense. The equipment is vulnerable to small-scale or mass attacks, such as the one launched against MikroTik machines. That type of attack is known as cryptojacking - it "steals" the computer's processing capacity to mine bitcoins. It is like an illegal tap (a "gato", in Brazilian slang) on the machine's processing power. "It does not involve invasion of privacy or data theft, but it harms the performance of the device," says Bordini of New Space. And the owner still pays the energy bill for the bitcoin mining.
The bitcoins coveted by criminals use blockchain technology - a distributed ledger system - that enables decentralization of functions such as authentication, identity verification, and value registration. Blockchain itself has the potential to protect home networks. Among its security attributes is robust encryption. Ockam, a startup in San Francisco, has created a blockchain-based platform to track home appliances. It allows manufacturers to track the product through the entire supply chain, avoiding the insertion of malicious parts or programs.
Robert Schwentker, president of Blockchain University, points out that the uses of distributed ledger technology are embryonic and there is a race to prove its viability in the most diverse processes. "To advance on the internet of things, we have a lot of work to be done in the routines of identity authentication," he says. He believes that the protection of residential IoT will require studies not only of blockchain, but of technologies such as artificial intelligence and even quantum computing. "They are revolutions that are happening at the same time. Good solutions will demand convergence between them," he says.
Regardless of the technology adopted, those working in the residential IoT segment will feel regulatory impacts. Recently approved data protection and privacy laws in Europe will force a conversation between device manufacturers, service providers, and the security software industry.