Today You’re Being Hacked – How To Choose Secure Settings
What can happen with your IoT devices in 24 hours and how to secure settings so you’re safe
It’s a great big interconnected world. It’s also a great big unsafe world because of a lack of secure settings.
All of it is connected by devices communicating with each other through the Internet.
This is a story of how you can be hacked on a regular day, going to work, maybe on a date (if it’s a good day).
Studies show that just one in 3 office workers is aware of what ransomware is.
What this means is that the cybersecurity industry is struggling to educate the larger audience over potential threats. This is why we wanted to make this educational resource more fun, via lots of infographics and fun MR Robot gifs.
When it comes to smart device’s settings, each one, even your Disney Parental Control System, can leave you and your loved ones exposed, putting personal and financial data at great risk. Let’s see just how many times you could potentially be hacked in under 24 hours!
Sit back and enjoy the epic, cautionary tale of “They Hack Everything You Own” and learn how to choose secure settings so you don’t become this Dave.
As you know, the Internet was “invented” in the late ‘60s and hit the mainstream by the end of the ‘80s, with the rise of commercial ISPs (Internet service providers). However, the first IoT device is widely regarded as being The Internet Coke Machine, created in 1982 by a few Carnegie Mellon University students.
They installed micro-switches in the machine to count how many bottles were available in each of the six columns, then connected those switches to CMUA, the main departmental computer.
For 1982, it was also pretty advanced: the students wrote a program that also displayed how long the Coke bottles had been in the machine, so you could know how warm or cold they were.
Now fast forward to 2017, a year in which headlines like “Your smart fridge may kill you” are commonplace. We wanted to name this one something like “Your toaster is letting criminals in your house”, but we didn’t want to be so alarmist. Well, we were alarmist with the headline we eventually picked, but you’re here, so it worked out.
Read on for a list of hacks and devices that sound science-fiction but are realer than an unpaid bill.
We organized them based on your normal everyday routine and included expert advice in getting secure settings so you don’t get hacked.
Want to know how the pervasiveness of IoT devices can impact you personally? See what can happen in a day, at any given hour. Here are the shortcuts to jump to each chapter.
It’s 8:00 AM so you want coffee, but the machine displays a weird message.
Smartphone-controlled coffee machines and other IoT devices like smart kettles have terrible security practices. A coffee maker’s producer was mostly focused on getting you the best cup of caffeine in the morning.
The code of the machine and its Internet connectivity was an afterthought. For example, these guys hacked their own coffee machine so they could hook it up to Alexa.
This is how it works:
When a connected machine is turned on, it usually opens a non-encrypted hotspot. As reported by countless security experts, it can reveal one of the most important data you have: the SSID and password to the home wireless network. So hackers now have access to mainly everything because, as many T-shirts and funny signs say,
Home is where your Wi-Fi connects automatically.
This ransomware attack already happened on a large scale at a petrochemical company, as detailed in this wonderful account of a Chemical Engineer, who posted on Reddit in July the fascinating tale of “How the coffee-machine took down a factories control room”.
What you should do
- Never, ever keep the default factory settings on smart devices.
- Use the same security measures as for your phone, personal computer or workstation.
- If that’s too much, at least change the default device password to a new, more secure one.
If you don’t want to manually connect the coffee maker to the internet all the time, make sure to change the default router password as soon as you get a router. This small security step can protect you against a large type of malware infections. You’d be surprised how many people don’t and how many routers are compromised every day because of this.
So let’s say you skipped the coffee and decided to ignore the ransomware display on the coffee machine because it’s too damn early to get stressed. You’ll just ask your co-workers or the IT guy how to deal with this and grab Starbucks on the way. What next?
It’s 8:30, so you set the parental controls so your kids don’t go crazy online. If there are no kids around, you make Alexa play some music.
In both of these scenarios, because of a lack of secure settings on your part and the insecure nature of IoT devices nowadays, hackers target them with incredible enthusiasm.
Security experts announced on Halloween that they patched 23 vulnerabilities in Circle with Disney, the popular parental control. Yes, 23 critical vulnerabilities were found, over several months, in a device that connects to your home Wi-Fi network and allows you to manage other devices.
According to Cisco Talos researchers, if Circle with Disney was hacked, attackers could have had the “ability to alter network traffic, execute arbitrary remote code, inject commands , install unsigned firmware, accept a different certificate than intended, bypass authentication, escalate privileges, reboot the device, install a persistent backdoor, overwrite files, or even completely brick the device.”
If you don’t have kids but have a similar device at home, mainly the Amazon Echo, you’re still exposed to the same risk.
In August 2017, researchers at MWR InfoSecurity reported an Alexa hack that allows continuous eavesdropping, then sends the information to a remote computer. This is a physical attack on the Echo that allows a hacker to attack the Linux operating system and install malware without leaving physical evidence of tampering. So someone you know could be listening in whenever you talk to your personal virtual assistant.
With the DolphinAttack, voice commands translated into ultrasonic frequencies inaudible to humans are easily recognized by voice assistants like Alexa, Siri or Ok, Google.
What you should do
- Secure settings on your router and devices by not keeping the default password.
- Change the passwords when you buy a device ASAP.
- Have different passwords for all of them.
For the sake of this story, let’s say your assistant is compromised as well. Could the day get any worse?
Oh, look, your order from Amazon is here, so at least you got a present.
It’s 9 o’clock already, so you need to leave. But the Amazon courier is not here so you set the smart-lock for him.
Amazon debuted the Amazon Key, a lock-and-camera system that you can control remotely so you can let the UPS guy deliver the package in your home. The system unlocks your door for the couriers and films the drop-off so you can be sure nothing untoward happens. It can also create temporary passcodes for friends and other people.
Amazon says that this way, you can receive packages when you’re not at home, without the risk of having it stolen from your doorstep.
Malwarebytes doesn’t say but actually begs that you don’t buy smart locks.
What you should do
Indeed, do not buy smart-locks. We agree wholeheartedly with Malwarebytes. We have nothing against progress and devices making our lives easier but, as long as hackers are around, you need to be protected.
The Amazon page says nothing about the software used by Amazon Key, so there is no way to verify that it’s designed with the latest cyber-security measures in mind. What about secure settings? Because there’s no way of knowing how much you can control this software, secure settings seem almost impossible to guarantee.
Just look at this video:
I call this the "Break & Enter dropbox" and it pairs well with my Amazon Key (smartlock & smartcam combo).
It's all current software. Amazon downplayed the last attack on this product because it needed an evil delivery driver to execute. This doesn't. pic.twitter.com/35krz46Kab
— MG (@_MG_) February 4, 2018
We hope you waited until getting smart locks but, for the sake of this story, you didn’t. Your coffee machine was hacked, Alexa is going wild, the smart locks seems fine but a burglar is just waiting for you to leave home. And you leave, because…
It’s 9:10, you’re running late, so you ask Siri to open Google Maps.
With the DolphinAttack, Siri and other personal assistants are susceptible to attacks. If you use the voice integration feature, evil-doers could simply say “Siri, open the door” and the smart lock could open. Scary, right?
There’s something scarier. Smart locks are still in their infancy, but smartphones are prevalent and so is a lack of secure settings. Most people do not even know that their data is exposed on a constant basis by the apps they use. You probably don’t know either, so you head on to the office, oblivious to the fact that your phone and, implicitly your location was disclosed to cybercriminals.
In 2016, 1.3 million Google accounts were compromised through illegitimate Android apps. Android ransomware rose 137.8% from Q1 to Q2 2017 and iOS is also an extremely appealing target for hackers.
What you should do
We created here a guide with the easiest way to keep your phone and data safe. As expected, we highly recommend you do not rely on the default settings of your device. Instead, focus to secure settings by managing every app’s permissions.
It’s 10:00, finally at the office. Your PC is locked and the IT dude is a bit pale.
You ignore him because you already had a bad couple of hours. While he inspects the workstations, you grab a coffee and start telling your coworkers about your morning.
They interrupt you.
Your company was hit by Bad Rabbit, a ransomware attack more vicious than Petya/notPetya. All the workstations are showing a message that the data was encrypted, and the ransom is a large sum to be paid in Bitcoin.
This happened in October 2017. As we detailed in this security alert, the Bad Rabbit ransomware was spread through a fake Adobe Flash Update. It hit major organizations across Ukraine, Russia, Turkey, and Bulgaria, disrupting operations for several transportation companies.
What you should do
Do not propose to your boss to pay the ransom, it’s futile, the hackers will never decrypt your data. Instead, offer your company this list of free ransomware decryption tools and let experts handle the crisis.
It’s 13:00. After a grueling meeting about the ransomware attack, you grab a laptop and try to read the news, but most websites are down.
Meet and fear the botnet. It’s one of cyber-security’s biggest boogie men, and for good reason.
A botnet is a large network made of compromised IoT devices. These devices are enslaved by the thousands via malware and their owners have no idea. Hackers then use this botnet to launch massive DDoS attacks.
In laymen’s terms, 300.000 smart coffee makers and CCTV cameras all try to access your favorite website at the same time, the website’s servers are overwhelmed and they go down. Killed by toasters, a scary, inglorious way to go.
In 2016, the Mirai botnet attacked a major DNS provider and, for a day, managed to take down services like Twitter, Netflix, Reddit, Airbnb, and Spotify. Here’s a heat map of all the affected websites.
In 2017, security researchers warn that a larger botnet called Reaper is on the rise and it could be a lot more devastating than the infamous Mirai.
What you should do
Again, please change the default passwords to all your devices, it can stop a malware infection in its tracks. When buying new devices, check the terms of service or find out how often the maker releases updates and patches. Most IoT devices have spotty support and patching is critical to protecting them from malware infections. We wrote more about how to secure IoT devices here.
You don’t want your coffee maker to be an enslaved bot, do you?
It’s 16:00. You just want to escape the office so you call an Uber. If you have an iPhone, you’re in trouble.
At the beginning of October 2017, news broke out that Apple gave Uber a “totally unprecedented” permission to read iPhone screens, even when only in background use.
Other specialists claimed that this permission would allow Uber to record the screen of the device even if the app was closed, in theory accessing highly sensitive information. Seeing how Uber drivers were hacked by the thousands in 2014 and others reported their account stolen and used in Russia, this doesn’t bode well.
If someone were to access your Uber data, it might not seem like much. What if they use Uber to gain access to your entire phone, from the photo library to work documents in your downloads folder?
What you should do
Again, check permissions for all of your apps. You should do this after every major iOS or Android update.
Fortunately for you, you’re unaware of this hack so you go about your day. Hmm, what could go wrong again?
It’s 18:00. After an unsuccessful time trying to set-up a date with someone on Tinder, you get phished.
The wonderful person you were chatting with wants to meet and sends you a link “for the location”. Of course, is a phishing scam, because you’re talking to a bot. This scam could look like a false alert to change your Tinder password or a map wanting to be downloaded on your phone.
If you think phishing is something that happens to old people who don’t know what to do online, think again.
As we mentioned in a weekly security round-up, younger adults are a lot more likely to fall prey to phishing: 11%, compared to only 5% for the 55+ demographic. They’re also at risk of losing 3 times more money than their older peers.
What you should do
Before you get too sad about the failed Tinder date, check out the advice offered by Scammer Nanas.
Get Safe Online recruited a few grandmothers and trained them to hack into their grandkids’ accounts. It was a fun campaign, designed to raise awareness about phishing practices and security best practices for Internet users.
Then cheer up and….
Go to a friend’s house.
It’s 21:00. You arrive at your friend’s home. It’s a smart one and it’s going haywire.
Hackers could have a field day playing with all the automated systems in a smart home, because most of them are lacking in secure settings. Mr Robot pointed this out in a season 2 episode.
From dimming the lights to wrecking the thermostat or blasting music through Alexa, the wealth of IoT devices all connected to a central hub offers infinite opportunities for malicious attacks.
If one IoT device poses so many security risks, think what a smart home with no secure settings, just default ones, could be exposed to. All of the below benefits are meaningless if your data is exposed to hackers – your photos, your banking info, even your social security number.
What you should do
Tell friends that they should not allow public Wi-Fi, avoid connecting multiple devices to the same service and never, ever use the default passwords.
Also, maybe invite your friend back at your place until her smart home gets a thorough clean. It’s late, hackers got to everything you care about already, what else could happen?
It’s 22:30. Your friend has a Tesla car and it got hacked.
Because we don’t want this cautionary tale to take too much of a dark turn, let’s just say the car got hacked in a nicer way. One of the door locks stopped working and you had to climb through the back, then the radio had the volume a bit too loud.
In reality, electric cars are chockful of devices connected to the Internet, each one with a host of security risks.
In 2016, a group of Chinese security researchers took control of a Tesla car wirelessly, from 12 miles away. They set-up a malicious Wi-Fi hotspot that when the driver used the web browser. The hackers could trigger indicators, move seats back and forth, open the sunroof and even control the brakes. If that vehicle were traveling at high speed down the highway, this would have been a recipe for disaster.
In 2017, Tesla and other autonomous cars still pose security flaws. Hackers participating in the Tesla bug bounty program turned a Tesla X into an “unauthorized Xmas show”. They sent malicious software via the browser once more, turning the brakes on remotely, flashing the lights and synchronizing them to music from the car’s radio.
What you should do
Wait until you jump the gun and purchase an autonomous car and advise your friends to do this as well. Fortunately, Tesla has a generous bug bounty program. If you wait until major kinks are smoothed out and follow all the other advice in this article, you should be one happy, safe camper.
It’s 23:00. Tired and stressed? Even meditation apps can be hacked.
It’s 23:00 and today you’re being hacked. Fortunately, the day is almost over and you and your friend are back at your place. The coffee machine might not work, but it’s late and you want to unwind.
In this day and age, sound machines, white noise, and meditation apps are among the best-selling products in marketplaces like Amazon or Google Play.
Of course, being devices connected to the Internet and hackers being ever so creative, they can be compromised as well. A lack of secure settings on the user’s part can lead to issues, but the app marketplaces themselves can be compromised.
A lot of people browse social media right before they fall asleep. Even meditation apps are not always safe. A trojanized version of Instagram managed to slip through the Play Store filters. Then, a praying app was found to mine cryptocurrency on Android phones, slowing them down.
In 2016, every 4.6 seconds a new malware variant appeared, a trend continued in 2017.
Before you call it a day, look around you! Count just how many devices you own that could be compromised by hackers.
Today’s cybersecurity landscape requires you stay vigilant. For example, a malicious hacker can enter your PC even if it was never connected to the Internet.
A group of researchers in Israel managed to steal data from air-gapped PCs, computers never online. How?
By using malware to extract data from the sound of the computer fan and the electromagnetic waves emitted by the CPU. Of course, the data obtained this way was minimal and regular users like you don’t have anything to fear.
Follow this basic action plan and you’re safe against the large majority of attacks directed to any device you own.
If you can also let your friends know about this advice, then that would be great.
- Follow the advice we just included in this article. Always secure settings for your devices by changing the default password. Do not connect too many devices to the same Wifi. Do not forget to secure your router with a strong password.
- Try Heimdal PRO. It’s a small but powerful program that adds another layer of protection to the antivirus. It guards your computer against malicious traffic, stopping infections before they take a hold of your system.
- If you’re already feeling good about your efforts and want to keep learning valuable information, we put together an amazing host of Cyber Security Education Resources.
- Want to skip step 3 because of reasons? We thought of that too, so we set-up The Daily Security Tip. Sign up and you get a security tip or resource every day, for a full year.