FBI in Internet of Things Cybersecurity Warning

The Federal Bureau of Investigation (FBI) has been forced to issue a public service announcement warning US citizens and businesses of the cybersecurity dangers of the internet of things (IoT).

The Feds argued that a combination of “deficient security capabilities” inside the devices themselves, a lack of consumer awareness, and difficulties with patching could all be exploited by cyber-criminals.

As well as remotely attacking other systems, sending out malicious emails and stealing personal information, IoT devices could be hijacked to cause physical harm, the Bureau added.

It highlighted exploitation of the Universal Plug and Play protocol (UPnP) in order to gain access to said devices:

“The UPnP describes the process when a device remotely connects and communicates on a network automatically without authentication. UPnP is designed to self-configure when attached to an IP address, making it vulnerable to exploitation. Cyber actors can change the configuration, and run commands on the devices, potentially enabling the devices to harvest sensitive information or conduct attacks against homes and businesses, or engage in digital eavesdropping.”

Hackers could also exploit default passwords to spam out malicious emails; steal personal and financial information; interfere with business transactions; or DoS IoT devices, the FBI warned.

Generic examples of IoT-based attacks include hacking CCTV cameras to display live feeds; obtaining admin privileges to access or monitor home and business networks; accessing healthcare information and hacking medical devices; and attacking business-critical devices like petrol pumps.

The Feds’ advice for locking down risk in this area includes isolating IoT devices on their own protected networks; disabling UPnP on routers; updating devices with the latest patches; and changing default passwords to strong credentials.

The FBI also advised users to follow industry best practices when connecting to Wi-Fi and to only purchase IoT kit from “manufacturers with a track record of providing secure devices.”
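After disabling UPnP on the router, as the advice above recommends, one way to confirm the change from a machine on the same network is to send a single SSDP discovery query and see what still answers. This is an added example, not part of the FBI announcement or the article; the sample replies, addresses and product names in it are constructed.

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast group and port
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
# Device/service types that mean a router still offers UPnP port mapping.
GATEWAY_MARKERS = ("InternetGatewayDevice", "WANIPConnection", "WANPPPConnection")

# Constructed sample replies (documentation addresses, made-up product names).
SAMPLE = [
    ("192.0.2.1", b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
                  b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                  b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleRouter/1.0\r\n"
                  b"LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n\r\n"),
    ("192.0.2.50", b"HTTP/1.1 200 OK\r\nST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
                   b"SERVER: ExampleTV/2.0 UPnP/1.0\r\n\r\n"),
]

def parse_ssdp(datagram):
    """Parse one SSDP datagram into {'status': ..., lower-cased header: value}."""
    lines = datagram.decode("utf-8", "replace").split("\r\n")
    headers = {"status": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def summarize(replies):
    """Group 200 OK replies by responder IP and flag gateway (port-mapping) devices."""
    report = {}
    for ip, datagram in replies:
        h = parse_ssdp(datagram)
        if not h["status"].startswith("HTTP/1.1 200"):
            continue  # ignore anything that is not a search response
        entry = report.setdefault(ip, {"server": h.get("server", ""), "types": set(), "gateway": False})
        entry["types"].add(h.get("st", ""))
        entry["gateway"] = entry["gateway"] or any(m in h.get("st", "") for m in GATEWAY_MARKERS)
    return report

def discover(timeout=3.0):
    """Send one M-SEARCH on the local segment (TTL 1) and collect (ip, datagram) replies."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
        s.sendto(MSEARCH, SSDP_GROUP)
        try:
            while True:
                data, (ip, _port) = s.recvfrom(65507)
                replies.append((ip, data))
        except socket.timeout:
            return replies

if __name__ == "__main__":
    for ip, info in summarize(discover()).items():
        print(ip, "GATEWAY still exposes UPnP" if info["gateway"] else "UPnP device", info["server"])
```

An empty result after the router change means nothing on that segment answered SSDP; a line marked GATEWAY means the router setting did not take effect.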
