A cybersecurity researcher shares shocking findings exclusively with mid-day to expose how your fancy Internet-connected domestic devices are putting you at huge risk
Internet connected doorbell. Pics/Getty Images; (right) Smart home device
It can show you who’s at the door, let out an alarm in case of an intrusion and give you a log of all the visitors who came by. It can also be hacked and become a critical tool in a cyberattack.
ADVERTISEMENT
In January this year, Ayyappan Rajesh, a student of computer engineering at UMass, Dartmouth, decided to mess around with his neighbour. Rajesh, who was home on a short holiday, saw that the neighbour had installed an Internet-connected smart doorbell. The 22-year-old was curious if he could hack it.
“My fellow researcher and I wanted to test its security. We ran a simple scan on the device, and to our shock, it had an application known as Telnet, which was first produced in 1983 and not protected by a password. After discovering this, it was extremely easy for us to connect to it,” says Rajesh, who submitted a report with research data that emerged from this episode to the Indian government the same month.
Ayyappan Rajesh decided to mess with his neighbour’s new internet connected doorbell as a prank and ended up exposing a serious flaw in the technology
His findings were officially recognised in the form of a vulnerability advisory this month, published by the Indian Computer Emergency Response Team (CERT-In) on its website. It has also been assigned a Common Vulnerabilities and Exploits (CVE) number, which is the global cybersecurity community’s way of confirming a vulnerability.
“The vulnerability allowed any user on the same Wi-Fi network to remotely connect and run commands on the device. If exploited, the vulnerability would give hackers access to all the information stored in the device,” Rajesh tells mid-day over a telephone call.
For a product like a smart doorbell, this information would include the live stream captured by the camera; the visitors’ log; Wi-FI router and any other devices connected to the doorbell, like the owner’s computer and mobile phone, for instance. A smart doorbell, like most Internet-connected devices, will contain data pertaining to the current network and its owner. The neighbour’s had stored user email addresses and passwords, all useful to gain access to other systems connected to it. Explaining the larger picture, Rajesh says that a vulnerability such as this can equip a hacker to execute a malicious code and turn the device into a cog in the wheel of a botnet, to be used for anything ranging from mining cryptocurrencies to launching DDoS attacks.
Internet connected refrigerator
A DDoS or Distributed Denial of Service attack is one where a single server is bombarded with millions of pings per second. Any interaction with a server, like opening a website, is a ping. Servers have a limited capacity to handle pings per second and an overload can cause them to crash, denying service to their users. This is done by putting together a network of crores of hacked devices, called a botnet, and using these devices to send pings simultaneously.
While botnets earlier were made only of hacked computers and mobile phones, with the advent of IoT doorbells, refrigerators, speakers, vacuum cleaners and smart home devices, the scope for botnets has increased a thousand-fold. According to Kaspersky’s DDoS report for the third quarter of 2022, the longest DDoS attack recorded during this period lasted for a dizzying 18 days and 19 hours. In simpler words, malicious hackers have botnets that can enable them to make a server stay consistently crashed for nearly three weeks nonstop. For this same time, Kaspersky also observed that Indian devices ranked third in terms of the number of bots used to execute DDoS attacks.
The targets, too, have changed. While earlier, DDoS attacks were aimed at entities, corporations or government services, hackers are now going after the domains that host these servers, taking down scores of services in one fell swoop. Rajesh cites the example of Mirai, one of the largest botnets in cybersecurity history. “The Mirai botnet orchestrated a series of DDoS attacks, targeting the domain name system provider Dyn. As a result, numerous popular internet platforms and services became inaccessible to scores of users in Europe and North America,” he says.
And if you thought the vulnerabilities were only limited to a single type of smart doorbell, Rajesh has more bad news. His discovery with the doorbell sent him on a quest to assess the security of other IoT devices. He found that most use a protocol known as MQTT. While researching how many devices with MQTT were exposed to the Internet in India, he came across two instances where two sensitive MQTT servers were left open with no password nor encryption.
“The first was an app-based taxi service that operates in Delhi, Bengaluru and Goa. It exposed names, phone numbers and locations of all their customers, along with detailed location logs of the vehicles. The second was a company in Maharashtra that sells devices used in smart electric scooters. The scooters are fitted with an app and also have a remote kill feature. The devices were vulnerable to hostile takeover and control. Along with this issue, the server had live information of all the vehicles connected to it, and live GPS coordinates for each vehicle, along with its speed and other information, which I was able to alter. I changed the location of one of the scooters to that of my University,” Rajesh claims.
Subscribe today by clicking the link and stay updated with the latest news!" Click here!
