The Smart Hijack – Unimaginable Threats from Smart Devices
Smart features in televisions, refrigerators, microwaves, and ovens have become increasingly common in recent years. Modern capabilities such as built-in smart features and Bluetooth-enabled cooking command systems enhance traditional living and conveniently solve everyday problems. Smartphones, tablets, smart bands, smart vehicles, smart doorbells, and every other device connected to the internet assist users in their daily activities. Researchers project that the IoT (Internet of Things) or smart home device market will grow from $55 billion in 2016 to $174 billion by 2025.
There is no doubt that Artificial Intelligence and IoT-enabled smart devices bring many advantages. Technical advancements in facial recognition, voice recognition, and automatic content recognition are adding new dynamics to entertainment, household, and lifestyle. However, smart devices are vulnerable to a plethora of cyber security threats, some of them alarming.
These devices are a gold mine of sensitive personal information; cyber criminals can target them to exploit the user. Attackers can take advantage of the arguments happening in your house by listening to your conversations through your smart TV or an Amazon Echo/Google Home speaker. They can uncover your weaknesses and debts and use that information to lure you into shady deals, or impersonate a loan executive claiming to be from your bank.
Alternatively, they could steal confidential information such as your full name, credit and debit card details, date of birth, and location. The stolen data can be used to take out loans in your name or to penetrate your home computer network and disrupt it.
Imagine a situation where an attacker gains access to your smart oven, changes the temperature of what is cooking, or uses the device to reach your internet connection and infect other devices on the network. What about the possibility of theft or hijack of your smart car while you are driving? Your life could be endangered: someone could listen to you while you drive, track your movements with GPS, or even take control of the steering wheel and navigate wherever they like (Haim Wismonsky and Yuval Shany, 2019).
Internet-connected devices collect all forms of personal data from you. Smart TVs have automatic content recognition technology that gathers information about your viewing patterns and suggests movies or series based on your preferences. There may be built-in cameras and microphones that are watching and listening to you, through which hackers can intrude into your personal life and take control. Malware, spyware, and ransomware, once installed, can track all user activity.
Digital assistants like Alexa and Siri can be used to listen to conversations. Working from home has increased the risk of confidential information being leaked during virtual meetings. The mobile phone tracks your steps; the Fitbit knows your sleep cycle and jogging schedule. City landscapes are evolving with smart buildings, smart roads, smart traffic lights, and much more (Sahay, 2020).
Pegasus – The Spyware
Israel's NSO Group built a spyware tool called Pegasus that can compromise all major smartphone platforms (iOS, Android, or BlackBerry). Covert installation of the tool on the target's smart device gives the attacker complete access. It can track real-time user activity across major platforms. Other data such as contact details, SMS, emails, and call logs (including recordings), as well as messages from communication apps like WhatsApp, Viber, Telegram, WeChat, and Skype, can be extracted. Furthermore, it gains access to browser history and instant messengers like Facebook. Pegasus can also use the device camera (rear and front) to capture you and your surroundings surreptitiously, without any indication or flash.
In a recent massive data leak, Pegasus was found to have been used to target journalists, political leaders, and activists worldwide (Willsher, 2021). 50,000 phone numbers of potential surveillance targets were identified, and at least 180 journalists were selected in 20 countries, including India, between 2016 and 2021 (Amnesty International, 2021). The spyware was used as a weapon by repressive governments in an attempt to silence activists and leaders. While the makers of Pegasus claim that the tool is provided only to governments for legitimate activities such as fighting terrorism and crime, the bigger picture is one of human rights violations.
Similarly, there are hidden spyware apps that can be installed on smartphones at low cost. Some of them offer keyloggers that record every key a user presses, including usernames and passwords. Below are examples of available spyware applications that work on both Android and iOS.
- XN Spy: 620 INR ($8.33, basic) or 929 INR ($12.49, premium)
- Qustodio: 4089 INR/yearly ($55/yearly) for up to 5 devices
- FlexiSpy: 25948 INR ($348.99)
Cyberattacks that created history
The misuse and potential threats of IoT-related cyberattacks are limitless. Unauthorised access to smart healthcare devices in hospitals could manipulate settings or even kill patients. For example, the WannaCry cyber-attack on 80 National Health Service organisations (NHS, 2017) in the UK became a matter of emergency and public concern (Comptroller and Auditor General, 2018; Verizon, 2020).
The ransomware incident lasted a week, and some organisations faced issues with diagnostic services (MRI, CT scan). Access to test results was suspended and thousands of patient appointments were cancelled. It disrupted at least one-third of hospitals in the UK (80 out of 246 NHS trusts were affected), of which 34 trusts were locked out of their devices. Furthermore, 603 primary care organisations and 8% of General Practitioner clinics were infected with WannaCry. Overall, the NHS incurred a £700,000 loss from this single cyber incident.
In another cyber-attack, software called Mirai was used to create a malicious botnet. A botnet is a large number of connected devices controlled centrally to carry out attacks. The attacker only needs to log in to a device with known credentials: the targeted devices all run a Telnet server, and if the login succeeds the bot is installed. The first and largest Mirai Distributed Denial-of-Service (DDoS) attack was on krebsonsecurity.com (2016). Once the botnet was established, the risk of further botnets being generated became a serious challenge. Mirai can exploit numerous IoT devices that use default usernames and passwords such as admin/admin or admin/password; such devices are easily compromised.
Mirai affected tens of millions of IoT devices in an attack on Dyn (a Domain Name Services company). Dyn reported severe outages of some of the world's most trafficked websites, such as Twitter, Spotify, Reddit, and CNN (Dyn, 2016; Kennedy, 2016). The attack severely disrupted these organisations' communications and halted services, impacting users worldwide.
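As an added example (not from the article), the following Python sketches how a defender might spot the two halves of the Mirai pattern described above in Telnet authentication records: successful logins with factory-default credentials, and a single source fanning out across many devices. The log format, field names, and most credential pairs are constructed for this example; only admin/admin and admin/password come from the text.

```python
# Added example: detection logic for the Mirai-style spreading pattern
# (Telnet logins with factory-default credentials, one source probing
# many devices). The records below are constructed honeypot-style Telnet
# auth events: a normal Telnet daemon does not log the password, a
# honeypot does, so the field layout here is an assumption.
from collections import defaultdict

# admin/admin and admin/password come from the article; the other pairs
# are constructed stand-ins for a manufacturer default-credential list.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"),
                 ("root", "root"), ("user", "user")}

# Constructed log, one record per line: "ts src_ip dst_ip user password result"
TELNET_LOG = """\
1476700001 203.0.113.7 10.0.0.11 admin admin OK
1476700002 203.0.113.7 10.0.0.12 root changeme1 FAIL
1476700003 203.0.113.7 10.0.0.13 admin password OK
1476700004 203.0.113.7 10.0.0.14 root root FAIL
1476700005 198.51.100.9 10.0.0.11 operator Str0ng!Pass OK
1476700006 203.0.113.7 10.0.0.15 admin admin FAIL
"""

def parse_log(text):
    """Split whitespace-separated records into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, user, pw, result = parts
        events.append({"ts": int(ts), "src": src, "dst": dst,
                       "user": user, "pw": pw, "ok": result == "OK"})
    return events

def default_cred_compromises(events):
    """Devices where a login SUCCEEDED with a known default pair."""
    return sorted({e["dst"] for e in events
                   if e["ok"] and (e["user"], e["pw"]) in DEFAULT_CREDS})

def scanning_sources(events, min_targets=3):
    """Sources that attempted logins against >= min_targets distinct
    devices: the fan-out of a bot scanning for new victims."""
    targets = defaultdict(set)
    for e in events:
        targets[e["src"]].add(e["dst"])
    return sorted(src for src, d in targets.items() if len(d) >= min_targets)

if __name__ == "__main__":
    ev = parse_log(TELNET_LOG)
    print("compromised via default creds:", default_cred_compromises(ev))
    print("scanning sources:", scanning_sources(ev))
```

In the constructed data, two devices accept a default pair and one source touches five devices; a failed default-credential attempt is ignored by the first check but still counts toward the fan-out check.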
Reports suggest that China is aggressively investing in emerging IoT technology and has been gaining access to internet-connected electronic devices for intelligence gathering and sabotage (military and political purposes). The majority of IoT devices in India are imported from China, Taiwan, and South Korea, posing a serious threat to national security (Gertz, 2018).
As more and more devices connect to the internet, user data is becoming the target for measuring and analysing preferences to optimise user experiences. Applications that record and extract user data raise a myriad of questions related to user privacy and human rights. What data is being stored? Where is it stored? Is it being sold to a third party? How can one control the amount of data going out to service providers?
The Information Technology Act, 2000 is designed to cover various types of cybercrimes, most of which are bailable offences. India does not have statutory elaborations on cyber security breaches or provisions to deal with data protection (Singh, 2017). Cybercrimes are volatile in nature; laws must flexibly accommodate the ever-changing nature of such events. With innumerable smart devices able to communicate with each other, the risk of security breaches is higher than for any traditional crime (Gaur, 2020; Sarin, 2018). In such circumstances, finalising the Data Protection Bill is essential (Indus Law, 2018; Palak Agrawal, 2020; Suneeth Katarki, Namita Viswanath and Ivana Chatterjee, 2018).
In 2015, the Government of India formulated a draft IoT policy (Department of Electronics & Information Technology (DeitY), 2015) and launched the Smart City project, allocating INR 7000 crores to develop 100 cities in the country (Sahay, 2020). The draft policy fails to address privacy and storage issues. Strict guidelines and regulations that prohibit sharing information with third parties must be enforced. For example, data collected by smart bands could be used by health insurance companies to assess the fitness and health conditions of the user.
Data storage is another aspect that needs scrutiny: data is quite often stored in the cloud, and cloud infrastructure is at an infancy stage in India (Sahay, 2020). The lack of infrastructure that can support IoT devices and inadequate internet bandwidth are among the major concerns in the country.
The 2015 draft provides a structure for creating effective guidelines and implementing government policies that concern IoT devices. IoT device manufacturers and designers must be regulated through standardised policies (SOPs) that address cyber security at the endpoints.
Other key IoT initiatives taken by the Government of India are (Kumari, 2020):
- IoT Centre of Excellence (CoE) by NASSCOM, MeitY and ERNET: helps startups create deep technological innovations and market-leading products.
- National Digital Communications Policy (NDCP, 2018): addresses problems related to communications and access to digital services.
- IoT lab by IIT Delhi and Samsung, 2016: enhances research capabilities and professional collaboration in the IoT space.
Internet-connected devices are a part of our day-to-day lives. Several sectors, such as entertainment, transportation, e-commerce, manufacturing, agriculture, and healthcare, depend heavily on data from sensors and from smart devices. Interconnectivity obviously brings substantial benefits to mankind; however, policies and laws that govern and restrict access to data are essential. It is vital that private and confidential information remains protected within the invisible walls of the internet.
The IoT industry is set to grow exponentially, and so will user dependency on smart intelligent systems. The privacy and security of smart devices need to be addressed, and data privacy, sharing, and protection measures need to be regulated (Sahay, 2020). Development of competitive anti-virus and anti-malware software with a forward-looking approach can be a small part of the bigger solution. Manufacturers must abide by standard guidelines and provide regular security patch updates to ensure vulnerabilities are fixed. A special act for IoT must be established to address liability and data ownership issues. Guidelines and SOPs must incorporate relevant clauses for users of particular services (apps) or platforms on the internet. Europe and Singapore have recently released standards for IoT security that can be referred to (Cyber Security Agency of Singapore, 2021; ENISA, 2020).