A voice command is all it takes to change the lighting, turn an appliance on or off, or open the door of the house. The internet of things (IoT) guarantees practicality, but these devices, permanently connected to the internet, require care with digital security.
“These are devices that are widely used, but we don’t care much about them. And these are precisely the ones that cause the most security breaches”, says Daniel Damito, a computer network specialist at Sage Networks, a company specialized in offering solutions against DDoS attacks, which attempt to ‘take down’ a service by creating more traffic than the server can handle.
According to him, basic and already widely disseminated procedures greatly reduce vulnerability. The first is having secure passwords. “Never keep the factory default, like ‘admin’, password 1234,” he says.
Another recommendation is to use a password manager. “The password is not made to be remembered, there are managers that have the function of saving it in an encrypted and secure way so you don’t have to remember it”, says Damito. He also recommends two-step authentication, which asks for the password and another confirmation for access, such as a code sent by email or by message to the cell phone.
Installing the updates indicated by the manufacturer is also essential so that the equipment is not vulnerable. “Devices have software or firmware, programs that perform their tasks, and when the manufacturer offers an update, the reason could be a security hole that was found and fixed.”
Damito also explains that all these devices have a protocol called UPnP (universal plug and play), which allows the connection between them in a Wi-Fi network without the need for manual configuration. An example is the functionality that mirrors the mobile screen on the TV in one click.
This practicality does not always go together with security, since an attacker can identify holes to locate the router and connect using the protocol, gaining access to the network. The recommendation is to always configure connections individually.
According to Marcos Simplício, from the Laboratory of Architecture and Computer Networks, at USP (University of São Paulo), IoT devices have less computing capacity than cell phones and computers. So it is technically more difficult for an attacker to obtain data directly from light bulbs, smart TVs, locks, and more. Still, there are risks. In the case of routers, you need to be more careful.
“It’s hard to steal data by hacking a wireless router, but it’s easy to redirect it somewhere else. You, for example, might think you’re going to your bank’s website, but you’re on a fake website and your data could be stolen”, he explains.
Since 2020, Anatel (National Telecommunications Agency) has determined that operators must require the default password of routers to be changed when they are installed on a lending basis.
In addition to leaving data exposed to theft in the type of attack known as “phishing” (using fake messages to obtain information such as bank passwords and documents from users), neglecting to protect IoT devices can allow your equipment to be used maliciously by attackers.
“An attacker can, for example, specialize in a certain model of smart light bulb, find a loophole, verify that he can mine cryptocurrency and attack all the light bulbs of that model in the world, creating a supercomputer with your energy without you even suspecting it”, says João Marcos Moretti Pelissari, director of Plss Soluções em Ti, a company specialized in servers and network structures, headquartered in Ponta Grossa, Paraná. This is possible because all connected devices have data processing capability.
So keeping the default username and password is risky, as this will probably be the attacker’s first attempt. The target, therefore, is not just your home specifically, but all users who have not changed their default password, according to the expert. These are the so-called “brute force attacks”, with multiple attempts at likely usernames and passwords.
Experts pointed out that unsecured IoT devices are also a medium used for distributed denial-of-service (DDoS) attacks. Attackers use the processing power of these devices to overload and bring down servers, leaving schools, hospitals and municipalities without internet access and paralyzing services.
Hacking an IoT device also allows remote access to it. Pelissari warns that this creates the possibility of hijacking the equipment, although it is something that is currently not very well recorded. The criminal can make the device unusable or change how it works, for example locking the air conditioning temperature and demanding a ransom to stop the attack.
For the chairman of the Security Committee at Abinc (Brazilian Association of Internet of Things) and consumer security director for Latin America at Ericsson, Yanis Stoyannis, it is necessary for IoT solution manufacturers to adopt a security and data protection posture from the conception of each project, called “security and privacy by design”.
Although its application is not mandatory, according to her, the National Plan for the Internet of Things, prepared by the Ministry of Science, Technology and Innovations in 2019, encourages “the adoption of international security standards”.
For Rubens Rosado, technical advisor at Abilumi (Brazilian Association of Manufacturers and Importers of Lighting Products), security problems are related to the unprotected Wi-Fi network, not to smart light bulbs.
“If the network does not have good protection, such as an encryption system for the data that circulates through it and a strong password to access it, your information will be easily exposed,” he said.
Anatel stated that it has prepared a study “to define a minimum set of mandatory cybersecurity requirements for equipment certification” and that it will soon carry out a public consultation on the subject.
For the researcher at ITS Rio (Instituto de Tecnologia e Sociedade) Lucas Cabral, the user plays an important role in ensuring internet security.
“I realize that digital literacy is lacking, greater care. People in general do not have this digital awareness”, he says.
For him, digital literacy involves understanding the privacy policies of equipment before using them and learning security mechanisms to prevent intrusions, such as choosing strong passwords, using double authentication and updating devices.
In addition to protecting against intruders, he warns that you also need to be aware of data usage authorizations, creating your own privacy setting. For this, it is essential to observe what information each device captures.
“Once a smart light bulb is connected, go to the app’s settings tab, click on privacy and read what it’s saving [of information], what you can configure, what you can customize, what data they are capturing.”
The LGPD (General Data Protection Law) guarantees rights to the user, and companies can only use the information the user has authorized. However, Cabral recalls that many users give authorizations without paying attention to details.
How to keep your home hack-free
In general, the same safety recommendations apply to all devices:
1) Prefer equipment with a good reputation and certification
2) Use a strong password for each device and change it frequently
3) Perform privacy settings before turning on the device
4) Always do the updates recommended by the manufacturer
Understand how they work and learn about the main risks of “smart” equipment, which connects the home to the internet:
What it does: IoT devices are connected to the cloud, that is, online servers that process information. When a command is given by cell phone or voice, it goes to the cloud where it is processed and only then returns to the device to perform the requested task, generating traffic and telemetry data that are permanently online.
What risk does it offer: The cloud owns the data of all devices. If invaded, it can impair the functioning of all appliances
What it does: receives and sends data from devices to the internet
What risk does it offer: it is the most sensitive equipment on a home network. The information of all connected devices passes through it. If hacked, it gives access to everything connected to the network. Among the risks is redirecting access to fake websites
What it does: used to give commands to other connected devices
What risk does it offer: can expose private data without authorization. An example is allowing the intruder to hear what is happening in your home
What it does: allows door opening with password, biometrics or voice command
What risk does it offer: can be hacked and have data captured. Lower quality equipment may be vulnerable to voice simulators that allow a criminal to open it
What it does: Enables an internet connection to watch streams, use search engines, games, music, and other IoT devices
What risk does it offer: may expose personal data. TVs with camera and microphone can be triggered remotely
What it does: allows remote activation, change in brightness intensity, change of tonality. Some models have a built-in camera and allow “Li-Fi” data transmission
What risk does it offer: can be used to order attacks against servers and even mine cryptocurrencies. If invaded, they can be triggered remotely and, in the case of models with a camera, expose the captured images
What it does: they work with DVR (Digital Video Recorder) and NVR (Network Video Recorder), connected equipment that operate camera monitoring systems
What risk does it offer: the main risk is to privacy. Poorly protected equipment can be invaded and allow access to images. Can also be disabled remotely
What it does: allow you to control appliances remotely
What risk does it offer: may allow remote activation and cause damage to equipment
Washing machine / Air conditioning / Vacuum cleaner / Refrigerator
What it does: these are the traditional ‘white line’ appliances that, in the most advanced versions, allow connection to the Internet
What risk does it offer: an attacker can trigger them improperly, crash them, shut them down and employ them in attacks on the home network