A voice command is all it takes to change the lighting, turn a device on or off, or open the front door. The Internet of Things (IoT) promises convenience, but devices that are permanently connected to the Internet require digital security.
“These are devices that are widely used, but we don’t worry about them very much. And they are the ones that cause the most security breaches,” says Daniel Damito, computer network expert at Sage Networks, which specializes in solutions against DDoS attacks, which try to ‘bring down’ a service by generating more traffic than the server can handle.
According to him, basic and already widespread procedures greatly reduce vulnerability. The first is to have secure passwords. “Never keep the factory default, like ‘admin,’ the password 1234,” he says.
Another recommendation is to use a password manager. “The password is not made to be remembered, there are managers that have the function of storing it in an encrypted and secure way so that you don’t have to remember it,” says Damito. He also recommends two-step authentication, which requires a password plus a second confirmation for access, such as an email or text message sent to a mobile phone.
Updates specified by the manufacturer are also essential so that the equipment is not vulnerable. “Devices have software or firmware, programs that perform their tasks, and when a manufacturer offers an update, the reason may be a security hole that has been found and fixed.”
Damito also explains that all these devices support a protocol called UPnP (Universal Plug and Play), which lets them connect to one another on a Wi-Fi network without manual configuration. One example is the feature that mirrors a mobile phone screen on the TV with one click.
This convenience does not always go together with security: an attacker can exploit holes to locate the router and connect using the protocol, gaining access to the network. It is recommended that you always configure connections individually.
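An added example, not part of the original article: UPnP devices announce themselves through SSDP, the protocol's discovery step, so the owner of a home network can list which devices answer and whether the router offers UPnP port mapping, the feature to switch off when configuring connections individually. The sample replies, addresses and device names below are constructed.

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast address and port
# Device/service types that let LAN devices ask the router to open ports
GATEWAY_MARKERS = ("InternetGatewayDevice", "WANIPConnection", "WANPPPConnection")
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')

def collect(timeout=3.0):
    """Send one search on your own network; return (ip, datagram) replies."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(MSEARCH, SSDP_GROUP)
        try:
            while True:
                data, (ip, _port) = sock.recvfrom(4096)
                replies.append((ip, data))
        except socket.timeout:
            return replies

def parse_reply(datagram):
    """Lower-cased headers of a 200 OK SSDP reply, or None if it is not one."""
    lines = datagram.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    pairs = (line.partition(":") for line in lines[1:])
    return {name.strip().lower(): value.strip() for name, sep, value in pairs if sep}

def audit(replies):
    """One finding per responding IP; port_mapping=True marks a UPnP gateway."""
    findings = {}
    for ip, data in replies:
        headers = parse_reply(data)
        if headers is not None:  # skip anything that is not a valid reply
            entry = findings.setdefault(
                ip, {"ip": ip, "server": headers.get("server", "unknown"), "port_mapping": False})
            if any(m in headers.get("st", "") for m in GATEWAY_MARKERS):
                entry["port_mapping"] = True
    return sorted(findings.values(), key=lambda f: f["ip"])
# Constructed sample replies (not captured from real devices): router, TV, junk
SAMPLE = [
    ("192.168.0.1", b"HTTP/1.1 200 OK\r\nSERVER: ExampleOS/1.0 UPnP/1.1 ExampleRouter/1.0\r\n"
                    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"),
    ("192.168.0.23", b"HTTP/1.1 200 OK\r\nSERVER: ExampleOS/1.0 UPnP/1.1 ExampleTV/1.0\r\n"
                     b"ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n\r\n"),
    ("192.168.0.40", b"\xff\xfenot an SSDP reply"),
]
if __name__ == "__main__":
    print(audit(SAMPLE))  # swap SAMPLE for collect() to audit your own network
```

A finding with `port_mapping` set to true means the router accepts UPnP port-mapping requests; that is the setting to disable in the router's administration page.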
According to Marcos Simplício, from the Laboratory of Architecture and Computer Networks, at USP (University of São Paulo), IoT devices have a lower computing capacity than mobile phones and computers. Therefore, it is technically more difficult for an attacker to get data directly from light bulbs, smart TVs, locks and more. However, there are risks. In the case of routers, you need to be more careful.
“It’s hard to steal data by hacking a wireless router, but it’s easy to redirect it elsewhere. You, for example, may think you’re going to your bank’s website, but you’re on a fake website and your data could be stolen,” he explains.
As of 2020, Anatel (National Telecommunications Agency) requires carriers to ensure that the default password is changed on routers they install on a loan basis.
In addition to leaving data exposed to theft in a type of attack known as “phishing” (using fake messages to obtain information such as bank passwords and user documents), neglecting to protect IoT devices can allow intruders to use your equipment for malicious purposes.
“An attacker can, for example, specialize in a certain model of smart light bulb, find a loophole, confirm that he can mine cryptocurrency and attack all light bulbs of that model in the world, creating a supercomputer with your energy, without you even suspecting it,” says João Marcos Moretti Pelissari, director of Plss Soluções em Ti, a company specialized in servers and network structures, based in Ponta Grossa, Paraná. This is possible because all connected devices have the ability to process data.
Therefore, keeping the default username and password is risky, as it will likely be the attacker’s first attempt. The target, therefore, is not only your home, but all users who have not changed the default password, according to the expert. These are so-called “brute-force attacks”, which make multiple attempts with likely usernames and passwords.
Experts pointed out that unprotected devices are also a medium used for Distributed Denial of Service (DDoS) attacks. Attackers use the processing power of these devices to overload and crash servers, leaving schools, hospitals and municipalities without Internet access and paralyzing services.
A hack can even allow remote access to the device. Pelissari warns that this creates the possibility of equipment being stolen, although this is something that is not well documented at the moment. A criminal can render the device inoperable or alter its functionality, for example by locking the air conditioner’s temperature and demanding a ransom to stop the attack.
For Yanis Stoyannis, President of the Security Committee at Abinco (Brazilian Association for the Internet of Things) and Director of Consumer Security for Latin America at Ericsson, manufacturers of IoT solutions need to take a stance on security and data protection from the conception of each project, an approach called “security and privacy by design”.
Although there is no mandatory application, according to her, the National Plan for the Internet of Things, which was created by the Ministry of Science, Technology and Innovation in 2019, encourages the “adoption of international security standards”.
For Rubens Rosado, Technical Advisor at Abiluma (Brazilian Association of Manufacturers and Importers of Lighting Products), security issues are related to unprotected Wi-Fi, not smart bulbs.
“If the network does not have good protection, such as an encryption system for the data circulating on it and a strong password for access, your data will be easily exposed,” he said.
Anatel stated that it has prepared a study “to define a minimum set of mandatory cybersecurity requirements for equipment certification” and that it will soon conduct a public consultation on the subject.
The role of the consumer
For Lucas Cabral, a researcher at ITS Rio (Instituto de Tecnologia e Sociedade), the user plays an important role in ensuring internet security.
“I realize there’s a lack of digital literacy, a bigger concern. People generally don’t have that digital awareness,” he says.
In addition to protecting against intruders, he warns that you must also pay attention to the authorizations you give for the use of your data, creating your own privacy settings. For this, it is important to observe what information each device captures.
“Once you have connected the smart bulb, go to the settings tab of the app, click on privacy and read what it saves [of information], what you can configure, what you can customize, what data they record.”
The LGPD (General Data Protection Act) guarantees the rights of users, and companies can only use the data that the user approves. However, Cabral points out that many people give authorizations without paying attention to the details.
How to keep your home from being hacked
In general, the same safety recommendations apply to all devices:
1) Give preference to equipment with a good reputation and certification
2) Use a strong password for each device and change it often
3) Perform privacy settings before turning on the device
4) Always install manufacturer-recommended updates
Understand how they work and learn about the main risks of “smart” equipment that connects the home to the Internet:
What it does: IoT devices are connected to the cloud, a set of online servers that process information. When a command is given by mobile phone or voice, it goes to the cloud, where it is processed, and only then returns to the device to perform the requested task, generating traffic and telemetry data that is permanently online.
What risk does it offer: the cloud owns the data of all devices. If it is attacked, the operation of all devices can be disrupted
What it does: receives and sends data from the device to the Internet
What risk does it offer: it is the most sensitive equipment on the home network. Information from all connected devices passes through it. If hacked, it gives access to everything connected to the network. Among the risks is the redirection of access to fraudulent websites
What it does: used to give commands to other connected devices
What risk does it offer: may expose private information without authorization. An example is allowing an intruder to hear what is going on in your home
What it does: allows you to open the door with a password, biometrics or voice command
What risk does it offer: it can be hacked and data captured. Lower quality equipment can be vulnerable to voice simulators that allow criminals to open it
What it does: Provides an internet connection to watch streams, use search engines, games, music and other IoT devices
What risk does it offer: may expose personal information. TVs with camera and microphone can be started remotely
What it does: enables remote activation, change of brightness intensity, change of tonality. Some models have a built-in camera and enable “Li-Fi” data transfer
What risk does it offer: it can be used to launch attacks on servers and even mine cryptocurrencies. If attacked, they can be activated remotely and, in the case of models with a camera, display captured images
What it does: they work with DVR (Digital Video Recorder) and NVR (Network Video Recorder), connected equipment that manages camera surveillance systems
What risk does it offer: the main risk is privacy. Poorly protected equipment can be attacked and allow access to images. It can also be disabled remotely
What it does: enable remote control of devices
What risk does it offer: may enable remote activation and damage equipment
Washing machine / Air conditioner / Vacuum cleaner / Refrigerator
What it does: these are traditional ‘white goods’ appliances that, in the most advanced versions, can connect to the Internet
What risk does it offer: they can be triggered improperly by an attacker, who can crash them, disable them, or use them in attacks on the home network