It’s hard to visit a tech website or read a cyber-security trends report without hearing warnings about the risks associated with Internet of Things (IoT) devices. Security researchers have been screaming from the rooftops for a few years now, warning us that our smart thermostats, refrigerators, baby monitors and garage door openers can be exploited by threat actors. These warnings have become so prevalent and so widely received that many of these IoT devices have the reputation of being unsecure or otherwise risky.
Scammers understand this and are starting to prey on our collective distrust of these devices. Last week, several tech websites posted articles about Google Nest owners being targeted in a new sextortion campaign. Sadly, sextortion is not a Tinder date with a contortionist that went remarkably well. It is far less cool than that. Sextortion is a blackmail technique that involves the claim that someone has obtained an explicit video or photos of the victim and threatens to share it unless money is paid.
A common storyline used in these attacks is that the victim’s webcam has been hacked and the scammers have video of the victim viewing pornography or footage of other bedroom activity. The threat actors almost never have any of the footage they say they have, and the webcams usually are not compromised, but victims often pay the blackmail out of fear of publicly embarrassing themselves or their family.
Researchers at cybersecurity company Mimecast have uncovered a new campaign that started earlier this month and has already targeted almost 2,000 Google Nest users, most of whom were in the United States. This new campaign differs from typical sextortion attacks in that the initial email does not include a link to a bitcoin wallet for the victim to send the ransom to, but rather only claims to have the footage/photos without any mention of demands.
The initial message contains a password for logging into an external email account which contains an email with a link to a site that features genuine footage downloaded from the Google Nest website. This footage isn’t taken from the victim’s device. Once there, victims are directed to another email inbox, where they are told the footage will be posted within a week, unless the scammers are paid around $550 in Bitcoin or gift cards for Amazon, iTunes, Best Buy or Target.
Mimecast’s head of data science overwatch, Kiri Addison, told Computer Weekly that by creating multiple steps, the scammers are “trying to make it harder for people to detect what’s happening”.
As is the case with almost all sextortion campaigns, the hackers conducting these new attacks don’t have the claimed footage of victims. While the security concerns associated with IoT devices are legitimate, Google Nest users can rest assured that this particular campaign is just another scam and these emails should simply be ignored.
Securing IoT Devices
The companies that develop these IoT devices are too often in such a hurry to bring the product to market that they neglect to sufficiently protect the device from potential exploitation by hackers and other threat actors.
In order to reduce your vulnerability, CSO Online provides several tips for securing your smart devices:
- Don’t connect your devices unless you need to
The first step is to consider what functionality you need from the device. Just because your TV or fridge can connect to the internet, doesn’t mean you definitely want to hook it up. Take a good look at the features it offers and learn exactly what internet connectivity brings before you connect.
- Create a separate network
Many Wi-Fi routers support guest networking so that visitors can connect to your network without gaining access to shared files or networked devices. This kind of separation also works well for IoT devices that have questionable security.
- Pick good passwords and a different password for every device
It’s very important to pick strong passwords, but you must also make sure that you pick a different password for every device. If a hacker manages to get one of your passwords, they will typically try it with other services and devices. Reusing passwords is not a good idea. Use a password manager to keep track of all your passwords.
- Turn off Universal Plug and Play (UPnP)
Sadly, UPnP can make routers, printers, cameras and other devices vulnerable to attack. It’s designed to make it easier to network devices without configuration by helping them automatically discover each other. The problem is that hackers can also potentially discover them from beyond your local network because of vulnerabilities in the UPnP protocol. It is best to turn UPnP off completely.
- Make sure you have the latest firmware
If you want to make sure you have the latest security patches and reduce the chances of a successful attack, then you need to keep your firmware fully updated. Vulnerabilities and exploits will be fixed as they emerge, so your IoT devices and your router need to be regularly updated. Automate this wherever possible or set a schedule to check for updates every three months or so.
- Be wary of cloud services
- Keep personal devices out of the workplace
Don’t take your personal IoT devices to work. There are lots of potential security concerns for wearables. Every enterprise should have a clear BYOD policy, and it’s often a good idea to prohibit personal IoT devices from connecting to the network, or at least limit them to a guest network.
- Track and assess devices
Businesses need to track everything connected to the network and monitor the flow of traffic. Devices need to be assessed to determine the level of access they should have, to keep them fully patched and up to date, and to protect data end-to-end to preserve its integrity. Unknown devices should flag an alert. Understanding which devices are connected and what they’re doing is a prerequisite for proper security.
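As an added example of the last two tips working together (a separate network for IoT devices, and alerting on unknown devices), the following script audits a DHCP lease table against a known-device inventory. It is not from the article or CSO Online; the lease lines are constructed in dnsmasq's format, and the network ranges and inventory are assumptions.

```python
# Added example (not from the article or CSO Online): audit a DHCP lease
# table against a device inventory. Lease lines are constructed in dnsmasq's
# format (expiry MAC IP hostname client-id); networks and inventory are assumed.
import ipaddress

# Assumed layout: trusted LAN plus a separate guest/IoT network.
NETWORKS = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "iot": ipaddress.ip_network("192.168.50.0/24"),
}

# Assumed inventory: MAC -> (label, network the device belongs on).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("laptop", "lan"),
    "aa:bb:cc:00:00:02": ("smart-thermostat", "iot"),
    "aa:bb:cc:00:00:03": ("doorbell-camera", "iot"),
}

# Constructed sample leases (not real devices).
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.1.20 laptop 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 192.168.50.10 thermostat *
1700000000 aa:bb:cc:00:00:03 192.168.1.31 doorbell *
1700000000 de:ad:be:ef:00:99 192.168.1.77 * *
"""

def network_of(ip):
    """Name the configured network an address falls in, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "unknown"

def audit_leases(lease_text):
    """Return one alert per lease that is unknown or on the wrong network."""
    alerts = []
    for line in lease_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the audit
        mac, ip, hostname = fields[1].lower(), fields[2], fields[3]
        seen_on = network_of(ip)
        if mac not in INVENTORY:
            alerts.append(f"UNKNOWN {mac} ({hostname}) on {seen_on} at {ip}")
            continue
        label, allowed = INVENTORY[mac]
        if seen_on != allowed:
            alerts.append(f"MISPLACED {label} {mac} on {seen_on}, expected {allowed}")
    return alerts
```

Run against a real lease file (for dnsmasq, typically /var/lib/misc/dnsmasq.leases) the same function reports both devices nobody inventoried and IoT devices that have wandered onto the trusted LAN.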