November 11, 2020
What's the issue?
A hacking group is selling access to more than 50,000 hacked home security cameras with additional access to some free footage posted online. The victims are from Singapore, Thailand, South Korea and Canada, and appear to be in various rooms of the home including bedrooms and bathrooms. More than 3 TB (one terabyte (TB) equals 1,000 gigabytes (GB)) of clips have been shared, and there are a number of subscribers who pay for lifetime access. Unfortunately, it’s a story that continues to be more common in today’s world of Internet-connected devices, called IoT, or the Internet of Things.
This incident was first announced in mid-October but has received limited mainstream media attention in Canada. We thought it important to bring it to your attention as this type of breach can have significant personal and professional consequences. While the devastating personal consequences from the impact of a breach of a home device like this are obvious, with so many professionals now working from home the additional privacy and business data risk implications are also significant. Breaching a device connected to the same Wi-Fi network you work on can be a security risk for business information.
While in some previous breaches of a large number of similar or same-brand IoT devices a specific security weakness could be identified, there has been no correlation of evidence so far to determine how the breach of such a large number of devices occurred. Poor user security practices for Internet-connected devices could be at fault, or it may be an unpatched device weakness.
Connected cameras are only the beginning of cyber vulnerabilities. In fact, billions of devices, including smart TVs, smart lights, IP water control systems, smart meters, voice controllers and more are often largely unmanaged and increase risk. Many connected devices have low IT security control and weak encryption capabilities leaving devices vulnerable to potential threats.
Cybersecurity threats ravage individuals and businesses small and large around the globe, bringing with them severe consequences. The FBI IC3 cyber incident reporting center has reported a 300% increase in reported attacks since the COVID-19 pandemic began.
According to a survey in the first quarter, 21% of Canadian companies reported facing cybersecurity incidents over the previous year. StatsCan mentioned that despite the prevalence of cyber crime, most businesses aren’t reporting these incidents.
What should I do?
All connected devices are vulnerable if not correctly secured. We urge you to take action in securing these devices that could put you, your family, or your company at risk.
- Always Change Default Passwords
Device cyber attacks are most often attributed to poor password management. First, change the default password immediately on installation. Next, avoid using simple passwords. Ensure they are at least 14 characters in length. Finally, when offered, use two-factor or multi-factor authentication (2FA or MFA), when offered, for an extra layer of security. 2FA or MFA is adding an additional security step, like a confirming text or email for the change of settings or access to the device or its cloud services.
- Keep Devices Patched and Up to Date
Software updates are important because they often include critical patches to security holes. Yet, we often do not install patches as soon as they are released. As a result, hackers are able to exploit weaknesses in devices by identifying through their connection to the Internet their brand and model, and if they have not been kept up to date.
- Have a Buying Process to Ensure Any Connected Device Is or Can Be Secured
Gravitate to trusted brands with good security track records and capability. Make security a buying consideration. Ensuring your buying practice has the right balance between usability and the ability to mitigate and respond to threats is critical.
- Set A Device Use Policy for Employees
Set a strict device use policy for the home office environment that ensures employees know the risk and that they manage connected devices properly.
- Be Proactive and Identify Devices That May Be at Risk
Analyse and address all Internet-connected devices that are connected to your company, home Wi-Fi or wired networks for potential risk. Keep a list of the devices, the time they were last software updated, checked for any security alerts, and the last time the password was changed.