I have to admit that in mid-October, when I first read that hackers using a malware code have now the capability of infecting vulnerable internet-connected home devices such as my smart kettle, it brought a smile to my face.
The more I researched however the less amusing it appeared to be. The code used is in fact now capable of assembling a ghost army operating in waves of thousands of hacked web connected smart devices used every day. Smart gadgets including those probably never thought to be at risk by anyone suddenly emerged as front runners in the creation of this newly identified threat. The list includes items such as baby monitors, digital TV recorders, smart connected home devices like ovens and kettles, home lighting systems and a long list of gadgets which can be operated remotely by owners using mobile phones and tablets especially when away from the home or business premises. Among this list are alarm and CCTV systems now widely used by consumers everywhere especially in countries like ours and the USA.
Warnings
The alert was given in mid-October after one of the largest cyber attacks identified which involved web-connected home internet devices disrupting some of the most widely used websites such as Airbnb, PayPal, Twitter and Netflix and allegedly some sites hosted by the internet giant Amazon. The so-called ghost army receive instructions via the attacked devices to bombard popular websites with hundreds of thousands of junk orientated messages which essentially overpowers the websites and simply knocks them offline. The cyber genies have effectively skipped across the so called ‘cloud’ on a rainbow whilst the watchmen have been taking a nap.
Kick off
While the experts involved in the aftermath of the attack estimate some 500,000 devices were hacked and used in the attack came mainly from the USA, the products infected were believed to be of Chinese origin with easily identified passwords and user codes. This type of attack described by experts as a Distributed Denial of Service (DDoS) is where a website is systematically swamped by junk messages sent by hacked devices.It was initially targeted against a US company called DYN which acts as a switchboard for internet traffic for a vast client base of direct users wishing to gain access to the world’s most used websites. It appears the initial attack came only hours after a researcher for DYN had given a much publicised presentation in Texas on cyber criminals and specifically on DDoS. The presidential election in the USA has raised the profile of internet hacking and alerted everyone to the problems associated with emails and the practice of user reliance on factory default user names and passwords on web enabled home devices including security systems.
Cyber centre
It was interesting to read that even before the attack the National Cyber Security Centre, the UK Government’s newly formed organisation which is in fact part of the GCHQ had issued a warning to the cyber industry that they had identified evidence that less technically capable hackers were now able to use a code known as Mirail to quickly build networks of colonised devices. This malware already had been programmed to guess at least 68 user names and their password combinations. This in itself opens up another new channel for opportunist cyber criminals who will exploit the holes in the security firewall to steal data and commit online fraud. The identification of how easy it is to remotely exploit household appliances and security systems and the ease with which they can be accessed, will spur on those engaged in cyber crime to search out methods to turn this into rich rewards.
Smartphone
According to research published by Visa in October, payments being made by smartphones and tablets including wearables has tripled since 2015, a rise from 18 per cent to 54pc by consumers regularly making payments with their smart enabled device. As consumers drive the need for more flexibility the vulnerability of the payment system is being exposed so it is not surprising for us to learn that mobile phone payment fraud is surging along with internet enabled crime. According to Visa 75pc of consumers believe that a two factor authentication, for example biometrics used with a password is sufficiently secure for payment made by mobile devices. I wish I had their faith. Whilst Deloitte maintained this year that 21pc of all UK smartphone users are now using fingerprint authentication for a variety of applications, including approving transactions the fact remains technically the security controls and the tools available are very much still evolving. Experts in this field point out that the mobile payment systems rely on a wireless carrier infrastructure which was not originally designed with security in mind.
While consumers are continually reminded about ensuring their devices are securely protected and however sophisticated anti-fraud mobile payment technology becomes the hackers are going to be ahead of the game. There is no shortage of security technology whether it is fingerprint scanning, pincode, biometrics, voice recognition, facial recognition or even retinal scanning; the problem remains to get consumers to use it effectively. Phone hacking is nothing new but with increased usage and dependability by consumers and businesses alike the reliance on such devices come with a greater risk especially in relation to privacy, fraud and crime.
