For every gleaming new IoT device that hits the market, a hacker somewhere is figuring out how to compromise it. Today, even routine activities can land you in the sights of a bad actor.
Imagine what a bad day could look like in this era of ubiquitous connectivity… it’d play like some dystopian grindhouse film.
What an appropriate way to head into Halloween and conclude Cybersecurity Awareness Month! If you’re ready for a good cyber-scare, let’s look at five real-life scenarios where you’d never expect to get hacked — but just might.
1. Waiting to check out
It’s a busy morning at the grocery store and six people are in line ahead of you. The person in front exclaims she’s lost her credit card, and then apologetically moves toward the back of the line. You find it strangely un-Covid as she brushes by you and other shoppers.
In her hand she holds what appears to be a mobile device.
It’s actually an RFID scanner.
These portable devices are widely available online for around $1,000USD and let the holder read data from RFID chips within a few feet away. Theoretically, a bad actor could enact the above scheme to steal the credit card data of the five people behind her in line.
While this threat makes a great headline and has spawned an entire RFID-protection industry, many experts say it’s not much of a reality — as risks far outweigh rewards. Our fictional RFID skimmer would be caught on security footage and probably featured on the evening news.
At any rate, this scam would only work on first-generation RFID chips, and those are a few years old by now.
2. At the coffee shop
Looking forward to a chill morning answering emails, you grab a secluded spot at your go-to coffee shop and fire up that laptop. You recognize the open public WiFi but, curiously, it directs you to a login page for your Google account.
Weird, but whatever. It’s time to get this morning started. You enter your credentials and get to work.
You’ve just fallen victim to a pineapple router.
These $99USD devices plug right into a hacker’s computer and within a few minutes can be configured to execute a number of attacks. In the sitcom Silicon Valley, we saw pineapples deployed to mimic a website. And in Mr. Robot, they used them for a man-in-the-middle attack, eavesdropping on the FBI.
Pineapple protection is really a matter of paying closer attention to the WiFi networks you use. Open networks that don’t require passwords should be avoided whenever possible.
You should also turn off your device’s WiFi when you aren’t using it, and deactivate the settings to remember frequently used networks and connect automatically. This reduces the chances a pineapple can replace a legit network without you realizing.
3. In the kitchen
Your chill morning at the coffee shop turns into a productive lunch, and by dinner it’s clear you deserve a glass of wine. Pouring a nice red, you scan the display on your IoT wine sleeve, perusing the selection’s acidity and food pairings.
The wine cartridge is almost empty, but c’est la vie. The sleeve will automatically order a new one. This nifty feature is also available on your water filter in the fridge.
Somewhere from the darkest reaches of the web, a hacker also raises a glass. He’s just compromised your home network and is impressed by your taste in wine — and the balance of your checking account.
While the wine sleeve never made it to market, the water filter sure did. IoT devices like these can quickly cough up your sensitive data if a bad actor gets into your home network.
Keep hackers away from your smart devices by creating a secure home network. Keep an eye on the passwords you use for home network and IoT devices alike. If you haven’t already, familiarize yourself with the best practices for password strength.
And, obviously, make sure the passwords are different for your WiFi and all the devices connected to it. (Goes without saying… right?)
4. Going to the bathroom
It’s been a long day. And what better way to wind it down than by brushing away all the coffee and wine that powered your productivity? Good thing you just got that IoT toothbrush.
As you brush, a live feed displays on your mobile device, highlighting your technique and any spots you might’ve missed.
Somewhere, in another, darker reach of the web, a hacker is also evaluating your brush game. It’s not about sensitive data this time, just straight-up creepiness.
As you can imagine, content depicting unsuspecting victims is quite a prize — not just for people who are into that kind of thing, but also bad actors looking to sell it.
Secure these types of devices just like they were that wine sleeve. Lock down your home network, increase password security, and make sure bad habits don’t lay out a welcome mat for hackers.
5. Even in bed
Time to call it a day and do it all over tomorrow. That kind of hustle requires a good night’s sleep, the kind of sleep assured by your smart thermostat. It cools down the room as you crash out, and then raises the temp slightly once you’re asleep, preventing any shivery wakeups.
If you have any doubts this could be a threat, try spending a winter in Finland. By inviting the Internet of Things into your most private space, you risk getting hammered, unawares, by everything from data theft, to voyeurism, to ransomware.
Conclusion: Pay attention when and where you’re connecting
Ever notice how those scary B-movies tend to have a moral? Maybe ours should be this: The promise of a better, more convenient life can make it easier convincing ourselves that risks either don’t exist or have already been addressed on our behalf by someone else.
Here at Sucuri, we’re always preaching that security is a continuous process. Technology gets released, hackers figure out a way to compromise it, and then you figure out a way to stop the hackers. Repeat, ad infinitum.
That’s not to say you should avoid cool-looking IoT devices that could make your life more awesome. This is just a reminder to be conscious of when and where you’re connecting, and then to take the appropriate measure to ensure you’re keeping secure.
Gerson Ruiz
Tony Perez & Daniel Cid
Daniel Cid
David Dede
Krasimir Konov