Copying and distributing are prohibited without permission of the publisher
How cyber criminals hijack smart devices
12 February 2017
If the communications industry takes too long to address security, cyber criminals will have time to start to take full advantage of a glaring weakness in their defences, writes Elad Ben-Meir
The internet of things (IoT), the internet of autonomous
connected devices, has been utilised in a variety of scenarios.
One such is to enhance the security in commercial premises of
all kinds. Linking devices such as security cameras and digital
entry systems in real time has so far safeguarded banks,
boardrooms and every other type of office premises.
But those very devices are now at risk of being turned against
building occupants. The recent Dyn distributed denial of
service (DDoS) attack that hijacked an estimated 100,000 smart
devices highlighted the vulnerability of such devices to a mass
What most people do not realise is that such devices can just
as easily be hacked individually, enabling cyber criminals to
target specific buildings and their occupants. A large city
office occupied by a financial institution will, for example,
use hundreds, possibly thousands, of devices ranging from
security cameras to entry systems.
These are not always secured and most can, therefore, be hacked
by organised criminals wanting to break into a bank's system to
gain access to its cash or simply to carry out industrial
espionage by spying on all the firm's activities, essentially
opening up another (physical) attack vector for attacking a
Research carried out by cyber security company CyberInt and its
partner, IoT security company SecuriThings, shows that
surveillance and security devices also typically have weak
default password protection and other vulnerabilities as some
of these devices were never designed to resist a determined
Corporate offices occupied by banks, legal firms, accountancy
practices and others are wide open to many new forms of cyber
attacks and cyber espionage. There is now a realm of unknown
future attacks, some of which are currently already being
planned by enterprising cyber criminals who are now only too
aware of this newly emerging vulnerability in corporate
The most obvious form of non-distributed IoT attack would be to
hack into security cameras for purposes of industrial
espionage. For example, discreet mounted digital video and
audio recorders are now routinely used inside office buildings,
guarding inner sanctums such as boardrooms or research
facilities. These devices can be hacked relatively easily,
enabling criminals and business rivals from virtually anywhere
in the world to steal business critical intelligence.
Spying on staff members can also be used to facilitate a
socially engineered attack where vulnerable or disgruntled
employees are targeted with a view to blackmailing, bribing or
otherwise coercing them into giving the cyber criminals
unauthorised access to sensitive corporate data.
It has long been the case that "insider" attacks of this nature
are the soft underbelly of corporate security. Monitoring what
takes place in offices and what conversations take behind
closed doors would effectively put organised cyber criminals at
the heart of an organisation they had targeted This could
comprise critical business intelligence such as product
designs, business strategies or provide the criminals access to
It is also possible to hack into entry systems and other
connected security devices in order to gain access to premises
housing data networks and computer terminals in order to make
physical entry for the purpose of compromising the target
organisation’s entire database.
It is clear that cities such as London house thousands, perhaps
millions of smart devices which are increasingly being
connected to the Internet and can therefore be harnessed in a
mass DDoS attack, such as that suffered by Dyn, or targeted
But what is not yet entirely clear is where the responsibility
in securing these devices lies. Should this fall to the
occupant or to the property company which provides the office
infrastructure in the first place or to the makers and
suppliers of smart security devices?
As yet, there is no legislation requiring the manufacturers of
the rapidly growing number of smart devices to incorporate any
type of cyber security features into their products and
property developers and buildings are still largely ignorant of
If the communications industry takes too long to address this
question, cyber criminals will have time to start to take full
advantage of what is now a glaring weakness in their security
Nor does the hacker have to be particularly skilled as the kind
of software needed to hijack smart devices is now widely
available online. The Dyn attack, for instance, used a
well-known malware called Mirai, which is Japanese for "the
Companies which do not wish to have their sensitive customer
information hijacked, their product designs and business
strategies stolen or their bank accounts emptied should lose
little time in extending cyber security well beyond its
traditional perimeters to include the vast number of connected
devices which now sit unprotected and vulnerable to all types
of cyber attack.
Elad Ben Meir is VP of marketing at cyber security firm
To continue reading this article, please register for an extended free trial by going to the box below. If you are already a subscriber or a trialist, please log in...
Already have an account?
Subscribers have unlimited access to all current and archive content. Start your
subscription today - click on the button below.
Taking a free trial will give you access to all of Global Telecoms Business(possibly excluding some surveys and articles).
Registration is quick. Start your free extended trial today.