Published on 02 Sep 2019

Updated on 08 Oct 2019

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.


Our society is increasingly connected; the lines between physical and digital worlds increasingly blurred. This is in no small part due to the Internet of Things – the vast network of everyday devices that are connected to the Internet, and can communicate with each other without human intervention.

Today, the Internet of Things, or IoT for short, extends to our homes (think: baby monitors, refrigerators, coffee machines); offices (security cameras, air conditioning, communication tools); and across a multitude of industries such as healthcare, transportation, and manufacturing.

This can bring about significant benefits, such as improved efficiency, safety and cost. For example, IoT devices enable doctors to remotely monitor patients’ health; automatically alert personnel in event of fire or gas leaks; and even help us turn on the air conditioning so we arrive to a cool home.


Rise of IoT Technology

The IoT landscape is rapidly expanding. In 2018, there were an estimated 11.2 billion connected devices. By the year 2020, this number is projected to more than double.

This rapid growth comes with cybersecurity risks. The vast proliferation of connected devices exponentially increases the attack surface for potential cyber-attacks. To compound the issue, the industry is mostly unregulated. Most IoT manufacturers focus on producing cheap, functional products without a security-by-design approach; consumers, too, seldom consider security in their purchase decisions. As a result, many IoT devices often go unpatched, unmonitored and unsecured.


Hijacked IoT Devices

Unsecured IoT devices can be exploited by hackers to turn against their users in sinister and surprising ways.

In December 2018, a family in Texas heard a stranger’s voice sprouting expletives in their baby’s room. The suspected home invasion turned out to be a cyber-attack: a hacker had hijacked their Nest baby monitor and used it to issue the threats. In a similar case in January 2019, a security camera in a family’s living room in San Francisco was hijacked, and used to broadcast a hoax nuclear alert that North Korea had fired missiles to the US.

In both cases, the IoT devices were hijacked by hackers using stolen passwords from previously compromised accounts

Read on by clicking on the story below:

Unauthorised network access

Although IoT devices are becoming ubiquitous, digital security company Gemalto estimated that less than half (48%) of businesses are able to detect if their IoT devices suffers a breach. This makes IoT devices a vulnerable entry point that malicious actors can take advantage of to gain entry connected systems, and compromise sensitive information within.

One of the more innovative breaches took place in 2017, when hackers used an Internet-connected fish tank to steal data from an unnamed casino in the US. The fish tank contained IoT sensors that helped to regulate the temperature, food and cleanliness of the tank. Unfortunately, the tank was unsecured and connected to the rest of the casino’s network. Hackers were able to exploit a vulnerability in the device to gain a foothold into the casino’s network, to illegally access and copy the casino’s high-roller database of customers.

Read on by clicking on the story below:

“Botnet of Things”

Infected IoT devices can be used to propagate malware, and amassed by attackers into large networks of compromised devices (or botnet) to target Internet infrastructure.

One of the infamous botnets is associated with the Mirai malware, which infects vulnerable IoT devices through a list of 60 default usernames and passwords. Like a digital zombie horde, these compromised devices will identify and infect others. Although they may appear to function normally, at the backend, attackers are able to marshal the bandwidth of hundreds of thousands of these devices against a target, to carry out distributed denial of service (DDoS) attacks.

Originally created by a Rutgers University student to bring down rival servers of popular video game Minecraft, Mirai botnets (made open-source by its creators) have been used to inflict some of the most damaging DDoS attacks. In October 2016, a Mirai botnet carried out a DDoS attack against Domain Name System provider Dyn. The attack disrupted Internet connections across the North America and Europe, to major sites like Amazon, Netflix and Paypal. In a separate incident, DDoS attacks linked to compromised customer IoT devices such as routers and webcams brought down Starhub’s broadband network in October 2016.

As the number of unsecured IoT devices continue to grow, so does the risk posed by IoT botnets – DDoS protection firm NexusGuard found that an increasing number of DDoS attacks in 2018 stemmed from the growing “botnet of things”.

Read on by clicking on the story below:


What can we do to secure our IoT devices?

These are some basic steps we can take to safeguard our IoT devices and networks:

  1. Check for software updates regularly and install them: Install firmware updates; consider enabling automatic updates for operating systems.

  2. Turn off remote access to Internet-connected devices like cameras and printers.

  3. Change all device passwords so you don’t have defaults: many devices come with pre-configured usernames and passwords such as “admin” and “password” respectively. These can be easily guessed by hackers and malware such as Mirai.

  4. Scan your network for security holes: Advanced users can use tools such as Nmap to identify vulnerabilities before attackers do.

SOURCES INCLUDE: CSOOnline, DarkTrace, Gartner, Gemalto, Krebs on Security, NexusGuard, NBC News, New York Times, The Straits Times, Washington Post and Wired