Researchers find 5.3 million vulnerable smart devices in Spain

  • Liam Tung (CSO Online)
  • 28 February, 2017 03:37

Researchers at security firm Avast claim to have found millions of vulnerable smart devices in Spain, including 150,000 hackable webcams.

Avast’s research coincides with this week’s Mobile World Congress (MWC) in Barcelona where enabling the Internet of Things is one of the conference’s main themes.

In a keynote today at MWC, Masayoshi Son, chief and chairman of Japan’s SoftBank, bullishly predicted it will deliver one trillion ARM chips for connected things over the next 20 years for cars, TVs, and shoes. SoftBank acquired ARM last year for $32bn.

Son has no illusions about the state of security for connected things, telling attendees “there are about 500 ARM chips in a car today and none of them are secure.” He also predicted most attacks will be through hacking connected objects, Reuters reported.

Avast used the Shodan IoT search engine to scan the internet for vulnerable devices in Barcelona and across Spain.

They claim to have found 22,000 “hackable” webcams in Barcelona alone and 150,000 of these across Spain.

In total, they found 5.3 million vulnerable smart devices in Spain, and were able to identify 79,000 of them as smart kettles and coffee machines.

Avast says it wanted to demonstrate how easy it is to scan the internet for IP addresses and the ports these devices communicate on to discover what type of device is on each address. With further analysis, an attacker can also determine the brand, model, and software each device is running in order to find exploitable bugs.

Vince Steckler, Avast’s chief, highlighted the privacy risks these devices pose to end users and the secondary threat demonstrated by the Mirai botnet last year. Mirai harnessed 100,000 hijacked IoT devices, such as webcams, to pummel Dyn, a managed service for core internet infrastructure, which in turn prevented millions of people from connecting to Twitter, Amazon, Spotify and other popular sites. The malware used a set of around 60 common default passwords to commandeer affected devices.

“If webcams are set to livestream for example, hackers or anyone can connect, making it easy for cybercriminals to spy on innocent Mobile World Congress trade show visitors, or oblivious school pupils, workers or citizens nearby,” said Steckler.

“That in itself is a privacy minefield, although what is far more likely is the possibility of a cybercrook hijacking an insecure webcam, coffee machine or smart TV to turn it into a bot which, as part of a wider botnet, could be used in coordinated attacks on servers to take down major websites. In the future, we could also see cases where cybercriminals harvest personal data, including credit card information from unsuspected IoT users.”