23rd June 2017
SureCloud Press Release
PRESS RELEASE June 23, 2017 London | SureCloud®, a supplier of Cloud-based Governance, Risk and Compliance (GRC) Applications and Cybersecurity Solutions, recently partnered with the consumer charity Which? to provide expert consultancy services for a feature looking at the security of the internet enabled home.
With estimates suggesting that there will be 75.4 billion internet connected devices by 2025, Which? wanted to conduct a test to see how secure an internet enabled home is, i.e. one with a high number of Internet of Things devices. Which? briefed SureCloud’s Cybersecurity experts to conduct an ethical simulated attack (Red Teaming) against a Which? employee’s home, which was set up with an array of modern IoT (Internet of Things) devices, ranging from a smart toy, to a coffee machine, to a smart-plug.
Commenting on the project, Luke Potter, Cybersecurity Practice Director for SureCloud, said: “The team was provided with only the name of the target, and from this our team set about identifying as much information as they could from online research. Within a few hours they had full details of the individual, including their home address, family and partner details, full employment history, corporate and personal email addresses, and an array of credentials that they had used for online websites including social media accounts – highlighting just how much personal information is legitimately in the public domain.
“Once this information was gathered, the team began to develop a programme of realistic attacks that cyber-criminals would use to phish the target to obtain further credentials and access to their online life, including accounts that were used to manage these various devices. We then developed a further range of attacks that enabled us to provide an in-depth analysis of the gaps that exist in the security of modern internet connected home.”
After the initial crawling of online accounts, SureCloud’s cybersecurity consultants visited the target’s property, performing reconnaissance from outside the house. Following this, SureCloud Cybersecurity experts launched illustrative test attacks. These included creating an order for items using the target’s Amazon Echo by simply shouting through a window and compromising a smart coffee machine by overloading it with boiling water.
Once the local Wi-Fi network key (password) was compromised, the number of attack vectors continued to increase allowing SureCloud to completely control most devices. Finally, the consultants chained attack vectors together; for example, by further developing known vulnerabilities in a smart toy they could listen to all conversations within the home and even speak through the toy remotely.
“All of the tactics we used are ones that cyber-criminals utilise to compromise targets, highlighting the number of gaps that exist in our everyday protections,” continued Potter. “To consumers, there are a few key takeaways. Most critically you must ensure that you have a completely unique password for every single system and service that you use. Additionally, when you are purchasing IoT devices you should properly configure them, including changing passwords and not leaving them in their default state. Finally, if updates are made available by manufacturers of these devices, apply them as quickly as possible.”
Andrew Laughlin, Principal Research, Which? commented: “We had already run security and privacy tests on many smart products as part of our regular reviews. However, this investigation was designed as a snapshot test, enabling us to go much deeper into potential vulnerabilities and expose much broader, more troubling trends. We’ve contacted all of the manufacturers involved in the hack about how to address their vulnerabilities and have worked with SureCloud to develop a guide to preventing such attacks being successful.”
Further details can be found in the following published articles:
Tech trade press: