The doll was supposed to be “internet safe,” but it ended up being banned in Germany as a bugging device. During the 8th Annual Cybersecurity Summit, powered by FICO, two security experts showed just how easy it was to hack into the doll.
“Because she has no PIN on Bluetooth, anyone can connect to her within 30 or 40 feet. So, she’s essentially a bugging device, and that’s how the Germans look at her,” said Tim Luck, a consultant at Pen Test Partners.
Pen Test Partners discussed four different ways the Cayla doll could be hacked to either listen in or “speak” inappropriate content. The doll was not the only device on stage that was shown to be hackable. There was also a “smart” tea kettle and a smartwatch to help parents monitor their children – both hackable with a little effort and some specialist knowledge.
All the devices show a growing trend in cybersecurity: How do we make the internet of Things (IoT) – smart devices that are connected to the internet – more secure against increasingly sophisticated cyberattacks?
“The security of these devices is not strong, at least, not yet,” said Ed Cabrera, chief cybersecurity officer at Trend Micro. “You don’t have to break out the big tools to be able to get in. It’s a growth area.”
Cabrera mentioned how IoT devices could be taken over by hackers and made to serve them as part of a botnet. Once hacked, a cybercriminal could use a large group of these devices arrayed in a botnet to mine cryptocurrency, turning a stranger’s IoT device’s computing power into personal profit.
“These devices are wide open on the internet,” he said.
According to Cabrera, hackers also attack and gain control of IoT devices to:
- Make the devices join a (DDOS) attack to take down a corporate or government website.
- Cover a hacker’s true web address by using the IoT device’s address instead (using a “proxy server”) to launch attacks.
- Record private audio/video via webcams, smartphones, or other devices. Content which could be monetized by cybercriminals using various methods.
The cybersecurity threats associated with the IoT have grabbed the attention of the highest government officials as well, including the Trump administration.
“Every device connected to the internet is a potential entry point for hackers, botnets, and malicious code,” Kevin McAleenan, acting secretary of Homeland Security, said at the Summit. “Tools for launching cyberattacks are becoming increasingly available, lowering the degree of technical knowledge required for would-be adversaries.”
Findings solutions won’t be easy, but Cabrera offered some suggestions for manufacturers and others to improve IoT security. He said that companies have to start with security requirements, understand their IoT vulnerabilities, and “build a strategy backwards from that.” He also recommended pre-emptively reaching out to the government and academia to help share and learn best practices.
Christopher Roberti, senior vice president for Cyber, Intelligence, and Security Policy at the U.S. Chamber of Commerce, said that one of the key ways of boosting IoT security is to have industry standards. The Chamber joined the Council to Secure the Digital Economy to develop a set of consensus core capability baselines for IoT devices.
“The consensus baselines of this group, plus NIST’s similar work, are a quality starting point for device security,” Roberti said. “We believe that policymakers need to match industry’s leadership concerning IoT standards, development, device security, and resilience.”
In the end, as resourceful as cybercriminals are, many talented people are working on the other side to ensure IoT devices in homes, businesses, and schools remain secure.
“On the upside, in 2019, there is much greater awareness of the cyber threat than there was eight years ago,” McAleenan said. “There’s a lot more work to do. If an organization hasn’t invested in cybersecurity… because of lack of awareness or resources, let’s work to close that gap together. And if an organization has mature cybersecurity protections, then I encourage them to assist other less mature organizations – in their sectors, in their supply chains – to improve the cyber hygiene around them because it can affect all of us.”