Can a cybercriminal now even use a toothbrush to launch a DDoS attack?
According to the Swiss newspaper Aargauer Zeitung, around three million smart toothbrushes were hijacked by cybercriminals to launch a DDoS (Distributed Denial of Service) attack.
A host of small, everyday malicious objects reportedly put a Swiss company out of action for several hours, causing millions of euros in damage.
The news aroused a considerable amount of concern, and many people, including experts, expressed doubts about its accuracy. Eventually the same security firm Fortinet, which had helped to lend the story credence, admitted that there had been some confusion and stated that
“The topic of toothbrushes used for DDoS attacks was presented during an interview as an illustration of a certain type of attack, and is not based on research by Fortinet or FortiGuard Labs. It seems that… the narrative on this topic has grown legs, to the point of confusing hypothetical scenarios with real ones.”.
So the story was not true, but it has turned the spotlight back to the risk that any smart object in our daily lives could become an element of risk. And yes, this is a very real hypothesis.
We are talking about IoT: Internet of Things, a system that connects various technological tools to artificial intelligence and which, of course, travels on the web.
It is a revolution that affects people in their individual spheres, as well as in their professional dimension. In fact, the adoption of IoT systems is also continuously growing in organisations, particularly in building automation, the automotive sector, and healthcare.
It is a constantly evolving process that paves the way for an infinite number of possible applications and that, especially when the 5G network is widespread, will manage many aspects of our lives. It is a fascinating and convenient prospect, but one that also involves great risks, given that the risk is proportional to the use of the internet connection.
A recent report by Palo Alto Networks showed that 57% of IoT devices are vulnerable to medium- or high-severity attacks, and 41% of attacks suffered by smart buildings exploit the vulnerabilities of these devices.
For hackers, in fact, it is very interesting and profitable to directly target IoT systems, which include a large number of devices that are full of extremely interesting data: features, configurations and valuable information. It must also be said that the operation of IoT devices in structures such as commercial buildings, data centres, hospitals, ports or schools can quickly transform into a complex and interconnected set of technology that is difficult to manage and supervise at the IT level.
For hackers, there is more profit in targeting companies or organisations. These organisations, if attacked, risk blocking the operating systems of buildings, losing permits or insurance coverage, or risk finding themselves in situations that can have an impact on safety, such as the shutdown of surveillance and access control systems.
In addition to all this, we should also consider the fact that smart devices are often, especially when likened to computers and smartphones, much less advanced from the point of view of technological defences and could be used as Trojan horses to infiltrate networks.
In short, they represent perfect prey for cyber criminals.
How can you protect yourself from a DDoS attack?
- Always make sure that the device software is updated to the latest version because, as the experts say, “you can never update things enough“.
- Do not use products that are no longer supported by their manufacturers and can no longer be updated.
- Disable functions that are not needed. If, for example, the microphone or webcam is not used on the smart TV, it is better to deactivate them and reactivate them only if necessary. Avoid providing information related to credit cards and electronic wallets, if there are no automatic payment transactions to be made.
- Always pay attention to personal, confidential or even sensitive data – “special data,” according to the definition provided by the GDPR – which are acquired and shared on the network by the device.
- When your configuration allows it, always set up an encrypted connection. Be wary of devices that do not allow such communication and that transfer “clear” information.
- Replace default passwords with strong passwords that contain combinations of alphanumeric, uppercase and lowercase characters and numbers. It is important to create combinations that are difficult to guess.
- Change some default manufacturer settings, when this is possible, such as the name under which that device appears on the network or the communication port.
- Be careful not to leave portable devices unattended. Theft of these could result in the loss of personal data, especially if access to the device is not adequately protected.
- For home devices, it should be borne in mind that these connect to the network using the router, to which they will connect, in most cases, using the Wi-Fi system.
Always remember the importance of configuring your home router to customise the configuration set by the manufacturer or network service provider.
An essential measure, for example, is to change the login credentials, especially the password. - Finally, be aware of maintenance.
There is a tendency in this particular market to continually release new models, and this leads many manufacturers to not maintain the older models. Periodic online searches, with reference to manufacturers’ sites, can help check if updates and support are still active. Be wary of any manufacturers that do not have well-structured websites. - Finally, the most important of the protection measures is knowledge and correct digital posture.
Awareness and proper training remain the two most effective weapons to signal to any hacker that their potential victim is ready to put up a good fight. The hackers will therefore be put off, and go looking for other victims and other cracks to slip through.