Ask Arthur: Can my appliances be hacked?

Q: I’ve heard that anything from washing machines to electric toothbrushes can be hacked. Is it true? And why would hackers be interested in my smart alarm or my toothbrush?

A: It’s funny you should ask, as we are currently trying out a cutting-edge electric toothbrush. However, one must see the threat in context. Any device connected to the Internet, typically part of what is called the Internet of Things, in which devices exchange information with each other, can be hacked, if there is no security layer built in.

Why would someone hack your fridge or toothbrush? Simple: if they can take control of enough devices, they can use those, in turn, as “botnets” to stage vast cyber-attacks on important systems, websites or other targets. These are known as DDoS attacks, for Distributed Denial of Service, typically intended to bring down a website or system by bombarding it with such a high intensity of requests, it cannot cope.

Exactly that happened in Switzerland recently, with the Swiss newspaper Aargauer Zeitung reporting that cybercriminals had infected 3-million smart toothbrushes with malware to carry out a massive DDoS attack on a Swiss company, taking it offline for several hours and costing millions of euros in damages.

According to network security provider Netscout, its Threat Intelligence Team has identified a sudden increase in device activity since the end of last year, signalling “a new weaponisation of the cloud against the global internet, representing the beginning of a threatening new wave of cybercrime”.

However, much of this can be put down to lack of security in such systems, says Christopher Conrad, senior threat intelligence analyst at Netscout.

“Our increasingly interconnected world has seen a rapid surge in the number of IoT devices used in business and public services. These devices often have poor security, so cybercriminals can easily compromise them with botnet malware and use them to remotely launch a range of cyberattacks including DDoS attacks.

“According to Netscout’s latest DDoS Threat Intelligence Report, nearly 8-million DDoS attacks were launched during the first half of 2023 – a 30.5% increase compared to 1H 2022. Among these attacks, adversaries are predominantly deploying IoT botnets to target enterprises and other types of endpoint networks, but also state and local governments.

“Ultimately, IoT devices are designed for convenience, cost effectiveness and profit, and several vendors put that ahead of security. It’s often left to the end user to bolt on instead of being baked in. You still see several major vendors use built-in backdoors, hard coded credentials, or rely on the end user to change a password instead of forcing it at first setup. To top that all off, several IoT devices do not auto update, so old vulnerabilities stay in place for longer than they should. Having limited built-in security, makes them vulnerable to attacks like botnet recruitment.”

For the consumer, the entry point to a smart device is via the app that controls it, if there is no authentication, security or protection built in or activated. Make sure that the app is , at the very least, password protected. Having anti-malware protection on your smartphone will also go a long way to protecting connected devices.

Email security provider Mimecast recommends the following steps to prevent botnet attacks, mainly via computers:

• Keep Software and Operating Systems Up to Date: Software vendors often release patches for vulnerabilities that botnets can exploit.
• Use Antivirus Software: Antivirus software can detect and remove malware that is used to create botnets. 
• Be Cautious When Opening Email Attachments or Clicking on Links: Phishing emails are a common way for botnets to spread, and email security is key to botnet prevention. 
• Disable Unnecessary Services: If a service is not being used, it’s best to disable it.
• Use a Firewall: A firewall can help prevent unauthorised access to your device, which can reduce the risk of infection.
• Use Strong Passwords and Multi-Factor Authentication.