IoT devices pose security threat in HK

 IoT devices pose security threat in HK As more IoT devices are deployed for business or consumer uses, they are increasingly vulnerable to hacker attacks. They are expected to be a potential security threat in Hong Kong this year. Security experts call for better protection and best practices to enhance the security of those products.

According to the Hong Kong Security Watch Report released by Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) in January, the number of botnet security events was 4,656 in the fourth quarter of 2016, up 77% from the third quarter of the same year. The top botnet was Mirai, accounting for 41% of the total number of botnet events.

IoT botnet attacks

Mirai malware was a big IoT hacking outbreak in 2016, which targeted vulnerable IoT devices like IP cameras and home routers. The infected IoT devices formed a botnet that had launched a massive distributed denial of service (DDoS) attack on major websites globally. 100,000 IoT devices were compromised by Mirai.

According to HKCERT, since its first outbreak last October till last month, Mirai had infected around 2,000 connected devices in Hong Kong.

The infected devices included IP cameras and digital video recorders that are vulnerable to cyber attacks. Many of those devices were not patched, and equipped only with weak passwords that can be cracked easily.

HKCERT views IoT hacking as one of the potential cybercrime threat trends in 2017. Other cybercrime threats will come from ransomware and website hacking.

“IoT devices can be a jumping board for leaking user passwords or breaching other devices. Cybercriminals can control them to attack corporate or home networks,” said Wally Wong, consultant of HKCERT at the “Build a Secure Cyberspace” seminar last month.

Speaking at the same seminar, Dicky Wong of the cyber security and technology crime bureau (CSTCB) at the Hong Kong Police Force shares the same sentiment.

“Though we did not receive IoT incident reports so far, we see it as a potential threat in Hong Kong. As IoT is one of the elements in the Government’s smart city blueprint, IoT devices may be a potential target for hackers,” said Wong, detective senior inspector of police at CSTCB.

Apart from the continuous collaboration with HKCERT and OGCIO, Wong said his bureau has also cooperated with local IoT device vendors to share information about IoT threats.

To minimize the risk of IoT devices being hacked, security experts believe IoT devices can be protected at their design stage, by adopting international security evaluation standards and the application of an IoT security framework.

Securing IoT devices at design stage

The safety of IoT devices can be started from the design stage, making security an integral component of products rather than adding in security at the final stages of manufacturing.

“It’s better to involve the designers, engineers and users and maybe regulators if appropriate. Products should be shipped with security by default, ” said HKCERT’s Wong.

Before purchasing an IoT device, users have to understand whether the device’s admin password can be changed, security patches can be updated and data transfer will be encrypted.

“You may not have the chance to change or update anything after the purchase,” he noted.