Avast, yesterday revealed the findings from its latest research experiment into smart devices, where it identified more than 22,000 webcams and baby monitors in the city that are vulnerable to attack.
The Internet of Things (IoT) devices are without authentication, allowing cyber-criminals to livestream the videos directly to the internet.
The findings identified more than 493,000 smart devices in Barcelona and 5.3 million in Spain overall – including smart kettles, coffee machines, garage doors, fridges, thermostats and other IP-connected devices – that are connected to the internet and vulnerable to attacks.
As webcams and other devices are vulnerable, there are a range of security, legal and privacy concerns to be addressed.
Snoopers could easily access and watch Mobile World Congress visitors and Barcelona residents in private and public spaces, and stream the video directly to the internet, or turn the device into a bot.
Conducted in partnership with IoT search engine specialists Shodan.io, the experiment proves just how easy it is for anyone – including cyber-criminals – to scan IP addresses and ports over the internet and classify what device is on each IP address. And, with a little extra effort and know-how, hackers can also find out the type of device (webcam, printer, smart kettle, fridge and so on), brand, model and the version of software it is running.
With hundreds or thousands of vulnerable devices, cyber-criminals can create a botnet to attack and take down servers and websites. When a device is infected, it can also be used to infect other devices, to add them to a botnet, or to take control over them and do harm to their owner.
This includes kitchen and other household devices, to which cyber-criminals can give remote orders, for example, to heat up water in a kettle.
Smart device manufacturers also collect and store private user data, including behavioural data, contact information, and credit card details, which poses an additional risk if intercepted by cyber-criminals.
"With databases of commonly known device vulnerabilities publicly available, it doesn't take a vast amount of effort and knowledge for cyber-criminals to connect the dots and find out which devices are vulnerable," comments Vince Steckler, CEO at Avast. "And even if the devices are password protected, hackers often gain access by trying out the most common usernames and passwords until they crack it."
Avast's latest research experiment highlights a serious and growing problem which, unless addressed, will only worsen in line with the increasing number of devices connected to the internet.
Vince Steckler, Avast, continues: "If webcams are set to livestream for example, hackers or anyone can connect, making it easy for cyber-criminals to spy on innocent Mobile World Congress trade show visitors, or oblivious school pupils, workers or citizens nearby. That in itself is a privacy minefield, although what is far more likely is the possibility of a cyber-crook hijacking an insecure webcam, coffee machine or smart TV to turn it into a bot which, as part of a wider botnet, could be used in coordinated attacks on servers to take down major websites. In the future, we could also see cases where cyber-criminals harvest personal data, including credit card information from unsuspected IoT users."