Connected gadgets are sure to show up under Christmas trees next month but Australians are still well behind the curve when it comes to securing them, one technologist has warned as new survey results suggest that many users still can’t pick out a phishing email – and that 4 in 5 users have no idea their home Wi-Fi networks have the potential to be compromised.
A poor perception of the real risks of security, regular sharing of passwords and a perception that online fraud and bullying are more likely than their equivalents in the real world were all common threads throughout Symantec’s 2016 Norton Cybersecurity Insights Report, which surveyed nearly 21,000 online users in 21 countries, including 1005 in Australia.
Those users confessed to relatively slack security habits around their home networks, with 26 percent of Australians saying they had no protective measures in place for their connected home devices and 41 percent saying there aren’t enough connected device users to make them a worthwhile target for hackers.
This misinformation persists even as hackers actively scour the Internet for vulnerable devices – particularly those whose default passwords remain unchanged – that they can use to breach networks, launch crippling distributed denial of service (DDoS) attacks, or potentially cause real-world damage.
The potential damage from such attacks should be pushing home users to at least try to keep their devices from being commandeered – but experience is proving otherwise, Symantec technology strategist for information security Mark Shaw told CSO Australia.
“These are threats that are affecting Australian consumers but simple practices aren’t being taken to try and mitigate some of that risk,” he said, arguing that consumers needed to stop thinking of connected devices as being field-ready and recognise that they bring new vulnerabilities that conventional consumer products simply do not have.
The devices “are meant to be like any commodity out there in that you go out, buy it, and then use it,” Shaw said. “But there is clearly a difference and consumers really need to consider that their new security cameras, web cams, wearable technology, and toys all have IP addresses – and therefore represent a new attack vector for cybercriminals.”
The problem is likely to persist for some time: 62 percent of respondents wrongly believed that connected devices were designed with online security in mind, and only 34 percent said it was risky to leave connected home devices unprotected.
Yet IoT devices were only one area where users are falling short on device security: many were not only failing to protect their devices by changing default passwords, but were also actively compromising their security by sharing passwords with other people. Some 35 percent of millennials in the survey said they do so – a result that is strikingly similar to the 40 percent of millennials who said they had experienced cybercrime in the past year.
Equally worrying was the finding that nearly 30 percent of respondents could not detect a phishing attack and 13 percent have to guess whether a message is real or a phishing email. Some 13 percent said they had taken a compromising action such as clicking links on a phishing email or responding with personal details.
Consumers’ Wi-Fi habits suggested yet another broadly insecure risk vector, with 87 percent of consumers saying they have in-home Wi-Fi but only 66 percent saying it was risky to leave those networks unprotected and just 22 percent saying it’s likely that their networks have the potential to be compromised.
Given that phishing is the most common attack vector for cybercriminals, this ongoing lack of security leaves consumers wide open to exploitation. And while protection from DDoS attacks remains “perhaps the domain of larger businesses that can afford to get that through carriers or specialised providers”, Shaw said, consumers should still be working to minimise their exposure to the rising tide of device-driven cybercrime.
“Consumers are ultimately going to be impacted,” he said, by actions such as the efforts of a gamer who tried to bring down the PlayStation Network and ended up disrupting much of the United States Internet in the now-infamous Dyn attack.
“I can’t see it changing any time soon,” Shaw warned while encouraging consumers to do what they can to avoid becoming part of such a botnet. “It’s not an easy issue to deal with, and we can’t patch their OS or use security tools to remove malware; these are devices that we don’t have that same level of access to. They have a long shelf life, and that means they’re going to be a problem that’s hard to pin down for some time.”
Volumes of connected devices are expected to soar this Christmas buying season, with the smart-toy segment pegged by Juniper Research at $US2.8 billion ($A3.77b) in 2015 and expected to grow to $US11.3 billion ($A15.2b) by 2020 as the toys get smarter and more engaging. Security firm Akamai, for one, recently warned consumers to expect a sharp uptick in device-driven DDoS attacks between this week’s Thanksgiving holiday and the Christmas-New Year period.