A New Threat in Smart Home IoT Networks

Article By : Nitin Dahad

Malicious advertising can attack smart home IoT devices, without even having to click on an advert.

Until this week, I hadn’t heard about malvertising, or malicious advertising, and less so about its potential to attack internet of things (IoT) devices in your smart home network. Since I do write about IoT, cybersecurity, and smart homes, a report indicating that a criminal gang from Eastern Europe had attacked IoT devices in the home using malvertising made me dig deeper.

I wanted to understand how a display on my smart electricity meter might become a victim of an attack. My limited knowledge of malvertising made me think it’s only a problem if you click on an advert on a web site. But it turns out that no click is even necessary, so it can easily affect a smart energy meter or other connected device in the home, like security cameras, locks and entertainment devices.

Malvertising spreads malware through the injection of malicious code into online display ads via online advertising networks, exposing user networks and connected devices to the potential risk of infection. Advertising networks are generally unaware they are serving malicious content, and in the attacks revealed by GeoEdge, a mobile advertising cybersecurity company, users targeted with the attack aren’t even required to click on the infected ad or navigate to a malicious page to initiate the attack on home network devices.

smart home attack_ss

GeoEdge said it had uncovered a global-scale malvertising attack, the first ad-based cybercrime aimed specifically at home-network based IoT devices. Its security research team, which has been investigating the malvertising attack on smart home IoT devices since mid-June 2021, identified both the attack vector as well its origins from bad actors in Slovenia and Ukraine.

It added that the widely distributed attack vector is the first to use online advertising to silently install apps on home Wi-Fi connected IoT devices, and only requires that hackers possess a basic understanding of device API documentation, some JavaScript knowledge and rudimentary online advertising skills. Given that market research firms like IoT Analytics forecast more than 30 billion IoT device connections worldwide by 2025, this makes home and industrial IoT an extremely attractive and vulnerable opportunity for malvertiser attacks.

The impacts of the broad IoT attack revealed in GeoEdge’s research include the ability to manipulate IoT devices, download apps without users’ consent, and risks theft of personal information and monetary instruments as well as tampering with home systems such as smart locks and surveillance cameras. To block such attacks, GeoEdge notes that antivirus apps and even firewalls are not sufficient, making it necessary to continuously block infected ads in real-time to prevent them from being rendered and presented to users (which I presume is its case for selling its software).

I posed the question to GeoEdge about the scale of the attack. The company’s CEO, Amnon Siev, said, “At this point, we cannot disclose quantitative figures, graphs or examples of devices showing the attack yet as this is still an ongoing effort we are working on in collaboration with the device’s company. What we can share at this point is that your IoT devices are exposed to malvertising. They can be installed with applications you didn’t ask for, can be accessed from afar by malvertisers. And this is all the result of a malicious ad which was showcased to the user on his secured home network.”

All he was able to say is that the origin of the attack was an Eastern European criminal ring, and that they are using programmatic advertising as a distribution channel for the attack, because it’s inexpensive and easy to deploy. The company partnered with adtech (advertising technology) firms InMobi and Verve Group to carry out the research. Siev commented, “With the collaboration between InMobi and Verve, we exposed the origin, infrastructure and global scale of these attacks. This joint mission is built on trust and a deep understanding of the threat landscape which has enabled us to create a new standard for user protection.”

So, the moral of the story is that even if you think you know about IoT security and have taken appropriate measures to secure your connected home devices (such as ensuring strong passwords) it may not be enough. There are likely to be plenty of other ways which we may not necessarily think of for an attacker to break into your smart home network. And malvertising is just one of them.

This article was originally published on EE Times.

Nitin Dahad is a correspondent for EE Times, EE Times Europe and also Editor-in-Chief of embedded.com. With 35 years in the electronics industry, he’s had many different roles: from engineer to journalist, and from entrepreneur to startup mentor and government advisor. He was part of the startup team that launched 32-bit microprocessor company ARC International in the US in the late 1990s and took it public, and co-founder of The Chilli, which influenced much of the tech startup scene in the early 2000s. He’s also worked with many of the big names—including National Semiconductor, GEC Plessey Semiconductors, Dialog Semiconductor and Marconi Instruments.


Subscribe to Newsletter

Leave a comment