The Grinch 2.0
In this article ITC’s Kevin Whelan, CTO and author of Threat of the Week, conveys a very seasonal warning.
Down in Google-ville
Liked Christmas a lot
Previously the Grinch (2.0, recently released) did not
However, during his time inside
The Grinch saw the changes and made up his mind
It was no longer required to break into houses
And physically steal the parcels and sweets
Let alone carry them back to the mountain retreat
It transpires the Goos had done something silly
And instead of going shopping whilst chilly
Had purchased their gifts for family and friends
On online portals for next day delivery
As well as sharing all of their data
The Goos gifted products were totally connected
To the unregulated cloud and the Internet Of Things
Turns out, they were not protected
So rather than burgle everyone’s houses
The Grinch and his friends just sat there with mouses
Taking advantage of default settings and more besides
To exfiltrate data and take the Goos for a ride.
(With apologies to the good Dr Seuss)
Christmas time is a very opportunistic time for the criminal fraternity. From card scams on busy high streets on ‘Black Friday’ (seemingly now extended to ‘Black Friday onwards’) to fraudulent online sites robbing people on ‘Cyber Monday’, the Christmas purchasing rush is the very sort of chaos and confusion that can be exploited by criminal gangs, many of whom have been planning their moves for eleven months or more.
When you consider that so many gifts this year will be ‘connected’ (as in, to the Internet), from kids’ toys such as dolls, remote-control Star Wars toys and fitness wearables to, for the soon-to-be-divorced ‘giver’, thermostatic, lighting or, at the far end of the spectrum, antenna-controlling hardware, it should be a very real concern that there is no regulation about the default security settings of any of this.
Come Christmas morning, little Johnny will need to have his ‘insert any new toy or game here’ connected to the house WiFi and will be fighting with little sister Jane, setting up her online Ouija board, for the attention of hung-over parents stressed out about the in-laws’ arrival and the fact they forgot to collect the turkey.
The fact that all of these devices call home (China mostly), that nobody is sure what data they share or with whom, and that the default passwords can be abused very easily is a very big worry.
Imagine. With very few configuration steps, you can connect to your fridge from your phone and Jane can do Ouija from the pub as you hide from your family.
And all the time, Alexa, Siri and the mind-bogglingly annoying Bixby are probably listening.
Be careful about connecting stuff to your home network, even if you have a massive hangover and can’t deal with the fight. Always change the default passwords.
Avoid Grinch 2.0