Old devices are often an easy target for cybercriminals, especially if they have exploitable vulnerabilities and no fixes are available due to their end-of-life, experts at global digital security company ESET warn.
Hacking old or vulnerable devices is a problem, but why would anyone try to hack devices that are no longer supported or running outdated software? To take control? To spy on people? The answer is not simple.
The end is near – for your device
There is a time when a device becomes obsolete, either because it becomes too slow, or because its owner buys a new one, or because it lacks functionality compared to modern devices, with the manufacturer turning its attention to a new model and presents the old one. one as an end-of-life (EOL) device.
In this phase, manufacturers stop marketing, selling or providing parts, service or software updates for the product. This can mean many things, but from our perspective, it means that the security of the device is no longer properly supported, leaving the end user vulnerable, says Márk Szabó from the ESET team.
After the end of the support, the cybercriminals start to gain the upper hand. Devices such as cameras, video conferencing systems, routers and smart locks have operating systems or firmware that, when they become outdated, no longer receive security updates, leaving the door open to hacking or other malicious uses.
According to estimates, there are about 17 billion IoT (Internet of Things) devices in the world – from cameras to smart TVs – and this number is constantly growing. We assume that a third of them will be considered obsolete in five years. That would mean that more than 5.6 billion devices could be vulnerable – not immediately, but as support ends, the probability increases.
Too often, these vulnerable devices can end up as part of a botnet – a network of devices turned into zombies at the command of a hacker.
One man’s trash, another man’s treasure
A good example of a botnet exploiting vulnerable IoT devices was Mozi. This botnet was known for hacking hundreds of thousands of Internet-connected devices every year. Once compromised, these devices were used for various malicious activities, such as stealing data and delivering malware loads. The botnet was very persistent and capable of rapid expansion, but was neutralized in 2023.
Exploiting vulnerabilities in a device like an IoT camera could allow an attacker to use it as a surveillance tool and spy on you and your family. Remote cybercriminals could take over vulnerable cameras connected to the Internet once their IP addresses are revealed, without first gaining access to the cameras or knowing their passwords. The list of vulnerable IoT devices is long, with manufacturers not taking up the task of patching – indeed, this is not possible when a manufacturer has gone out of business.
Why would someone use an old device that even the manufacturer doesn’t support? Whether it is a lack of information or a reluctance to buy a new product, the reasons can be many and logical. However, this does not mean that these devices should be in use – especially when they have stopped receiving security updates.
Alternatively, why not give them a new purpose?
Old devices, new uses
Due to the abundance of IoT devices has been a new trend: the repurposing of old devices for new uses. For example, turning your old iPad into a home control device, or using an old phone as a digital frame or GPS in the car. The possibilities are many, but even in this case you have to consider the issue of security – these electronic devices should not be connected to the internet because of their vulnerable nature.
On the other hand, getting rid of an old discarded device is not a good idea from a security perspective. In addition to the environmental angle of avoiding pollution, old devices can contain troves of confidential information collected during their life.
Again, unsupported devices can end up as zombies in a botnet – a network of compromised devices controlled by an attacker and used for malicious purposes. These zombie devices are most often used for distributed denial of service (DDoS) attacks.
Botnets can cause a lot of damage, and it often takes a coalition (often consisting of law enforcement from several countries working with cyber security authorities and vendors) to neutralize or disrupt a botnet, as in the case of the Emotet botnet. However, botnets are very resilient and could respawn after a disruption, causing more incidents.
Smart world, smart criminals and zombies
There is much more that can be said about how smart devices offer more opportunities for fraudsters to take advantage of unsuspecting users and businesses.
The bottom line is that you should always keep your devices updated, and when that’s not possible, try to safely retire (deleting old data), replace them with a new device after a safe retirement, or use them for a new purpose.
Old devices can become an easy target for cybercriminals, so keeping them disconnected from the internet or stopping their use, you can feel safe and protected from any harm through them says ESET.