Until this week, I hadn’t heard about malvertising, or malicious advertising, and less so about its potential to attack internet of things (IoT) devices in your smart home network. Since I do write about IoT, cybersecurity, and smart homes, a report indicating that a criminal gang from Eastern Europe had attacked IoT devices in the home using malvertising made me dig deeper.
I wanted to understand how a display on my smart electricity meter might become a victim of an attack. My limited knowledge of malvertising made me think it’s only a problem if you click on an advert on a web site. But it turns out that no click is even necessary, so it can easily affect a smart energy meter or other connected device in the home, like security cameras, locks and entertainment devices.
Malvertising spreads malware through the injection of malicious code into online display ads via online advertising networks, exposing user networks and connected devices to the potential risk of infection. Advertising networks are generally unaware they are serving malicious content, and in the attacks revealed by GeoEdge, a mobile advertising cybersecurity company, users targeted with the attack aren’t even required to click on the infected ad or navigate to a malicious page to initiate the attack on home network devices.
GeoEdge said it had uncovered a global-scale malvertising attack, the first ad-based cybercrime aimed specifically at home-network based IoT devices. Its security research team, which has been investigating the malvertising attack on smart home IoT devices since mid-June 2021, identified both the attack vector as well its origins from bad actors in Slovenia and Ukraine.
The impacts of the broad IoT attack revealed in GeoEdge’s research include the ability to manipulate IoT devices, download apps without users’ consent, and risks theft of personal information and monetary instruments as well as tampering with home systems such as smart locks and surveillance cameras. To block such attacks, GeoEdge notes that antivirus apps and even firewalls are not sufficient, making it necessary to continuously block infected ads in real-time to prevent them from being rendered and presented to users (which I presume is its case for selling its software).
I posed the question to GeoEdge about the scale of the attack. The company’s CEO, Amnon Siev, said, “At this point, we cannot disclose quantitative figures, graphs or examples of devices showing the attack yet as this is still an ongoing effort we are working on in collaboration with the device’s company. What we can share at this point is that your IoT devices are exposed to malvertising. They can be installed with applications you didn’t ask for, can be accessed from afar by malvertisers. And this is all the result of a malicious ad which was showcased to the user on his secured home network.”
All he was able to say is that the origin of the attack was an Eastern European criminal ring, and that they are using programmatic advertising as a distribution channel for the attack, because it’s inexpensive and easy to deploy. The company partnered with adtech (advertising technology) firms InMobi and Verve Group to carry out the research. Siev commented, “With the collaboration between InMobi and Verve, we exposed the origin, infrastructure and global scale of these attacks. This joint mission is built on trust and a deep understanding of the threat landscape which has enabled us to create a new standard for user protection.”
So, the moral of the story is that even if you think you know about IoT security and have taken appropriate measures to secure your connected home devices (such as ensuring strong passwords) it may not be enough. There are likely to be plenty of other ways which we may not necessarily think of for an attacker to break into your smart home network. And malvertising is just one of them.