Smart TVs And Not-so-smart Travellers
Travellers are becoming increasingly vulnerable to cyber attacks, yet safe cyber practices are often overlooked when interacting with shared technologies.
Recently, having begun travelling for work again, I have been staying in various locations and during some downtime thought I would turn on the ubiquitous smart TV and see what is on the tube.
As I roamed through the channels across several TVs at different locations, one thing struck me — every device that I used had accounts signed in from previous travellers.
This may not sound like such a big deal until you realise the amount of information I was able to glean from previous occupants of the accommodation.
Before explaining the nuances of travelling and interacting with shared technologies, it is important to be mindful of these vulnerabilities when travelling, even at your place of stay. In my case, I either reset the TVs to their default settings or sign out the users from the TV in an act of white hattery.
In summary, I was able to discover:
- Email Address
- First Name/Last Name
- Google Contacts
- Financial Information
- Likes and preferences
- Products purchased or reviewed
- Direct App access (via the device).
As a starting point for an Open Source Intelligence (OSINT) activity, this information is a treasure trove, allowing anyone, with some very simple Googling, to work out a great deal about the person who had inadvertently signed into the Smart TV. Now, this may not seem significant until we look at previous examples of where Advanced Persistent Threats (APTs) have used these tactics to compromise hotel Wi-Fi networks for high-value targets.
Advanced Persistent Threats
Here, we should discuss what an APT is. It is defined as “a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network to steal sensitive data over a prolonged period”. Looking at historical incidents, it is not difficult to see how groups could form to participate in any criminal category such as information theft, financial crime or other malicious activities.
It is important to understand these more sophisticated types of groups, particularly if you or your company operates in critical infrastructure verticals, is deemed to be a high-value target, or holds sensitive information that relates to key industries such as Government or Defence.
The rise of APT groups has seen companies increasingly manage the security postures of executives; even non-executive travellers going overseas to high-risk countries are provided with advice from known bodies providing specific instructions and recommendations.
DarkHotel – An example from the past
DarkHotel, a well-known APT and malware, was first detailed by the cyber security company Kaspersky in its November 2014 report. The group was known to target various types of organisations, ranging from Government, Military, Energy, Medical and Manufacturing.
The main method of infiltration of DarkHotel was through Wi-Fi networks in luxury hotels. Zero-day exploits in popular products allowed the exploitation of the target via malicious documents, scripting, service manipulation, registry exploits and the use of command-and-control servers.
It is not a stretch to think that actors with this level of sophistication would compromise Smart TVs or other devices to gain information. In the case of DarkHotel, it seems that individuals and delegations of visitors were targeted, and an attempt was made to compromise every device that was part of the delegation.
Tips for travellers
Below are some simple tips that travellers can utilise when travelling for work, which will assist with ensuring that staff stay cyber-safe:
- Rely on “burner” or cheap disposable devices in high-risk countries
- Avoid travelling with work devices, if possible, particularly in high-risk countries
- If unavoidable, issue a freshly formatted device and wipe it on return before connecting back to the network
- Ensure corporate IT teams are advised where and when staff are travelling for work
- Avoid leaving devices unattended or unlocked
- Avoid sharing your location on social media
- Always disable Wireless and Bluetooth when not in use
- Avoid public Wi-Fi and USB charging stations
- Avoid doing work in public spaces where staff can be ‘shoulder surfed’ or manually compromised
- Avoid using unknown USB keys
- Do not take information or devices you do not need
- Avoid signing into smart televisions and other devices with personal account details
- Ensure all devices are updated prior to travel.
Education is the key
Most Boards and Executive teams are briefed regarding their responsibilities when travelling overseas; however, I have witnessed C-Level executives from high-risk organisations take sensitive work devices through high-risk countries without precautions, simply ‘accepting the risk’. It is important to keep reinforcing education about these high-risk behaviours at all levels of the business, and any risk acceptance should be formally documented.
Aside from the more technical and strategic approaches, our team can also provide training, staff testing, and ongoing assurance of process to ensure your staff can travel safely and your organisation’s sensitive data remains secure. For employees that need AGSVA security clearances, Anchoram also offers vetting in addition to our industry-leading insider threat services.
Please do not hesitate to contact any of the Anchoram team if you need actionable, people-focused training and advisory services.