Avast revealed the findings of its research experiment into smart devices, including public and private webcam vulnerabilities in Spain, and, specifically, in Barcelona.

Avast identified more than 22,000 webcams and baby monitors in the city that are vulnerable to attack, which means that cybercriminals could livestream the videos directly to the Internet. The findings identified more than 493,000 smart devices in Barcelona and 5.3 million in Spain overall – including smart kettles, coffee machines, garage doors, fridges, thermostats and other IP-connected devices – that are connected to the internet and vulnerable to attacks.

In the experiment, Avast found:

More than 5.3 million vulnerable smart devices in Spain, and more than 493,000 in Barcelona

More than 150,000 hackable webcams in Spain and more than 22,000 in Barcelona

More than 79,000 vulnerable smart kettles and coffee machines in Spain

More than 444,000 devices in Spain using the Telnet network protocol, which is a type of protocol that has been abused to create the Mirai botnet which attacked Dyn in 2016, leading to the crash of Internet sites like Twitter, Amazon, Reddit, etc.

Conducted in partnership with IoT search engine Shodan.io, the experiment proves just how easy it is for anyone – including cybercriminals – to scan IP addresses and ports over the Internet and classify what device is on each IP address. And, with a little extra effort and know-how, hackers can also find out the type of device (webcam, printer, smart kettle, fridge and so on), brand, model and the version of software it is running.

“With databases of commonly known device vulnerabilities publicly available, it doesn’t take a vast amount of effort and knowledge for cybercriminals to connect the dots and find out which devices are vulnerable,” comments Vince Steckler, CEO at Avast. “And even if the devices are password protected, hackers often gain access by trying out the most common user names and passwords until they crack it.”

Invasion of privacy

As webcams and other devices are vulnerable, there are a range of security, legal and privacy concerns to be addressed. Snoopers could easily access and watch Mobile World Congress visitors and Barcelona residents in private and public spaces, and stream the video directly to the internet, or turn the device into a bot.

Smart device manufacturers also collect and store private user data, including behavioral data, contact information, and credit card details, which poses an additional risk if intercepted by cybercriminals. And while the problem is in no way confined to Barcelona, Spain, or indeed to webcams, it is particularly challenging for the city as it is hosting thousands of mobile and technology industry executives at Mobile World Congress 2017 this week.

From infection to attack

With hundreds or thousands of vulnerable devices, cybercriminals can create a botnet to attack and take down servers and websites. When a device is infected, it can also be used to infect other devices, to add them to a botnet, or to take control over them and do harm to their owner. This includes kitchen and other household devices, to which cybercriminals can give remote orders, for example, to heat up water in a kettle.