Old devices are often an easy target for cybercriminals, especially if they have exploitable vulnerabilities and no fixes are available due to their end-of-life, experts at global digital security company ESET warn.
Hacking old or vulnerable devices is an issue, but why would anyone try to hack devices that are no longer supported or running old software? To gain control? To spy on people? The answer is not simple.
Table of Contents
The end is near – for your device
There comes a time when a device becomes obsolete, either because it becomes too slow, or because its owner buys a new one, or because it lacks features compared to modern devices, with the manufacturer turning its attention to a new model and featuring the old one as an end-of-life (EOL) device.
At this stage, manufacturers stop marketing, selling or providing parts, service or software updates for the product. This can mean many things, but from our perspective, it means that the security of the device is no longer properly supported, leaving the end user vulnerable, says Márk Szabó from the ESET team.
After the end of support, cybercriminals start to gain the upper hand. Devices such as cameras, video conferencing systems, routers and smart locks have operating systems or firmware that, when they become outdated, no longer receive security updates, leaving the door open to hacking or other malicious use.
According to estimates, there are around 17 billion IoT (Internet of Things) devices in the world – from cameras to smart TVs – and this number is constantly growing. Let's assume that a third of them will be considered obsolete in five years. That would mean over 5,6 billion devices could be vulnerable – not immediately, but as support ends, the likelihood would increase.
All too often, these vulnerable devices can end up as parts of a botnet – a network of devices turned into zombies at the command of a hacker.
One man's trash, another man's treasure
A good example of a botnet exploiting vulnerable IoT devices was Mozi. This botnet was notorious for hijacking hundreds of thousands of internet-connected devices every year. Once compromised, these devices were used for various malicious activities such as stealing data and delivering malware payloads. The botnet was very persistent and capable of rapid expansion, but was neutralized in 2023.
Exploiting vulnerabilities in a device like an IoT camera could allow an attacker to use it as a surveillance tool and spy on you and your family. Remote cybercriminals could take over vulnerable Internet-connected cameras once their IP addresses are revealed, without first having access to the camera or knowing its passwords. The list of vulnerable IoT devices is long, with manufacturers not taking on the task of patching – indeed, this is not possible when a manufacturer has gone out of business.
Why would anyone use an old device that even the manufacturer doesn't support? Whether it's a lack of information or reluctance to buy a new product, the reasons can be many and logical. However, this does not mean that these devices should remain in use – especially when they stop receiving security updates.
Alternatively, why not give them a new purpose?
Old devices, new uses
Due to the abundance of IoT devices a new trend has emerged: the repurposing of old devices for new uses. For example, turning your old iPad into a home control device, or using an old phone as a digital picture frame or GPS in the car. The possibilities are many, but even in this case you should again consider the issue of security - these electronic devices should not be connected to the internet due to their vulnerable nature.
On the other hand, getting rid of an old device by throwing it away is not a good idea at all from a security perspective. In addition to the environmental angle of avoiding pollution, old devices can contain troves of confidential information collected during their lifetime.
Again, unsupported devices can end up as zombies in a botnet – a network of compromised devices controlled by an attacker and used for malicious purposes. These zombie devices most often end up being used for distributed denial of service (DDoS) attacks.
Botnets can cause a lot of damage, and it often takes a coalition (often consisting of law enforcement from multiple countries working with cybersecurity authorities and vendors) to neutralize or disrupt a botnet, as in the case of the Emotet botnet. However, botnets are very resilient and could re-emerge after a disruption, causing further incidents.
Smart world, smart criminals and zombies
There is much more that can be said about how smart devices offer more opportunities for fraudsters to take advantage of unsuspecting users and businesses.
The bottom line is that you should always keep your devices up-to-date, and when that's not possible, try to safely retire them (erasing old data), replace them with a new device after a safe retirement, or use them to a new purpose.
Old devices can become an easy target for cybercriminals, so by keeping them disconnected from the internet or stopping their use, you can feel safe and protected from any harm through them says ESET.