Canadians are being urged to think twice before plugging in cheap internet-connected devices, as cyber officials warn a growing number of smart products may already be compromised and helping criminals hide their activities online.
The threat, known as “BadBox,” is a botnet – a network of infected internet-connected devices controlled by cyber criminals – that can turn everyday household electronics into tools for fraud, scams and other cybercrime.
Bridget Walshe, associate head of the Canadian Centre for Cyber Security, said the issue affects so-called “internet of things” devices, including smart thermostats, refrigerators, lighting controllers and other products connected to home or business networks.
“Those are products that bring a lot of convenience, but are products that come with risk,” Walshe said in an interview with CTV News Channel Wednesday. “ Last year, when (we saw) the BadBox really spiking, there were up to 60,000 infections in Canada.”
Walshe said officials have already identified at least 30,000 infections in Canada so far this month, though she noted authorities are still counting.
What is a botnet?
A botnet is a collection of compromised devices that hackers use to conceal their identity and activities online.
Walshe said cyber criminals often gain access to devices through weak passwords, outdated software or vulnerabilities built into poorly secured products.
“They log into the device, they access it, and they use it to pretend and to make what they’re doing look like it’s coming from that home network or that small business network,” she said.
The tactic can make it harder for authorities to trace criminal activity back to the perpetrators.
“These sorts of actors online are conducting harm, they’re conducting criminal activities,” Walshe said. “They might be sending fraudulent messages to dupe people into scams, they might be stealing information from others.”
What should consumers do?
Walshe said consumers should be cautious when buying low-cost smart devices online, particularly products from unfamiliar sellers or manufacturers.
“You might be thinking you’re getting a great deal if you’re buying a device that seems too good to be true,” she said. “Maybe it is.”
She encouraged consumers to research products before purchasing them and ask whether devices receive software updates and ongoing support.
Experts also recommend changing default passwords, enabling security updates and reviewing online product reviews before connecting devices to home networks.
What if your device is infected?
Walshe said internet providers or law enforcement may sometimes notify households or businesses if a device on their network appears to be linked to a botnet.
“If you are ever contacted by your telecommunications company … do engage with the telco, take the device offline, bring it down,” she said.
Walshe said removing infected devices from networks can help reduce the size and effectiveness of botnets.
She added that cybersecurity risks are not limited to smart appliances alone and can also stem from weak passwords or poor network security practices more broadly.
“Think about when you buy these things, not just about ‘is this the right thing to buy?’ but ‘how do I set it up?’” Walshe said.
The Canadian Centre for Cyber Security provides advice for securing smart devices and home networks through its Get Cyber Safe program.
