We love our webcams: they have been an early – and continuing – hit in the revolution of the connected smart home. After all, the ability to remotely and affordably watch your dog (or cat; maybe goldfish?), see what’s going on when you’re not at home and remotely view callers at your front door is a very attractive proposition. But who is watching? It may be that you’re not the only one watching your goldfish (or sleeping child); hackers could be watching too.
Gartner, a leading research and consulting firm, estimated that the total number of connected devices could hit 8.4 billion in 2017, a big jump of 31% from 2016. That count puts the number of these devices well over that of the 7.5 billion people inhabiting the earth – not just an interesting statistic. Security is at the top of the IoT must-do list and cameras are a big part of that.
A significant number of IoT devices – including cameras – are insecure by design. It’s not even possible to make some of them more secure as they have hard-coded account names and passwords that can’t be changed. This approach goes against ‘security’; in fact, it’s a big vulnerability just waiting to be exploited. Many devices also skip the basic security practice of inviting the user to change settings when using the device for the first time. But even when it’s possible to change passwords, people would rather not. It’s like changing your WiFi settings – given a choice, you’d rather not step into the mess.
In the past, researchers have found multiple cases of specific IoT cameras being hacked and subverted. But these have been largely individual occurrences – a specific device or an individual network. The launch of Mirai changed this situation dramatically. This malware scans the internet looking for online devices ‘protected’ only by the default settings. Once it finds these devices, they are enslaved into a botnet, ready to carry out its commands. As described by several authors such as Graham Cluley and KrebsOnSecurity, this botnet’s “Hit List” includes numerous default username and password combinations used by manufacturers – and some companies use the same default settings across their entire product lineup.
The botnet then corrupts the normal request-response operation of the internet with a Distributed Denial of Service (DDoS) attack, like the one orchestrated by Mirai. Under normal conditions, as the number of requests increases, operations slow down. Mirai directs a huge number of online devices to make nonstop requests until the target site collapses under the strain.
After enslaving thousands, perhaps millions, of smart home devices into its botnet, Mirai unleashed the largest DDoS attack yet seen in the history of the internet. The October 2016 attack against Dyn disrupted internet access across much of the US. If attacks of this nature become more common, one can only ponder the potential future implications for internet service providers (ISPs) and their customers – will there be penalties for the fallout that organizations endure as a result of problems caused by insecure devices?
The first paradox from the Dyn attack is that it was largely caused by small unsecured devices such as IoT cameras. The second paradox is that it is almost impossible to know if your devices are secure or have been forced into a botnet army. At the moment, the only way to find out is to search online for any issues connected to that particular model or manufacturer. For white-labeled devices – made by one manufacturer, but sold under a variety of brand names – the true identity can be buried deep under the cover.
A comprehensive approach to mitigate the problem of the vulnerable smart home is to secure the network. This is in contrast to a single-minded focus on securing individual IoT devices. It’s not to say that device security shouldn’t continue to be a priority, but security at the gateway can be particularly effective when the devices are tricky to secure. Gateway level security requires no additional hardware or installation; a software application is installed on routers. The application is easily delivered via those routers or the ISPs, is managed via a simple user interface and automatically secures the connected devices in the home. Router manufacturers and ISPs that safeguard their customers’ connected devices in this way ease the pressure on end users, bolster their own security offering and gain a competitive advantage in the race to stay ahead in the fight against cybercrime.