Your humble refrigerator could be a portal for hackers to launch online attacks.
That new Internet-connected security camera you just installed may be the next weapon in a hacker’s cyberattack. Or maybe it’s your connected teakettle, or your smart fridge or another one of your web-accessible household gadgets — any of which could be vulnerable to being hacked and used to launch online attacks.
The danger of insecure “Internet of Things” hardware has been obvious since at least 2013, when journalist Kashmir Hill memorably recounted how she took over the lights and other devices in strangers’ homes (with their permission) by exploiting poorly configured default settings.
The most likely weapons in the attack? IoT devices “exposed to the Internet and protected with weak or hard-coded passwords,” Krebs wrote in a post about the attack.
Quarantining the threat
After getting his site back online using Google’s Project Shield, an initiative launched to protect journalists and activists from censorship, Krebs urged collective action by Internet providers to quarantine attacks from hacked IoT gear.
DDoS attacks work when hackers exploit vulnerabilities in connected devices, like your thermostat, and conscript them into an army of machines that the hackers can remotely direct to flood websites or other services with requests for information, overwhelming the sites and knocking them offline.
Individual users are unlikely to notice that their devices have been hacked and enslaved into a botnet, but Internet providers can watch for “spoofed” traffic (packets carrying forged source addresses), a telltale sign of an attacker trying to hide a DDoS attempt.
In his post, however, Krebs expressed fear that US Internet service providers would pass on to customers the expense of deploying a basic filtering measure called BCP38 (“BCP” is short for “Best Current Practices,” making it a recommendation but not a requirement).
But one security expert who helps run an ongoing test of which providers and hosts deploy this screening said the picture wasn’t as bleak.
She added, though, that some providers seem to let too many spoofed packets through, calling out Frontier Communications (FTR) as one outlier.
Frontier spokesman Peter DePasquale said in an e-mail that the Norwalk, Conn., firm has BCP38 screening in place in the Fios fiber-optic markets it bought from Verizon in recent years and plans to extend that to its DSL markets.
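To make the BCP38 screening discussed above concrete, here is an added illustration (not code from the article or from any provider) of what an ingress filter at a provider's customer edge does: it knows which address prefixes were assigned to each customer-facing interface and drops any packet whose source address does not belong to the interface it arrived on. The interface names, prefixes and packets are constructed sample data.

```python
"""BCP38-style ingress (source address validation) filter, simulated."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: address prefixes the provider assigned per customer port.
ASSIGNED_PREFIXES: Dict[str, List[str]] = {
    "cust-a": ["198.51.100.0/24", "2001:db8:a::/48"],
    "cust-b": ["203.0.113.64/26"],
}

# Constructed sample packets: (ingress interface, source address, destination).
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("cust-a", "198.51.100.7", "192.0.2.10"),         # legitimate customer traffic
    ("cust-a", "203.0.113.70", "192.0.2.10"),         # cust-b's address on cust-a's port: spoofed
    ("cust-a", "2001:db8:a::1", "2001:db8:ffff::1"),  # legitimate IPv6 traffic
    ("cust-b", "203.0.113.9", "192.0.2.10"),          # outside cust-b's /26: spoofed
    ("cust-b", "8.8.8.8", "192.0.2.10"),              # unrelated source: spoofed
    ("cust-b", "203.0.113.70", "192.0.2.10"),         # compromised device using its real
                                                      # address: BCP38 cannot tell, forwarded
]


def compile_table(table: Dict[str, List[str]]):
    """Parse the per-interface prefix strings into network objects once."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in table.items()}


def is_spoofed(iface: str, src: str, compiled) -> bool:
    """A source is spoofed if it lies outside every prefix assigned to its port.
    Unknown interfaces have no prefixes, so everything from them is rejected.
    (ipaddress treats a v4 address in a v6 network as simply not contained.)"""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in compiled.get(iface, []))


def filter_ingress(packets, table=ASSIGNED_PREFIXES):
    """Split packets into (forwarded, dropped) according to the BCP38 rule."""
    compiled = compile_table(table)
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        (dropped if is_spoofed(iface, src, compiled) else forwarded).append((iface, src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = filter_ingress(SAMPLE_PACKETS)
    for pkt in drop:
        print("DROP spoofed source", pkt)
    for pkt in fwd:
        print("FORWARD", pkt)
```

The last sample packet shows the limit Beardsley raises later in the article: a hacked device sending with its genuine address passes this filter, so BCP38 stops address forgery, not the botnet itself.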
Curing the disease
But it’s not enough for Internet providers to raise shields around their subscribers.
“There are plenty of attacks that do not rely on forging source IP addresses,” wrote Tod Beardsley, senior security research manager at Rapid7. Even sending legitimate requests for information to websites from millions of compromised devices “would be enough of a stick to wield against most sites.”
And the people who own those hacked devices won’t know what’s going on until all that outbound traffic being directed by hackers starts to bog down their web connection. Or if the creep who hacked their smart-home hub starts toying with their lighting or heating.
“There is not even a way in general for an end user to discover whether a given device is hacked,” Claffy said. But getting customers to fix the underlying fault can be another issue.
Security researcher Matt Tait, whose Twitter handle is PwnAllTheThings, gave the example of a compromised camera: “Users here will have to either manually change the credentials on their IoT camera, or return the device to the store.” Would you like to coach a relative through this debugging exercise over the phone?
The ultimate fix must come from device manufacturers themselves. As Tait said, IoT gadgets have to arrive with secure default settings — no more passwords like “admin” or the ever-popular “password” — and the ability to update their own code securely and automatically.
“Decades of experience has shown that we can’t rely on software having zero exploitable vulnerabilities in them when sold,” he said.
I’m sure this January will bring a new round of smart-home pitches. And I’m also sure that I’ll be even more skeptical of them than I was at the start of this year. You should be too.