With my internet of things camera, I always feel like somebody’s watching me
Security cameras have been an early – and continuing hit – in the internet of things revolution of always-connected homes and businesses. After all, the ability to remotely and affordably watch what is going on at your place is a very attractive proposition. But who is watching? Researchers have shown that you are not the only one following that security camera’s activity – hackers are watching too.
“Just an interesting” statistic? Not quite
Security is at the top of the IoT shopping list – and cameras are a big part of that. Gartner, a leading research and consulting firm, estimated that the total number of connected devices could hit 8.4 billion in 2017, a big jump of 31% from 2016. That count puts the number of these devices well over that of the 7.5 billion people inhabiting the earth – not just an interesting statistic.
Insecure by design
A significant number of internet of things devices – including CCTV cameras – are insecure by design. It’s not even possible to make some of them more secure as they’ve been made with hard-coded account names and passwords that can’t be changed. This approach transforms “security” into a big vulnerability just waiting to be exploited. Many devices also skip the basic security practice of inviting the user to change settings when using the device for the first time. But even when it’s possible to change passwords, people would rather not. It’s like changing your WiFi settings – given a choice, you’d rather not step into the mess.
Here comes the flood
In the past, researchers have found multiple cases of specific IoT cameras being hacked and subverted. But, these have been largely individual occurrences – a specific device or an individual network.
The launch of Mirai changed this situation dramatically. This malware scans the internet looking for online devices which are “protected” only by the default settings. Once it finds these devices, they are enslaved into a botnet – ready to do the evil overlord’s commands. As described by KrebsonSecurity, this botnet’s “Hit List” includes nearly seventy username and password combinations used by manufacturers – and some companies use the same default settings across their entire product lineup.
Hello teacher, what’s a DDoS
Normally, the internet works with a basic student-teacher relationship: student asks a question, teacher answers. When more students have questions, they need to wait their turn – and there is a bit of a slowdown. But with a DDoS (Distributed Denial of Service) attack with Mirai, the evil overlord gets an entire stadium full of online devices and directs them to pester the teacher with nonstop queries until the teacher or school collapses from the strain.
Mirai gives the internet a harsh lesson
After enslaving thousands, perhaps millions, of devices into its botnet, Mirai unleashed the largest DDoS attack yet seen in the history of the internet. The October 2016 attack against Dyn disrupted internet access across much of the US. It also potentially created a liability for some internet service providers when Dyn discovered them to be housing devices in this botnet. And for regular people owning those hacked devices? It’s not clear yet how things will change once these attacks would multiply. Will internet service providers consider penalizing their customers for their devices’ misdeeds?
Security starts at home
The first paradox from the Dyn attack is that it was largely caused by little-unsecured devices such as CCTV cameras. The second paradox is that it is almost impossible for you to know if your devices are secure or have been forced into a botnet army. At the moment, the only way to know is to search online for any issues connected to that particular model or manufacturer. For white-labeled devices – made by one manufacturer, but sold under a variety of brand names – the true identity can be buried deep under the cover.
Have a mindful experience while shopping for your next internet of things device. Have you considered securing the network, not just connecting smart devices to it? After all, you would not want your new camera to be caught launching the next biggest DDoS attack in history.