That new Internet-connected security camera you just installed may be the next weapon in a hacker’s cyberattack. Or maybe it’s your connected teakettle, or your smart fridge or another one of your web-accessible household gadgets — any of which could be vulnerable to being hacked and used to launch online attacks.
The danger of insecure “Internet of Things” hardware has been obvious since at least 2013, when journalist Kashmir Hill memorably recounted how she took over the lights and other devices in strangers’ homes (with their permission) by exploiting poorly-configured default settings.
Unfortunately, connected devices haven’t gotten much more secure since then — a 2015 study by HP Enterprise found that six out of 10 popular IoT gadgets had vulnerabilities that could be exploited by hackers. That risk became a reality two weeks ago when cybersecurity reporter, and my onetime Washington Post colleague, Brian Krebs had his site forced offline by a sustained, massive distributed-denial-of-service (DDoS) attack.
The most likely weapons in the attack? IoT devices “exposed to the Internet and protected with weak or hard-coded passwords,” Krebs wrote in a post about the attack.
Quarantining the threat
After getting his site back online using Google’s Project Shield, an initiative launched to protect journalists and activists from censorship, Krebs urged collective action by Internet providers to quarantine attacks from hacked IoT gear.
DDoS attacks work when hackers exploit vulnerabilities in connected devices, like your thermostat, and conscript them into an army of machines that the hackers can remotely direct to flood websites or other services with requests, overwhelming the targets and knocking them offline.
Individual users are unlikely to notice that their devices have been hacked and enslaved into a botnet, but internet providers can watch for “spoofed” traffic, packets whose source address is forged so that they appear to come from somewhere else, a telltale sign of an attacker trying to hide a DDoS attempt or to bounce it off third-party servers at a victim.
In his post, however, Krebs expressed fear that US internet service providers would pass on the expense of deploying a basic filtering measure called BCP38 to customers. (“BCP” is short for “Best Current Practice,” an Internet standards-track recommendation rather than a requirement; BCP38, also published as RFC 2827, asks providers to drop packets arriving from a customer connection whose source address is not one assigned to that customer.)
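To make that filtering rule concrete, here is an added example (not code from the article or from any of the providers it names) of what a BCP38 ingress check does at an access router: each customer port is associated with the address prefixes the customer was assigned, and a packet arriving on that port with any other source address is treated as spoofed and dropped. The port names, prefixes and sample packets are all constructed for illustration; the addresses come from the reserved documentation ranges.

```python
"""Added example (not from the article): a minimal BCP38 / RFC 2827
ingress filter for a single access router. The router knows which source
prefixes each customer-facing port may legitimately originate; anything
else arriving on that port is a forged source address and is dropped.
Port names and prefixes below are assumptions made for this example."""
import ipaddress
from typing import Dict, List, Tuple

Packet = Tuple[str, str, str]  # (ingress port, source address, destination)

# Hypothetical access-router configuration: the prefixes assigned to the
# customer behind each port. A real router would derive this from its
# routing or DHCP/PPP session state rather than a static table.
PORT_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "gi0/1": [ipaddress.ip_network("203.0.113.0/29")],
    "gi0/2": [ipaddress.ip_network("198.51.100.64/28")],
}


def source_allowed(port: str, src: str) -> bool:
    """BCP38 test: is the packet's source address inside a prefix that
    was assigned to the port it arrived on? A port with no assigned
    prefixes can never source traffic, so everything from it fails."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PORT_PREFIXES.get(port, []))


def ingress_filter(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Apply the check to a batch of packets; return (forwarded, dropped)."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        port, src, _dst = pkt
        (forwarded if source_allowed(port, src) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic. 192.0.2.10 plays the DDoS victim; the forged
# packets carry its address as the *source* so that whatever server they
# reach will answer the victim instead of the real sender.
SAMPLE_PACKETS: List[Packet] = [
    ("gi0/1", "203.0.113.5", "192.0.2.10"),    # genuine customer traffic
    ("gi0/1", "192.0.2.10", "198.51.100.1"),   # spoofed: victim's address as source
    ("gi0/2", "198.51.100.70", "192.0.2.10"),  # genuine customer traffic
    ("gi0/2", "203.0.113.5", "192.0.2.10"),    # spoofed: another customer's prefix
    ("gi0/9", "10.0.0.1", "192.0.2.10"),       # port with no assigned prefixes
]


if __name__ == "__main__":
    ok, bad = ingress_filter(SAMPLE_PACKETS)
    for pkt in ok:
        print("FORWARD", pkt)
    for pkt in bad:
        print("DROP   ", pkt)
```

Two things worth noticing in the sample run. The check only works at the edge, where the router can still tie a port to a customer; a few hops into the core every address looks equally plausible, which is why BCP38 is something each provider has to deploy for its own subscribers. And the first genuine packet from gi0/1 passes the filter whether or not the device sending it is part of a botnet: BCP38 catches forged source addresses, not floods of honestly addressed requests from compromised gadgets.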
But one security expert who helps run an ongoing test of which providers and hosts deploy this screening said the picture wasn’t as bleak.
Recent tests of US providers by the Center for Applied Internet Data Analysis’ (CAIDA) Spoofer Project found that AT&T (T), Comcast (CMCSA) and Verizon (VZ) all generally caught and blocked spoofed traffic.
“Based on the available data, the largest US consumer internet providers are doing a pretty good job,” wrote Kimberly Claffy, founder and director of the Center for Applied Internet Data Analysis (CAIDA), a research group based at the University of California’s San Diego Supercomputer Center.
Frontier spokesman Peter DePasquale said in an e-mail that the Norwalk, Conn., firm has BCP38 screening in place in the Fios fiber-optic markets it bought from Verizon in recent years and plans to extend that to its DSL markets.
Curing the disease
But it’s not enough for Internet providers to raise shields around their subscribers.
“There are plenty of attacks that do not rely on forging source IP addresses,” wrote Tod Beardsley, senior security research manager at Rapid7. Even sending legitimate requests for information to websites from millions of compromised devices “would be enough of a stick to wield against most sites.”
And the people who own those hacked devices won’t know what’s going on until all that outbound traffic being directed by hackers starts to bog down their web connection. Or if the creep who hacked their smart-home hub starts toying with their lighting or heating.
“There is not even a way in general for an end user to discover whether a given device is hacked,” Claffy said. But getting customers to fix the underlying fault can be another issue.
Security researcher Matt Tait, whose Twitter handle is PwnAllTheThings, gave the example of a compromised camera: “Users here will have to either manually change the credentials on their IoT camera, or return the device to the store.” Would you like to coach a relative through this debugging exercise over the phone?
The ultimate fix must come from device manufacturers themselves. As Tait said, IoT gadgets have to arrive with secure default settings — no more passwords like “admin” or the ever-popular “password” — and the ability to update their own code securely and automatically.
“Decades of experience has shown that we can’t rely on software having zero exploitable vulnerabilities in them when sold,” he said.
But “free and automatic security fixes for life” is a tough sales pitch for any company to make. Google (GOOG) can brag about how automatic patches for its OnHub WiFi routers keep customers’ networks secure, but a company as big as Samsung wasn’t ready to promise any set period of bug fixes for its Family Hub smart refrigerator at its CES unveiling this January.
I’m sure this January will bring a new round of smart-home pitches. And I’m also sure that I’ll be even more skeptical of them than I was at the start of this year. You should be too.