Your home might be secretly carrying out cyberattacks
As millions of ordinary home products connect to the internet, malicious hackers are finding new ways of exploiting security weaknesses in connected digital video recorders, cameras, and refrigerators.
Now, it appears that they've discovered how to turn tens of thousands of those insecure devices into massive botnets, which are collections of malware-infected computers. They're finding ways to take down websites with distributed denial of service, or DDoS, attacks designed to overload them with traffic.
Basically, your everyday appliances could be weapons in a cyberattack without you even knowing.
Two websites taken down by relentless DDoS attacks in recent weeks drew attention to the dangers of the next-generation botnets, and the fragilities of the so-called Internet of Things (IoT), the phenomenon of connecting everything from home lighting to security systems to the internet.
In the attack on security blogger Brian Krebs, for instance, hackers harnessed the power of what is believed to be hundreds of thousands of hacked internet-connected devices (such as digital video recorders, home routers, and connected security cameras) to take down his site.
The attack on Mr. Krebs generated more than 600 gigabits per second of traffic. There was another attack on a leading French internet service provider, involving a massive 1 Terabit per second volume.
This is staggering. By contrast, the median DDoS attack last quarter generated about 3.8 gigabits of traffic, according to Akamai Technologies, a company that helps businesses divert large DDoS attacks.
The reason IoT devices are so vulnerable is that security in many of these devices is almost nonexistent, say many security experts. Manufacturers of devices such as DVRs and have given little thought to the security implications of allowing their devices to connect to the internet, they say.
Security just isn't a priority, says Elias Manousos, cofounder at RiskIQ, a cybersecurity firm. "The business model is focused on building and selling as many units as possible," he says.
"Because these devices are hardware, they are not easy to update and the firmware becomes more and more out of date the longer they sit on shelves," Mr. Manousos says. "Hackers can easily exploit these devices since known vulnerabilities never get fixed."
Analyst firm Gartner Inc. estimates that there will be an astounding 6.4 billion connected "things" in use worldwide by the end of this year, up 30 percent from last year. By 2020, Gartner estimates the number will reach 20.8 billion. Many of these IoT devices will be in connected cars and in equipment, facilities, and machinery that businesses use.
But consumer uses will represent a vast majority of connected things, Gartner says. This year, for instance, nearly 4 billion of all IoT devices will be those designed for consumer use. The number will rise to over 13 billion by 2020.
The recent attacks highlighted one way attackers could benefit from insecure IoT devices. But there are other risks, as well. A vulnerable IoT device can give attackers an entry point into the home or corporate network. "The risk depends heavily on the type of IoT device," says Brian Russell, chair of the Cloud Security Alliance IoT Working Group.
"For example, a consumer IoT device that ships with flaws might expose private information or conversations within a household," Mr. Russell says. "An IoT device that is installed in a hospital might expose sensitive medical information."
Similarly, a faulty network-enabled component in a connected car could cause the vehicle to crash, or an implantable medical device could stop functioning properly because of a security glitch, he said. "It's clear that IoT devices often suffer from basic security issues."
Consumers can help alleviate some of the risks by taking some fundamental precautions like changing the default username and password on a device before connecting it to the Internet. The malicious code used in the Krebs attack, for instance, hunted for systems with stock usernames and passwords.
"[But] it's not just up to consumers to help keep IoT devices secure," Russell says. "Security starts at the development level. IoT manufacturers need to engineer security into their product at every level of the development cycle. Changing passwords only goes so far."