By now, you’ve probably heard about the massive cyber attack against a major U.S. internet company that occurred on Friday, October 21, 2016.
The DDoS attack brought down large parts of the web and was one of the biggest on record. Many people are now asking: who was responsible?
Certainly the hackers who launched the attack should take most of the blame. Security researchers are also pointing the finger at device manufacturers who fail to include basic security controls, allowing their devices to be easily hacked and forced to join website-crushing DDoS attacks (such as the one we experienced last Friday). Some have even called for new laws that penalize companies who negligently sell insecure products to consumers.
But what about the consumers themselves – do they bear any responsibility for securing their devices?
The Internet of Things
As consumers continue to buy Internet-connected gadgets like smart doorbells and IP cameras at a rapid pace, the Internet of Things (IoT) continues to grow. (Gartner estimates that nearly 6.4 billion connected “things” will be in use by the end of 2016.)
Recently, I saw firsthand how the IoT trend is exploding: in the connected home section at my local Best Buy. On full display at the front of the store were smart thermostats, smart lighting, smart baby monitors, “easy setup” security cameras, and more.
A huge variety of “smart” (i.e. “Internet-connected”) devices are now available for purchase. You can even buy a smart door lock for your home, allowing you to unlock your front door (and back door) with any Internet-connected smartphone. (But would you really want to?)
If the 10/21/16 DDoS attack is any indication, a dangerously high number of IoT devices are currently NOT employing even basic security controls.
Why is this a problem?
Because the connection your home IP camera uses to broadcast its signal to your smartphone is the same connection used by hackers to take remote control of your camera (and other connected devices in your home network).
If you don’t change your connected devices’ default username and password (or your router’s default login), it can be trivial for hackers to target and infect your connected IoT devices like security cameras.
In fact, we now know that the recently published (and now widely available) “Mirai” strain of malware was used in the attack on Friday. Mirai exploited weaknesses in IoT security (and in unchanged default username/password combinations) to take over a range of consumer-grade IP cameras and other “smart” devices, allowing hackers to force the devices to join their botnet and participate in the DDoS attack.
Why aren’t manufacturers building good security into their IoT devices?
The security problems posed by so many IoT devices have been a challenge for years. In fact, we first blogged about it in early 2014. (Hijacking Home Appliances)
An article which appeared nearly three years ago on Forbes.com also warned of the dangers of the half-baked security of our “Internet of Things”:
“It’s going to be an issue with all of these connected devices. [..] Hackers breaking into them is not any different from a house being broken into even though the door was locked. I can complain to the lock manufacturer, but they’ll say the lock isn’t perfect. It doesn’t mean the company is bad or the product is bad or that people shouldn’t have door locks. People are going to keep getting these home automation products because the benefits outweigh the risks. But when the lock is picked, we need to use that as an opportunity to improve the locks moving forward.”
The hackers interviewed for the article (who are themselves experts at breaking into security camera systems) say that it all boils down to money:
“The reason why [Internet of Things] vendors are not doing security better is that it’s cheaper not to do it. It’s expensive to build security in. The shopper in Best Buy will buy the camera for $40 not the one that’s $100. She doesn’t know or care about the security. There will be more and more hacks, not just of cameras but of lots of things. Eventually it will make people care, and it will be more expensive to be insecure than secure.”
Security doesn’t have to be expensive.
The hackers in the article correctly point out that there’s no such thing as “perfect security”: there’s bad security, and there’s good security (which typically costs more than the bad variety). You don’t have to spend a fortune to implement a few basic security measures to protect your home network, however.
Changing your devices’ default passwords and using strong, unique passwords on ALL of your accounts and devices (including your connected IoT devices) is an effective and crucial layer of protection against hacks. Using a password manager application will allow you to keep your accounts and devices organized and under control.
Most device and software companies give consumers the tools they need to secure their data – but it is the responsibility of the consumer to use these tools.