Webcam hack shows vulnerability of connected devices
Following the news announced by Philip Hammond, Chancellor of the Exchequer, that the UK government will invest £1.9bn in a new National Cyber Security Strategy, the hacking threat clearly needs to be taken seriously at all levels.
In October, a massive hack executed via millions of web cameras, printers and baby monitors hijacked by a botnet made worldwide news after it had taken down some very high-profile websites.
The incident, described as the largest denial-of-service attack to date, sparked concerns about the cyber security (or lack thereof) of Internet-of-Things (IoT) devices and connected home technology.
The 1.2Tbit/s attack targeted primarily the American domain name service provider and internet infrastructure operator Dyn. The firm’s clients, including Twitter, Paypal, Spotify, Amazon, CNN, and the Wall Street Journal found their websites inaccessible by users on the US east coast and in Europe.
Described by Reuters as ‘a stunning breach of global internet stability’, the attack came as no surprise to cyber-security experts, who have been complaining for years about the vulnerability of IoT technology and the lack of manufacturers’ consideration.
“The inherent lack of security focus exhibited by IoT vendors has suggested this day has been coming for a long time,” Chester Wisniewski, senior security advisor at cyber-security firm Sophos, told E&T. “What surprised many of us was that it was accomplished by attacking a DNS provider. Attacks like the one on krebsonsecurity.com and OVH are more indicative of past behaviour, and going after a third party as large as Dyn was both surprising and extremely concerning.”
The attack was executed through malware called Mirai, which turns Linux-based devices into remotely controlled bots. Mirai, Japanese for future, scans the internet for IP addresses of IoT gadgets and logs into them using a table of factory default usernames and passwords. Once under Mirai’s spell, the affected device keeps functioning normally but secretly monitors a command and control server that instructs it to start sending data packets to the target of the attack.
Chinese webcam maker Hangzhou Xiongmai Technology has recalled 10,000 devices in the wake of the attack and urged users to update their passwords. However, the problem extends far beyond one manufacturer.
“Sadly, most of these vulnerabilities cannot be addressed as we rushed headlong into deploying these allegedly ‘smart’ things without any consideration for their liabilities,” said Wisniewski. “The horse has left the barn. All we can do now is to try to prevent future incidents by learning from our errors.”
Most of these systems are not designed to be updated and can’t even have their passwords changed. That, unfortunately, involves Wi-Fi routers, the gateways of every home and office network, which can also be targeted by Mirai.
“If you look at an average router you can buy from a shop, it comes with firmware that is not designed to ever be updated,” said Ondrej Filip, CEO of Czech domain administrator NIC.cz, which has recently launched what it describes as the world’s first hack-proof router.
The user usually has no way of finding out whether his or her router has been hacked. An unprotected router further offers an easy way into the home network for an attacker with medium skills, putting private data at risk but also giving access to other unprotected devices.
“There was a case with some toys for kids that were sending data to the company,” Filip remarked. “That’s quite worrying. The toy was essentially talking to the kid and the kid’s voice was transmitted to some external party.”
Sophos’s Wisniewski agrees there is not enough pressure on manufacturers of IoT technology to take cyber security seriously.
“Even if we purchase better designed products, our neighbours who don’t will have their devices hacked and used against the rest of us,” he said. “The only approach to solving this is to find a way to ensure the designers of these products take their responsibilities seriously and ensure that they not only design to a bare minimum standard of safety, but provide fixes as needed when their defences are found inadequate.”
In the meantime, there is an immediate lesson to be learned for the victims of the October hack. That lesson is redundancy: using multiple DNS and infrastructure providers to have a back-up in case of an attack.
As the Mirai code is publicly available online, more attempts to exploit unprotected systems are to be expected.
Cyber security is likely to stay in the spotlight for the foreseeable future. The Internet of Things is penetrating industry and entering factories. The stakes are getting higher. There have been reported system breaches at nuclear power plants and power grid operators. The only solution is to be prepared.
The UK is investing £1.9bn into a new National Cyber Security Strategy, aiming to develop automatic defences to help protect businesses and citizens online, and beef up the country’s cyber workforce to help defend against attacks.
The money, to be invested over the next five years, represents a doubling of the funding provided for cyber defence over the 2011-2016 period. Experts say this signals that UK establishment recognises the risks.
Details of the strategy have not been disclosed, but IET cyber-security expert Professor Roy Isbell hopes enough attention will be paid to educating people about risky behaviours. “Organisations typically invest millions in cyber-security measures and protection, but frequently only train one or two members of staff,” he said. “Having the plans is not enough – it’s far more important that people at all levels of an organisation, including its leadership, can implement them effectively. It’s also vital to understand the risk of social engineering and that humans are the ‘weakest link’.”
Hillary Clinton could testify to that. Her campaign’s chairman John Podesta had his personal Gmail account hacked after falling for a simple phishing trick. The incident led to over 50,000 emails being stolen, some of which have been published on the WikiLeaks website.