IoT Security News Just Gets Worse

Category: Security

It was bad enough to learn that millions of “Internet of Things” devices have deplorably poor security. But now we learn that many IoT devices also have a backdoor built into them that hackers can exploit. Read on to understand this new threat and see what you can do about it...

All Connected Devices Need Strong Passwords

Every home Internet router has a Web-based administrator console, a set of Web pages that allow the owner to manage a myriad of router and network settings. Username/password credentials are required to access the console. Routers ship from the factory with default credentials that are widely known among hackers. Quite commonly, the username and password for a router is "admin" and "password". But if you change the default credentials to something reasonably complex that only you know, then your router should be safe from intruders, according to conventional wisdom.

Unfortunately, millions of routers have a remote access method that can be used to access the router for the purposes of updating firmware or performing remote troubleshooting. This gateway is not Web-based; instead, a remote-access protocol such as telnet or SSH (Secure Socket SHell) is used to access the router. I advise you first to login to your router, and choose a new username and (non-trivial) password. If you don't know the router's login credentials, ask your Internet provider. Sometimes they are printed on a sticker sttached to the router.

IoT Security - Passwords

Next, look in the router settings to see if there is a "remote access" or "remote administration" option. If it's there, make sure it is turned off or disabled. Since there are many different routers, each with their own unique configuration screens, I can't give specific instruction here for doing that. If your Internet provider supplied you with the router, they should be able to help you find and change those settings. If not, check the manual or Google it.

Most users are unaware of this hidden backdoor. A malware package called Mirai spreads itself from device to device via telnet or SSH. Mirai incorporates code that scans the Internet for more vulnerable devices, and other modules that wreak assorted havoc on the infected devices. By taking advantage of the fact that many users never change the default login credentials, it can turn a device into a botnet slave that can help launch a denial-of-service attack against any Web site, or send millions of spam emails. It may contain code that scans an infected network for bank account data, Social Security Numbers, and other means of identity theft. The possibilities for mischief are limitless.

Not Just Routers

In my article SECURITY TIP: Lock Down Your WiFi Router you'll find more tips to secure your router, and the wi-fi signal it broadcasts. That article also explains that your router has TWO passwords -- one to login to the router settings, and another that enables Wi-Fi connections.

I have been talking about routers, but it’s important to understand that any IoT device can have this same vulnerability. That includes Internet-connected cameras, baby monitors, DVRs, light bulbs, coffee makers, refrigerators, door locks, door bells, and even printers.

In some cases, there is no simple and certain action consumers can take to protect themselves from this threat. The backdoor vulnerability has been found in cheap IoT devices made by Chinese firms such as Dahua. These older products have hard-coded passwords that cannot be changed, and firmware that cannot be updated remotely; the physical chip that holds the firmware must be replaced. If you have any Dahua products that were made prior to January 15, 2015, you should contact the company to get a replacement. Likewise, if you can't find a way to change the login credentials for any Internet-connected device, contact the vendor and see if there is a fix, or replacement available.

Some IoT makers have eliminated factory-default credentials and now require users to create strong passwords while setting up a product. Hikvision, Samsung, and Panasonic are among the vendors that have taken this new and effective approach. It’s worth looking for when shopping for a new IoT device.

In the long term, cybersecurity standards will be written and promulgated by governments and industry associations. The European Commission has just started a committee to write cybersecurity standards. Underwriters Laboratory has launched a Cybersecurity Assurance Program (UL CAP), a set of security standards that manufacturers can implement to obtain UL certification of their products. But these efforts won’t bear much fruit for several years.

The best advice I can offer right now is pretty standard. Change the password of every internet-connected device that has one to something strong and unique. Keep your router’s firmware up to date with the latest security patches. If your router implements WPS (WiFi Protected Setup), disable it. (See my article See WPS Security Flaw: Are You Vulnerable?) And as I mentioned earlier, make sure that your router has a username and password that you choose, not the factory default.

Your thoughts on this topic are welcome. Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 17 Oct 2016

For Fun: Buy Bob a Snickers.

Prev Article:
[LOCKED] Extra Security for Your Google Accounts

The Top Twenty
Next Article:
[FIXIT] Hard Drive Data Recovery Services

Most recent comments on "IoT Security News Just Gets Worse"

Posted by:

Max Granger
17 Oct 2016

Users should have recourse through latent defects that is not revealed in the original manual for the product when purchased. H.P. printers is one product that loads items onto the menus that you don't need and wont allow them to be remove otherwise they advise the product may not work correctly. Why do I need to do any online purchases? why does HP say the cartridge is empty and yet the cartridge is wet with ink. A removal of the software and a new reload gave me a lot more printed pages. This is my last HP product from this useless company.

Posted by:

17 Oct 2016

Your list is extensive, but you left out thermostats. I don't and won't have one because I don't need anyone adjusting the temperature in my house except me. It's almost as bad as trying to not be on camera when you leave your house. Now EVERYTHING is EVERYONE ELSE'S business.

Posted by:

17 Oct 2016

This is much bigger, and has been going on for much longer, than most people know or understand. If you want the big picture - and it's scary - you might start with Neil Postman's "Technopoly," written all the way back in 1992, and maybe have a look at some of his references. Then, if that went down OK, try Evgeny Morozov's "The Net Delusion: The Dark Side of Internet Freedom" and "To Save Everything, Click Here: The Folly of Technological Solutionism."

You can also sample lots of all this by Googling it, and Morozov's writing is easy to find.

Ultimately, the scariest thing about what's happening, in IoT and digital technology in general is that all the warnings have been there all along, right out in the open, and that says things about people and our world that...'ll see, if you read any of this, and if you believe it.

Posted by:

Grand Pa Ken
17 Oct 2016

I like and appreciate your website. This is my first time to make a comment. (I posted a question in the box above before getting to this Comments section.)

My cable modem wireless router is provided by my cable service provider (Bright House). They assigned my password for my Security type: WPA2-Personal WiFi (Broadcom 802.11ac Network Adapet) router, and told me I didn't want to change anything so they can update my firmware.

Should I change things anyway or buy my own router or what?

EDITOR'S NOTE: If they can remotely login to your router, there's a chance that Someone Else can also do that. Some ISPs assign easily guessable passwords, which make you an easy target for hackers. If your ISP alerts you that your firmware ever needs updating, you can handle it as an exception.

Posted by:

Daniel Wiener
17 Oct 2016

Unfortunately I've had so many problems in the past getting my DSL modem/router to work with wifi extenders and ethernet-connected extenders that I don't dare fiddle with names and passwords. Otherwise something is likely to stop working, and then I'll be spending hours trying to fix it and/or talking on the telephone to a tech support person who doesn't really understand the equipment but can only go through his scripts and trouble-shooting trees. (e.g., Him: "First try turning off all your devices and your computer, wait 30 seconds, and turn them back on." Me: "I've already done that." Him: "Well, let's first try it again.") So for me the lower risk is to just leave well enough alone.

Posted by:

Robert A.
17 Oct 2016

We truly need to ask ourselves this: Do we really, really, really need to have every last damned device in our personal world have some sort of connection the world wide web, or do we do it only because it is a "cool" thing to do - technology that ultimately robs us of ability to reason for ourselves, as well as or connection to the rest of humanity.

For example, GE Appliances just recently announced that many of its products will now have the capability to automatically reorder the owner's personal inventory of laundry and dishwashing detergent pods and dryer softener sheets, as well as other consumables, via the Amazon Dash service, once the inventory level has fallen below a pre-set amount. Samsung, likewise, has a few new refrigerators with built-in inside cameras that can see the contents of the refrigerator, and also reorder certain products, if programmed to do so, with out any effort on the part of the owner.

Have we become so lazy and/or brain dead these days that we can't break away from our glowing screens, to take a moment and exercise out minds and bodies, and actually check out things happening in our worlds, and interact with the rest of humanity. It's not killing anybody to give a look-see, make a list, and run over to the supermarket, seeing what's new, and even actually interacting with other persons. Some technology is very overrated!

Posted by:

17 Oct 2016

Firstly, I want to say "Well said" to Robert A!!!

Secondly, I did actually change the username and password required to log in to my router. But wouldn't disabling "remote access" or "remote administration" prevent your ISP from performing vital firmware updates on it?

Thirdly, am I seriously deluded for believing that our Firewalls and programs called Total Internet Security can protect our routers from hackers/viruses as well as our computers?

Posted by:

Neville Gordon
18 Oct 2016

Bob - thanks for the guidance on the router. But as for the IoT, I am quite happy for our appliances like the fridge, coffee maker, air conditioner, lights, etc to be "dumb" items (not Internet connected). And the brass keys for the doors cannot be hacked by any software. Not so sure about our new car though - it is Internet/GPS connected. I will recheck with the supplier to assess the risks of "hijacking".
I also bought a "non-smart" phone to use just for making and receiving calls and text.

Posted by:

vilas vartak
18 Oct 2016

artical is essential. explained nicely but it bcome simple if presented in FORMAT OF "HOW TO DO OR HOW TO WORK "


Posted by:

18 Oct 2016

To Robert A: Thank you for those very insightful thoughts on the negative aspects of what technology has done to our society. We are losing our humanity.

That said,another negative part of all this is the constant worry we now have of security concerns, hackers stealing very sensitive information (as this article points out) malware of all sorts etc. We have now just learned of a very disturbing, and until I read this article, an unknown worry that requires still more action on our part to protect ourselves. I shudder to think how many people have already had their lives turned upside by identity theft or their devices taken over. Thanks to Bob for the heads up.

Posted by:

27 Oct 2016

When I first changed to Uverse, they provided a combined router/wife with poor access. I could change my wifi signal password, but not the password to get into administrative settings. I demanded a new one.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- IoT Security News Just Gets Worse (Posted: 17 Oct 2016)
Copyright © 2005 - Bob Rankin - All Rights Reserved