IoT Security News Just Gets Worse
It was bad enough to learn that millions of “Internet of Things” devices have deplorably poor security. But now we learn that many IoT devices also have a backdoor built into them that hackers can exploit. Read on to understand this new threat and see what you can do about it...
All Connected Devices Need Strong Passwords
Every home Internet router has a Web-based administrator console, a set of Web pages that allow the owner to manage a myriad of router and network settings. Username/password credentials are required to access the console. Routers ship from the factory with default credentials that are widely known among hackers. Quite commonly, the username and password for a router is "admin" and "password". But if you change the default credentials to something reasonably complex that only you know, then your router should be safe from intruders, according to conventional wisdom.
Unfortunately, millions of routers have a remote access method that can be used to access the router for the purposes of updating firmware or performing remote troubleshooting. This gateway is not Web-based; instead, a remote-access protocol such as telnet or SSH (Secure Socket SHell) is used to access the router. I advise you first to login to your router, and choose a new username and (non-trivial) password. If you don't know the router's login credentials, ask your Internet provider. Sometimes they are printed on a sticker sttached to the router.
Next, look in the router settings to see if there is a "remote access" or "remote administration" option. If it's there, make sure it is turned off or disabled. Since there are many different routers, each with their own unique configuration screens, I can't give specific instruction here for doing that. If your Internet provider supplied you with the router, they should be able to help you find and change those settings. If not, check the manual or Google it.
Most users are unaware of this hidden backdoor. A malware package called Mirai spreads itself from device to device via telnet or SSH. Mirai incorporates code that scans the Internet for more vulnerable devices, and other modules that wreak assorted havoc on the infected devices. By taking advantage of the fact that many users never change the default login credentials, it can turn a device into a botnet slave that can help launch a denial-of-service attack against any Web site, or send millions of spam emails. It may contain code that scans an infected network for bank account data, Social Security Numbers, and other means of identity theft. The possibilities for mischief are limitless.
Not Just Routers
I have been talking about routers, but it’s important to understand that any IoT device can have this same vulnerability. That includes Internet-connected cameras, baby monitors, DVRs, light bulbs, coffee makers, refrigerators, door locks, door bells, and even printers.
In some cases, there is no simple and certain action consumers can take to protect themselves from this threat. The backdoor vulnerability has been found in cheap IoT devices made by Chinese firms such as Dahua. These older products have hard-coded passwords that cannot be changed, and firmware that cannot be updated remotely; the physical chip that holds the firmware must be replaced. If you have any Dahua products that were made prior to January 15, 2015, you should contact the company to get a replacement. Likewise, if you can't find a way to change the login credentials for any Internet-connected device, contact the vendor and see if there is a fix, or replacement available.
Some IoT makers have eliminated factory-default credentials and now require users to create strong passwords while setting up a product. Hikvision, Samsung, and Panasonic are among the vendors that have taken this new and effective approach. It’s worth looking for when shopping for a new IoT device.
In the long term, cybersecurity standards will be written and promulgated by governments and industry associations. The European Commission has just started a committee to write cybersecurity standards. Underwriters Laboratory has launched a Cybersecurity Assurance Program (UL CAP), a set of security standards that manufacturers can implement to obtain UL certification of their products. But these efforts won’t bear much fruit for several years.
The best advice I can offer right now is pretty standard. Change the password of every internet-connected device that has one to something strong and unique. Keep your router’s firmware up to date with the latest security patches. If your router implements WPS (WiFi Protected Setup), disable it. (See my article See WPS Security Flaw: Are You Vulnerable?) And as I mentioned earlier, make sure that your router has a username and password that you choose, not the factory default.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 17 Oct 2016
|For Fun: Buy Bob a Snickers.|
[LOCKED] Extra Security for Your Google Accounts
The Top Twenty
[FIXIT] Hard Drive Data Recovery Services
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- IoT Security News Just Gets Worse (Posted: 17 Oct 2016)
Copyright © 2005 - Bob Rankin - All Rights Reserved