I’m glad you asked! You may have heard about a little something the talking heads (not the rock band, but those folks on TV, radio, magazines, social influencers, internet news sites, etc.…) call the “Internet of Things (IoT)”. This “Internet of Things” is making some news again as of late, especially as it pertains to security. At ISHPI , we do control and limit these devices very carefully. But at home, all the cool technology we have acquired to make our lives easier by automating and making decisions for us without human-to-computer interaction (think: any device that you had to set up to communicate on your network that does its job without you in front of a keyboard), brings with it a security risk. Not trying to scare you, just alert you to the need to make sure you do more than just “plug and play”.
Most of the devices – from routers and DVRs to internet enabled thermostats, cameras, and TVs, to baby monitors, and robot vacuums that connect to the internet for you to monitor and control, – come from the factory with a pre-set admin account set up with a default password, that a quick search will reveal to EVERYONE. These devices are always communicating and sending out their data. However, unlike the PCs and mobile devices that we update (or should be updating 😉) regularly and change the default passwords, on IoT devices, they rarely are changed.
Which leads me to the second question of this month’s CyberBytes: “should I care”? YES! As you can read in the article below, hackers were able to bring down a university’s network by hacking into devices that were connected to the network and forcing them to inundate the servers with searches (a textbook Denial of Service (DoS) attack). Then the creators used it to gain advantages in on-line gaming (DDoS attacks against other players) but there was “collateral damage”, and when the authorities started getting close, they released the code on the internet to muddy the origins of the malware (they were caught, but their code lives on and has continued to get better and spread). It is called the Mirai BotNet. It is malware that infects smart devices, turning them into a network of remotely controlled bots or “zombies”. The Mirai botnets (there are different iterations of the tool) scour the internet for unsecured smart devices and seizes control of them to create a network of bots capable of spreading Malware, creating DDoS attacks, phishing attacks, and more.
Similarly, your IoT devices, if they are not updated, have default passwords changed, and are accessible to bad actors (either on your home network or the internet), could be hacked and used to bring down your home network, infect and plant malware on your devices. They could also be used with other hacked devices in larger distributed attack (DDoS), to bring down even more – and it will look like it came from your house when authorities start doing the analysis! Not to mention, if hackers gain access to these devices on your network, in addition to whatever information may be being transmitted, they gain access to your network too! And, as the number of internet enabled devices are expanding exponentially, it is more critical than ever to start applying the same security principles to these devices.
So, my recommendation (on top of making sure your network is as secure as you can make it to thwart a hacker from even getting to one of these devices) is to make sure you READ THE MANUAL of any device you put on your network and if you can, change the default password and learn how to keep them updated.
How lights, Vending machines, and refrigerators brought a network down
And
more light reading around IoT
Newsletter by: Rob Collings, ISHPI’s VP of Cybersecurity | CISO
July 5, 2023
