Modern field guide to security and privacy
A connected refrigerator by LG displayed at an electronics show in Berlin in September.
Stefanie Loos/Reuters | Caption

Your home might be secretly carrying out cyberattacks

Criminal hackers have shown they can take over connected home devices and turn them into zombie networks that carry out debilitating online attacks. 

As millions of ordinary home products connect to the internet, malicious hackers are finding new ways of exploiting security weaknesses in connected digital video recorders, cameras, and refrigerators.

Now, it appears that they've discovered how to turn tens of thousands of those insecure devices into massive botnets, which are collections of malware-infected computers. They're finding ways to take down websites with distributed denial of service, or DDoS, attacks designed to overload them with traffic. 

Basically, your everyday appliances could be weapons in a cyberattack without you even knowing. 

Two websites taken down by relentless DDoS attacks in recent weeks drew attention to the dangers of the next-generation botnets – and the fragilities of the so-called Internet of Things (IoT), the phenomenon of connecting everything from home lighting to security systems to the internet.

In the attack on security blogger Brian Krebs, for instance, hackers harnessed the power of what is believed to be hundreds of thousands of hacked internet-connected devices – such as digital video recorders, home routers, and connected security cameras – to take down his site. 

The attack on Mr. Krebs generated more than 600 gigabits per second of traffic. There was another attack on a leading French internet service provider, involving a massive 1 Terabit per second volume. 

This is staggering. By contrast, the median DDoS attack last quarter generated about 3.8 gigabits of traffic, according to Akamai Technologies, a company that helps businesses divert large DDoS attacks.

The reason IoT devices are so vulnerable is because security in these many of these devices is almost nonexistent, say many security experts. Manufactures of devices such as DVRs and have given little thought to the security implications of allowing their devices to connect to the internet, they say.

Security just isn't a priority, says Elias Manousos, cofounder at RiskIQ, a cybersecurity firm. "The business model is focused on building and selling as many units as possible," he says.

"Because these devices are hardware, they are not easy to update and the firmware becomes more and more out of date the longer they sit on shelves," Mr. Manousos says. "Hackers can easily exploit these devices since known vulnerabilities never get fixed."

Analyst firm Gartner Inc. estimates that there will be an astounding 6.4 billion connected "things" in use worldwide by the end of this year, up 30 percent from last year. By 2020, Gartner estimates the number will reach 20.8 billion. Many of these IoT devices will be in connected cars and in equipment, facilities, and machinery that businesses use. 

But consumer uses will represent a vast majority of connected things, Gartner says. This year for instance, nearly 4 billion of all IoT devices will be those designed for consumer use. The number will rise to over 13 billion by 2020.

The recent attacks highlighted one way attackers could benefit from insecure IoT devices. But there are other risks, as well. A vulnerable IoT device can give attackers an entry point into the home or corporate network. "The risk depends heavily on the type of IoT device," says Brian Russell, chair of the Cloud Security Alliance IoT Working Group.

"For example, a consumer IoT device that ships with flaws might expose private information or conversations within a household," Mr. Russell says. "An IoT device that is installed in a hospital might expose sensitive medical information."

Similarly, a faulty network enabled component in a connected car could cause the vehicle to crash or an implantable medical device could stop functioning properly because of a security glitch, he said. "It's clear that IoT devices often suffer from basic security issues."

Consumers can help alleviate some of the risks by taking some fundamental precautions like changing the default username and password on a device before connecting it to the Internet. The malicious code used in the Krebs attack, for instance, hunted for systems with stock usernames and passwords. 

"[But] it's not just up to consumers to help keep IoT devices secure," Russell says. "Security starts at the development level. IoT manufacturers need to engineer security into their product at every level of the development cycle. Changing passwords only goes so far."