Modern field guide to security and privacy

Your home might be secretly carrying out cyberattacks

Criminal hackers have shown they can take over connected home devices and turn them into zombie networks that carry out debilitating online attacks. 

Stefanie Loos/Reuters
A connected refrigerator by LG displayed at an electronics show in Berlin in September.

As millions of ordinary home products connect to the internet, malicious hackers are finding new ways of exploiting security weaknesses in connected digital video recorders, cameras, and refrigerators.

Now, it appears that they've discovered how to turn tens of thousands of those insecure devices into massive botnets, which are collections of malware-infected computers. They're finding ways to take down websites with distributed denial of service, or DDoS, attacks designed to overload them with traffic. 

Basically, your everyday appliances could be weapons in a cyberattack without you even knowing. 

Two websites taken down by relentless DDoS attacks in recent weeks drew attention to the dangers of the next-generation botnets – and the fragilities of the so-called Internet of Things (IoT), the phenomenon of connecting everything from home lighting to security systems to the internet.

In the attack on security blogger Brian Krebs, for instance, hackers harnessed the power of what is believed to be hundreds of thousands of hacked internet-connected devices – such as digital video recorders, home routers, and connected security cameras – to take down his site. 

The attack on Mr. Krebs generated more than 600 gigabits per second of traffic. There was another attack on a leading French internet service provider, involving a massive 1 Terabit per second volume. 

This is staggering. By contrast, the median DDoS attack last quarter generated about 3.8 gigabits of traffic, according to Akamai Technologies, a company that helps businesses divert large DDoS attacks.

The reason IoT devices are so vulnerable is that security in many of these devices is almost nonexistent, say many security experts. Manufacturers of devices such as DVRs have given little thought to the security implications of allowing their devices to connect to the internet, they say.

Security just isn't a priority, says Elias Manousos, cofounder at RiskIQ, a cybersecurity firm. "The business model is focused on building and selling as many units as possible," he says.

"Because these devices are hardware, they are not easy to update and the firmware becomes more and more out of date the longer they sit on shelves," Mr. Manousos says. "Hackers can easily exploit these devices since known vulnerabilities never get fixed."

Analyst firm Gartner Inc. estimates that there will be an astounding 6.4 billion connected "things" in use worldwide by the end of this year, up 30 percent from last year. By 2020, Gartner estimates the number will reach 20.8 billion. Many of these IoT devices will be in connected cars and in equipment, facilities, and machinery that businesses use. 

But consumer uses will represent a vast majority of connected things, Gartner says. This year for instance, nearly 4 billion of all IoT devices will be those designed for consumer use. The number will rise to over 13 billion by 2020.

The recent attacks highlighted one way attackers could benefit from insecure IoT devices. But there are other risks, as well. A vulnerable IoT device can give attackers an entry point into the home or corporate network. "The risk depends heavily on the type of IoT device," says Brian Russell, chair of the Cloud Security Alliance IoT Working Group.

"For example, a consumer IoT device that ships with flaws might expose private information or conversations within a household," Mr. Russell says. "An IoT device that is installed in a hospital might expose sensitive medical information."

Similarly, a faulty network-enabled component in a connected car could cause the vehicle to crash, or an implantable medical device could stop functioning properly because of a security glitch, he said. "It's clear that IoT devices often suffer from basic security issues."

Consumers can help alleviate some of the risks by taking some fundamental precautions like changing the default username and password on a device before connecting it to the Internet. The malicious code used in the Krebs attack, for instance, hunted for systems with stock usernames and passwords. 

"[But] it's not just up to consumers to help keep IoT devices secure," Russell says. "Security starts at the development level. IoT manufacturers need to engineer security into their product at every level of the development cycle. Changing passwords only goes so far."
