Modern field guide to security and privacy

Flaws in connected cameras, recorders broader than bad passwords

After last week's cyberattack leveraged insecure internet-connected devices to wage a denial of service attack, many experts urged consumers to change passwords. But that alone won't solve the problem. 

Michael Bonfigli for The Christian Science Monitor
At the Security of Things Forum in Washington on Thursday, experts warned about vulnerabilities built into internet-connected devices. Joshua Corman (r.), director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center, spoke with Charley Snyder (c.) from the Department of Defense and Suzanne Schwartz from the Food and Drug Administration.

Cybercriminals last week amassed a powerful online weapon from compromised internet-linked cameras and video recorders, prompting warnings to consumers to change default passwords on their gadgets.

But weak passwords aren't the only security issues that come along with the fast-growing Internet of Things (IoT) marketplace, experts warn. A host of problems – from how devices connect to the internet to how they are manufactured – are leading to increasing worries over how attackers could take advantage of insecurities in connected devices.

The warnings about connected devices follow a recent assault on Dyn, a company that provides a core piece of internet infrastructure, that relied on software called Mirai to take over and control vulnerable internet-connected devices.

According to analysis by the security firm Imperva, Mirai spreads by performing wide-ranging scans of internet addresses to locate under-secured IoT devices that can be remotely accessed. Once it finds these devices, Mirai is programmed to guess at usernames and passwords to try to gain access to them – a so called "brute force" attack.
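The scan-then-guess behaviour described above leaves a recognisable trace in a device's own login log: a burst of failed logins from one source, then a success. The following detector is an added example written for this article (not code from Imperva, the article, or any product); the log lines are constructed, and the log format and the `analyse` function are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the article): login events as an exposed
# camera or DVR might record them. One source guesses until a default
# credential works; two others are ordinary single events.
SAMPLE_LOG = """\
Oct 21 13:01:02 cam01 login[311]: FAILED LOGIN from 198.51.100.7 user=root
Oct 21 13:01:03 cam01 login[311]: FAILED LOGIN from 198.51.100.7 user=admin
Oct 21 13:01:04 cam01 login[311]: FAILED LOGIN from 198.51.100.7 user=root
Oct 21 13:01:05 cam01 login[311]: FAILED LOGIN from 198.51.100.7 user=support
Oct 21 13:01:06 cam01 login[311]: FAILED LOGIN from 198.51.100.7 user=admin
Oct 21 13:01:07 cam01 login[311]: LOGIN OK from 198.51.100.7 user=admin
Oct 21 13:05:00 cam01 login[311]: FAILED LOGIN from 203.0.113.9 user=admin
Oct 21 13:07:00 cam01 login[311]: LOGIN OK from 192.0.2.20 user=admin
"""

# Assumed log format: "<result> from <ip> user=<name>".
LINE_RE = re.compile(
    r"(?P<result>FAILED LOGIN|LOGIN OK) from (?P<src>[\d.]+) user=(?P<user>\S+)"
)


def analyse(log_text, threshold=5):
    """Return findings keyed by source IP.

    'brute_force': at least `threshold` failed logins from one source.
    'likely_compromise': a successful login from a source that had already
    crossed the threshold, i.e. the guess-until-it-works pattern succeeded.
    """
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a login event; ignore
        src, user, result = m["src"], m["user"], m["result"]
        if result == "FAILED LOGIN":
            failures[src] += 1
            users_tried[src].add(user)
            if failures[src] >= threshold:
                findings[src] = {"status": "brute_force",
                                 "failures": failures[src],
                                 "users": sorted(users_tried[src])}
        elif failures[src] >= threshold:  # success after a brute-force run
            findings[src] = {"status": "likely_compromise",
                             "failures": failures[src],
                             "users": sorted(users_tried[src]),
                             "user": user}
    return findings
```

A single failed login (203.0.113.9) and a clean login (192.0.2.20) are not flagged at the default threshold; only the guessing source is, and its eventual success is reported separately as the higher-severity finding.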

Many of the devices compromised in the Dyn attack came from a single Chinese supplier, XiongMai Technology. XiongMai's hardware and software reside in many brands of closed-circuit cameras, digital video recorders, and other devices and contain a hidden administrative account that could not be changed by users.

But focusing on weak passwords with IoT devices alone risks missing the larger point, security experts warn.

"These devices have tons of issues," says Billy Rios, the founder of the security firm Whitescope and a recognized expert on the security of embedded systems. "The reason that Mirai just exploited weak passwords is that it was all it needed to do. Why put more effort into it than you need to?"

A bigger problem than the default password, says Mr. Rios, is the shoddy manner in which internet-connected objects like cameras are deployed, allowing even nontechnical criminals and mischief makers to locate them with a simple online search. 

Even without malicious software to speed the process along, finding insecure IoT devices is as easy as running an internet search. Search engines like Shodan have long allowed the curious to search for internet-connected machines in the same way that web surfers use Google to search for web pages. On any given day, a search for common IP-enabled cameras like this turns up tens of thousands of devices that can be accessed directly from the internet.

In many cases, that's because the third-party firms that install and manage them on behalf of businesses, local governments, or even consumers want easy, remote access to them, Rios says. "Truck rolls – having to go out in person to service a device – are expensive," he says. Allowing the cameras to be reachable from the public Internet makes it very easy to deploy and maintain or manage them remotely. 

The Chinese supplier, XiongMai, has promised a recall of 10,000 affected cameras. But it is unclear how that will be carried out. 

Speaking Thursday at The Security of Things Forum in Washington, an event hosted by Passcode and The Security Ledger, security experts said there were few incentives to encourage IoT device makers to improve their practices.

"In the Internet of Things space, the consumer of the device doesn't care, and we haven't yet built in an incentive for either the manufacturer or the consumer to pay for security," said Anup Ghosh of the firm Invincea. "Besides, most of these devices are made in China, so how do you regulate that?"

Experts noted that it doesn't have to be this way. Home gaming consoles such as Sony's PlayStation and Microsoft's Xbox are many times more powerful than cameras and also connect to the internet, for instance. They're also among the best engineered and most secure devices around and meet a very high standard for rigor both in their design and deployment, notes Rios.

For now, however, the attacks of recent weeks have forced a reconsideration of the question of how to secure a fast growing IoT space, said Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center, in a briefing with reporters on Monday. Mr. Corman also spoke at Thursday's Security of Things Forum.

The public and private sectors may be forced to embrace controversial ideas – from safety labels on connected products to strict software liability laws to hold publishers accountable for their wares. Otherwise, more extreme proposals may gain traction, such as destroying devices that are participating in large-scale attacks like those of recent weeks or using selective filtering to block those devices' access to the internet, Mr. Corman warned.

Likening the population of low-cost, insecure devices to a mosquito-infested swamp, Corman said big changes may be in the offing. "If we want to drain the swamp, we're going to have to look at what the future is for these endpoints that are less valuable."

Editor's note: This story was updated after publication to clarify comments from Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center, referring to more extreme measures to safeguard connected devices.

https://www.csmonitor.com/World/Passcode/2016/1028/Flaws-in-connected-cameras-recorders-broader-than-bad-passwords