Baby monitors, thermostats, home surveillance cameras -- these gadgets are not what comes to mind when picturing an evil army, but cybersecurity experts warn that malicious hackers are using common household smart devices to cause chaos and panic on the Internet.
“How could a baby monitor become an evil device for a hacker?” said Darren Guccione, chief executive officer of Keeper Security, Inc. “We are in a cyberwar. There is no doubt we are in a cyberwar right now.”
Guccione said hackers are placing malicious software on vulnerable smart devices – those with weak usernames and passwords – to control them and attack third party businesses.
The result? Websites of some of the biggest corporations, such as Twitter, Netflix, Amazon, PayPal, crashed and were inaccessible for hours.
“(Hackers) are getting really sophisticated about how they do this, and that’s the dangerous thing,” said Guccione.
The unprecedented breach is called a Distributed Denial of Service, or DDoS, attack. On October 21, malicious hackers directed hijacked home devices to send millions of bogus requests to a company called Dyn, which serves as an Internet switchboard. Dyn’s system became overwhelmed.
With billions more smart home gadgets coming online, Guccione said security of these devices is a top concern.
“There is no mandate that says to a device manufacturer: before you send out this product or it enters the domain, it must have these ten security protocols,” said Guccione. “It is a complete free-for-all.”
One Chinese manufacturer is recalling thousands of its products sold in the U.S. in the aftermath of last month’s DDoS attack. Hangzhou Xiongmai Techonolgy acknowledged to tech industry publications that weak default passwords in its products left them vulnerable. Xiongmai told publications it fixed flaws with some older models and are encouraging customers to strengthen passwords.
There is an effort amongst industry experts to shore up security functions on Internet-connected devices.
The Industrial Internet Consortium is a non-profit group made up of 250 member companies that range from big multi-national corporations to start-ups. Sven Schrecker, co-chair for IIC’s Security Working Group, said none of its member manufacturers were involved in the DDoS breach.
“It is up to each manufacturer to take a close look at their protocol,” said Schrecker. “One thing we’ve been highlighting for several years now is that security needs to be an atomic component of all devices, especially Internet-connected smart devices.”
Security experts also advise to use different passwords for all devices because once hackers crack the password, personal security is wide open for the taking.
“Can you imagine coming in and saying my bank account got hacked through my refrigerator? Think about how weird that is,” said Guccione. “If a hacker is able to breach a refrigerator that connects to the Internet…if they get their log-in credentials off that refrigerator and you typically use the same log-in credentials for your bank account, your social media account…they’re going to replicate that set of log-in credentials across all the applications.”
The hackers behind last month’s DDoS attack and their motive are still largely unknown. But there is widespread concern a similar attack is forthcoming, leading some to question if malicious hackers are attempting to shut down the internet.
“It may have been a test for something much larger” added Guccione. “Some do it because they were hired by a company B to shut down company A, they may have political reasons for doing it, they may be sick, they may just want to do it for fun.”
Cyber experts say the hacking business is lucrative and criminals may try to blackmail online retailers with threats of massive Internet outages ahead of the online holiday shopping season.
“You’re going to see this happen a lot more,” said Guccione.