More and more, you can hear about the hacker attacks of a new, previously unknown type: hackers do not act directly through computers, but turn to “connected systems” —web cameras, elements of smart houses and wearable gadgets — collecting from them “zombie networks” or receiving through these devices access to personal information. Objects included in what is called the “Internet of Things” are much less protected than computers themselves, and access to them provides potentially no fewer opportunities than traditional hacking.
Internet of things or IoT is a vast space of objects that it was difficult to even think about connecting to the network just a few years ago. Sometimes these are rather useless and therefore seemingly completely safe things. Most users do not associate their “smart” coffee makers and refrigerators with computers, and therefore do not think about the need to ensure their safety.
It is what crackers use. In June 2016, they discovered a botnet from more than 25,000 city and private surveillance cameras and digital video recorders created by a group of hackers to carry out DDoS attacks, and by the fall there were cases when up to a million devices were included in the infected network. And although the computing power available to devices of this kind is rather small in comparison with computer ones, combined into a system of such scales, they become a genuinely threatening force. For example, the June “zombie network” sent more than fifty thousand HTTP requests per second, and the one that attacked Brian Krebs’s site “issued” a request rate of 700 Gb/s. It is quite enough to bring down many reputable Internet resources under their avalanche, having a very high threshold of resistance to heavy loads.
Is this a new problem with the “riot of things”?
The advent of “smart things” in private homes began not so long ago. In contrast, CCTV, conveyor robots and security systems that control, for example, doors and elevators of protected objects, did not appear yesterday.
For business and government, challenges related to the security of the Internet of Things have been around for quite some time. Fighting with them on these fronts is also not the first year. They held the National Security of Things Forum in Cambridge for several years. It was on the security of the Internet of Things, and the protection of the personal data of hospital patients, the access to which is possible through wearable devices, and security holes in medical institutions, including those accessible through IoT, a problem that has been struggling since the beginning of the 2010s.
What goes in the IoT?
The Internet of Things is all devices connected to the network one way or another.
The first publicly available items of this kind appeared in 2008–2009. According to Cisco, by April 2014 there were more than 12 million connected devices in the world, and by the end of 2016, another six billion added to them. There was a prediction that in five years, the Internet of Things would grow to 50 billion devices. In other words, there will be almost a dozen smart devices per inhabitant of the planet. The fall in the value of “smart things” will allow them to put in the markets of developing countries, and further growth is likely to become entirely exponential.
What is wrong with the security of the Internet of things?
According to Hewlett-Packard, more than 70% of devices entering the Internet of Things have vulnerabilities, 60% of them have an insecure web interface. However, most of them have access to such data of their owners as an address, e-mail, and even a bank account.
Often this is because manufacturers, seeking to reduce their costs, radically save on security. In turn, the companies supplying cheap cameras almost ignore the inclusion of protective equipment in their products, since, according to their estimates, low cost is much more critical for the majority of camera users. On January 9, 2017, the US Federal Trade Commission even filed a lawsuit against D-Link due to inadequate protection of webcams and routers.
Hacking tools and hacker interests
Each object connected to a network has an identification number — an IP address — and is joined by one or another port according to a specific data transfer protocol. For example, for a webcam, this is port 554 and Real Time Streaming Protocol. It is through these ports that hackers enter the devices and gain control over them. Today, there are many tools for finding and accessing unprotected ports. We will tell you about some of them.
The most extensive features provided by the search engine Shodan – “evil Google.” Designed by John Matherly and named after the artificial intelligence from the first part of the System Shock game, Shodan can not only detect random public IP addresses and find vulnerable webcams but also filter them by port number, country and city, operating system and even the domain name in which the search is. Recently, a search engine allows access not only to open ports but also to secure ones. So you can break into cameras, printers, routers, and many other devices.
Today Shodan has become a professional access tool. Its popularity is so high that access to it is carried out on a paid basis: the first ten requests are free, 50 – if you have an account, then – for $ 20 per year.
If you are only interested in viewing cameras, you can find tools such as Yoba and Hikka, developed by the anonymous Dvach. And if the first one was just a brute-force machine that chooses to select passwords from a predefined list, the second one has not only more extensive possibilities but is continually improving: they uploaded its source code to GitHub, where activists develop Hicca.
But often “just watching the cameras” turns out to be not such innocent entertainment. After all, many surveillance devices are not on the street or in the corner of a supermarket, but at home with people who are unaware of the possibility of their hacking, or in places where they would seem to have no place. The same users of Dvacha used their search engine to spy on webcams installed in brothels and toilets.
This audience is the same people who, having armed with FindFace, staged a massive cyber attack on girls engaged in prostitution and starring in porn. By uploading screenshots from clips and profiles to FF, they found their accounts on social networks using it. Then the incriminating information was reported to the relatives and friends of the victims of the persecution. Given this, “Hicca” is (by and large) “in bad hands” – because the cameras are everywhere.
Internet of Things and Global Snooping
Listening to phones and hacking webcams has long become the daily practice of individual services. On the invasions of governments into private life through the Internet of things is not yet known – the state already has enough control capabilities. Probably, there are special tools at the disposal of the special services, just for them so far there has been no Snowden. It was a former employee of the National Security Agency in February 2014 who spoke about Optic Nerve, a program that allowed British intelligence to collect nearly two million screenshots from Yahoo video chatters in six months. And where is one information – there is another.
A botnet is a network of computers or devices infected by viruses that have access to their operating capacity. Zombie resources can be used by a hacker to perform distributed calculations and strengthen their abilities, but more often they are needed solely to ensure an avalanche-like flow of requests at the right moment as part of DDoS attacks when sites or system.
The case of cameras and video recorders is not the first example of creating a “zombie network” from objects of the Internet-things. From a hacker`s point of view, CCTV and refrigerators are more attractive than computers: usually, the user cannot see how much the resources of such a device load. What is essential, there is also the fact that often the power of smart-apartments and industrial equipment are idle without work – and they are at the complete disposal of hackers. For example, most private surveillance cameras do not record, but only stream video, which most of the time no one watches.
What scares users?
The use of their property for criminal purposes or theoretically possible voyeurism is not too disturbing to users, as far as can be judged by statistics. At the same time, the Internet of Things poses more exciting challenges. There is a case when a hacker hacked into a baby monitor and yelled at a baby.
After the attacks on medical equipment and wearable devices, the possibility of which has become known in recent years, many have thought about abandoning the “connectivity” in the field of health care. For example, after the publication of data on the possibility of remote control of a pacemaker, Dick Cheney, a former US Deputy Prime Minister, demanded that the doctors were serving him close the channel through which data from his device were transferred to the hospital and make the stimulator autonomous.
In early October, there was a lot of noise by the successful breaking of an insulin pump, which was carried out by the example of a diabetes-suffering hacker who got access through an unprotected Wi-Fi channel. This episode nearly brought with it a recall from the Johnson & Johnson pump market, but in the end, the company limited itself to sending warnings to all users and called the risk “overvalued.”
It is this kind of “horrors” that make people seriously think about how safe the Internet of Things is. So, the discussion of Samuel Grignard’s book The Future Is Now Here, devoted to the challenges of the Internet of things, went beyond the boundaries of the IT community.
In fact, not so bad. According to Julian Goldman, director of the department of biomedical engineering at Partners HealthCare, so far recorded cases of hacking of medical systems are aimed, as a rule, not for private individuals, but the hospital as a whole. And sometimes it is connected not even with extortion, but with the protection of the interests of patients.
But the main problem of the Internet of things in medicine, Goldman, calls the abundance of outdated equipment that has not been updated for more than ten years and is often no longer supported by manufacturers. It is generally a global problem for IoT in business, the social sector, and government structures, along with the inertia of these organizations themselves, who are not in a hurry to upgrade their equipment. In other words, no less critical a threat than a hacker attack, for the end user is his lack of awareness and the lack of rapid response of developers to detected vulnerabilities.
Towards a safer Internet of things
The cybersecurity researcher Scott Erven believes that users’ understanding of potential threats is not enough, and believes that the professional community should take responsibility on this issue, including putting pressure on manufacturers. Even calls government regulatory agencies and consumer rights protection societies as instruments of such influence.
Responding to the demands of such initiatives, the US Federal Trade Commission conducted more than fifty cases against companies that did not provide a sufficient level of security for their networks, products and services, and held a series of Start With Security seminars on the need to include developing privacy and security methods the earliest stages of product development.
Like any cybercrime activity, attacks on IoT know no bounds. At the National American Forum on Internet Security of Things in 2015, a representative of the Department of Homeland Security, Robert Silver, put it this way: “This is a transnational issue that has no resolution within one country.” Such statements call for international regulation, and therefore, for the control of governments over the development of the industry and the possibilities for its implementation in everyday life.
Initiatives to control the Internet of things at the state level were also at the European Commission. European Commissioner for the Digital Economy and Society Thibo Kleiner says that regulation should be conducted at the intergovernmental level because it is not so much about individual items, but first of all about networks and cloud storages to which they have a connection.
Alternatives to regulation
There is a justification of the need for regulatory actions by the fact that the industry does not want to introduce mechanisms of self-regulation. But they can negatively affect IoT, restraining its development, hampering the introduction of innovative practices. Perhaps, instead of a regulation that starts already at the development stage, you can introduce a certification system, like the National Transportation Security Administration in the United States or EuroNCAP, which is similar to it.
Network crime expert Rob Graham takes this initiative negatively. According to him, it is preferably a tool for drawing out funding from the state budget, which does not bring practical benefits. Graham says that there can be no analogy between the production of cars and the production of gadgets. While EuroNCAP is looking for random failures in the electronics of machines, in the case of the Internet of things, we are dealing with the evil will of a person who wants to hack the system.
“95% of successful attacks are phishing, SQL injections, and bad passwords. Another 5% is outdated software, the manufacturer has already managed to patch the vulnerabilities, but the user is in no hurry to install updates. It turns out that what CITL is doing is only 0.1% of potential threats, says Graham, and mitigating the risk, even if it extended to a large area, is not equal to its elimination. “
Graham cites the example of the fact that the US Navy paid Microsoft $ 20 million for continuing to support the Windows XP operating system installed on military computers. By that time, the system was already 15 years old.
How to protect yourself
Until IoT protection methods have been developed from above (and to create them, perhaps, perhaps not needed), we should take the matter into our own hands. Here is a short checklist, based on which you can significantly improve your security in the world of smart things.
The advantages are more significant than the threats
Even though it may seem that the Internet of things is full of dangers, and voyeurs, hackers and unscrupulous suppliers are waiting for the user from all sides, the benefits of IoT are still higher than the potential costs. Those dangers with which we cannot cope today will fade into the background – with the growth of digital culture or under the onslaught of regulators.
At the same time, the primary challenge will remain, which the Internet of Things is only hinting at, but over time, as it develops, this problem will become more and more acute. People are too willing to let devices into their lives that they know too little. The development of technology, in general, is ahead of human development, and, perhaps, after some time we will come to the adoption of the “end of privacy.”
But for now, with the growth of the Internet of things and the Internet in general, it is time to think about one fact shortly. We will have to choose which areas of life are more important to protect and which of personal data is more critical – to cover all areas of life with security systems or simply too troublesome.
About the author
Melisa Marzett is good at writing because she has a passion for it. Currently writing for http://findwritingservice.com/ she combines work and pleasure successfully traveling around the world and writing from wherever she is.