USA TODAY US Edition

How to prevent a zombie botnet invasion

Changing passwords is a must to help avoid attacks like last week’s

- Elizabeth Weise @eweise USA TODAY

SAN FRANCISCO - Your router, home Wi-Fi, refrigerator and webcams could be part of an international army of zombie attackers — without you even knowing it.

The bad news is that’s not the plot of a B-grade Halloween movie: It’s the current state of security in the Internet of Things, and experts say there’s only so much consumers can do to protect themselves.

The danger was exposed Friday when an attack on Dyn, a New Hampshire-based company that monitors and routes Internet traffic, shut down a significant portion of the Internet.

Dyn was hit with a large-scale distributed denial of service attack (DDoS), in which its servers were flooded with millions of fake requests for information, knocking them offline.

The attack was launched by what’s known as a “botnet” that used millions of enslaved devices to send those messages. It was the first major attack using Internet-connected devices but won’t be the last, experts say.

Connecting anything and everything to the Internet so it can be app-controlled is all the rage right now.

But the security on most of those devices is abysmal, experts say. That’s a problem as there are an estimated 6.4 billion Internet-connected devices in use worldwide today, according to Gartner.

The most crucial thing for home users is to reset the factory password that came with their regular or Wi-Fi router and turn off the option that allows the router to be managed over the Internet.

This isn’t optional, said Gunter Ollmann, chief security officer of Vectra Networks.

“A newly installed Wi-Fi home router is likely to be compromised within a handful of weeks if the default passwords are not changed — or within a few hours if you live in a more densely populated metropolitan area,” he said.

If your home router or Wi-Fi router is more than five years old, get a new one, suggests Wendi Whitmore, global lead for IBM Security Services.

For Wi-Fi, users should not only change the factory-set password but also make sure that they’ve enabled a strong form of Wi-Fi encryption. If you choose a good one — for example, the often standard WPA2 — “you should be fine,” said Ken Munro, a partner at security company Pen Test Partners.

Bluetooth wireless devices are actually relatively secure because they can only interact with other devices over a very short range.

Password protection will keep most botnets out, but many Internet of Things, or IoT, devices don’t make it possible to add or change them.

When asked to come up with a list of vulnerable products, Ollmann flat out said it was impossible.

“For starters, the list would include pretty much every Internet-connected consumer device by default,” he said.

Among the most common devices used in last week’s attack were closed-circuit TV webcams, which typically are shipped with default passwords and which generally must be connected to the Internet to perform their function.

Chinese electronics firm Hangzhou Xiongmai Technology, whose webcams were a big part of the botnet, has since announced a recall of the circuit boards and components that go into its webcams, according to the BBC.

For those who need webcams to secure their home or business, Simon Puleo, who does security research for Micro Focus, suggests using major brands such as Nest or NetGear because they “invest more in quality assurance and security because they have a large reputation at stake.”

As for security problems with connected cars, while these have gotten a lot of press over the past few years, the danger is still largely theoretical.

“There have been a number of proof-of-concept attacks on car systems, but so far no significant attack has occurred. In reality, there are simply so many other devices out there for attackers to go after, there’s no great need to attack something as complex as a car’s systems,” said Geoff Webb, vice president of strategy at Micro Focus.

As for thermostats, baby monitors, home alarm systems, pool heaters, door cameras and even smartphone-connected pet feeding systems, the good news is that many use cloud connectivity, so they’re not so much of a threat.

Again, higher-quality (and pricetag) items from major companies such as Google are likely to be on the cloud and have good security.

The bad news is that it’s not always simple for the user to know how secure they are before buying, and often even after that. Professor Shiu-Kai Chin, with Syracuse University’s master of science in cybersecurity program, says consumers should think seriously about why they’d want to connect something to the Internet.

“Today’s ‘Wow!’ might turn into tomorrow’s ‘OMG!’ In systems engineering, we always ask ourselves if something is essential vs. ‘nice to have.’ Added features usually come with added vulnerabilities and risks,” he said.

That’s the advice of the researchers who successfully hacked into a Samsung refrigerator last year at DefCon, a large computer security conference in Las Vegas. Samsung later patched the security hole, but many connected appliances remain unsecure.

Without a lot of technical expertise, sometimes the best advice is to simply not use the built-in connectivity, though Munro of Pen Test Partners acknowledges that at that point “you might as well just buy a non-IoT fridge.”

DOWNDETECTOR: A map shows areas of Internet outages Friday morning after a distributed denial of service attack, or DDoS, was launched against Dyn.
