Popular Mechanics (South Africa)
IS SOMEONE GOING TO HACK MY LIGHTBULB?
BAD NEWS: It may have already been hacked. Worse: You wouldn’t even know. Here is what we’re hearing from some of the world’s leading security experts and white-hat hackers.
EXPERT: Dale Drew, chief security officer at Level 3 Communications, a telecommunications company and Internet service provider
WHAT WORRIES HIM: The accessibility and adaptability of Mirai, the malware used to take over smart thermostats, remote cameras, and other Internet of Things (IOT) devices. Mirai was used to stage the distributed-denial-of-service attack that took down sites including The New York Times, Netflix, and Reddit in 2016. WHY: “We typically see evolution of botnets occur fairly slowly over time, but with Mirai, that first code has been released [online, so that other hackers can add their own features]. It’s a fairly sophisticated botnet right out of the gate, and we’ve seen a lot of people evolving it with new capability and new features – not only in acquisition of victims, but also capability to attack.”
EXPERT: Martin Mckeay, senior security advocate at Akamai, a Cloud service provider
WHAT WORRIES HIM: The weak-to-nonexistent security of Internet of Things devices – smartphones, refrigerators, baby monitors, etc – and the potential expansion of these attacks to medical devices. WHY: “Hackers use hard-coded usernames and passwords to load code into the memory on IOT devices. Simply shutting down and rebooting the device is the easiest way to get rid of the infection, but when you turn the devices on again, you may find they are soon reinfected with Mirai. These devices shouldn’t be directly connected to the Internet in the first place. They should all be behind a firewall. [If someone were to] make a worm and let it loose in a hospital and it could target insulin pumps or heart defibrillators, you could kill people.”
EXPERT: Eyal Ronen, cyber researcher at Israel’s Weizmann Institute of Science
WHAT WORRIES HIM: Even with the right security precautions, devices will still be vulnerable. WHY: “There needs to be a basic change in which all these commercial alliances set the security for IOT devices. They currently sit with security experts and write code that doesn’t go through outside review. There should be a red-team approach to see if their code can be challenged and hacked before it is implemented. I was able to attack a high-end cryptographically protected network of Philips IOT lighting devices thanks to a bug in their software. It was the first place I looked. Like Google and some other software companies, everyone should offer bounty programmes to computer experts to make their code safer.”
EXPERT: Dean Sysman, chief technology officer at Cymmetria, a cybersecurity company
WHAT WORRIES HIM: The potential of botnet attacks not just to slow down a few sites, but also to allow hackers to completely remove people from the Internet. WHY: “If someone were to attack routers, he could probably have control over millions of people’s Internet connections. Or if he was able to make one of the root DNS services go out – which would require attacking numerous corporate servers and is totally possible – we could lose the entirety of the .com or .uk domains.” PM