Back in the 1990s when businesses started going online they frequently
didn't realize that their new networking gear came with simple default
passwords like "admin". So a whole generation of early hackers
simply scanned the web for companies that had inadvertently exposed
themselves in this way, siphoning off (probably, no one really knows)
billions of dollars and causing various other kinds of mischief.
Now that process is repeating with the Internet of things (IoT). As pretty
much every device in homes and businesses is imbued with sensors and
connected to internal networks and/or the broader Web, hackers are exploiting
the many resulting vulnerabilities.
But this time around it's personal, as formerly innocuous things like TVs,
phones and thermostats gain cameras and microphones, creating all kinds of
privacy issues – some of which are potentially (and catastrophically)
financial. Here's a sampling of what appeared on the subject in yesterday's
Wall Street Journal:
What's Attacking the Web? A Security Camera in a Colorado Laundromat
While Bea Lowick's customers were busy folding clothes last year, the
security system at her Carbondale, Colo., laundromat was also hard at work.
Though she didn't know it, Ms. Lowick's Digital ID View video recorder was
scanning the internet for places to spread a strain of malicious software
called Mirai, a computer virus that took root in more than 600,000 devices
last year.
Ms. Lowick, 59, said she wasn't aware the device was doing anything other
than acting up. Her remote-viewing app kept disconnecting. She was able to
reconnect it by restarting the digital video recorder.
"I would have to go in and unplug and plug in the DVR" to fix
it, Ms. Lowick said, adding that she didn't know that unwanted software was
to blame.
The culprit went unnoticed because Mirai usually doesn't take full control
of its hosts but rather uses their computing power to attack websites, many
of them halfway around the globe. Most victims aren't aware they are
infected. Researchers at two independent security firms confirmed a device
using the laundromat's internet address hosted the virus.
Bill Knapp, who installed the laundromat's surveillance system, said he
learned of the virus after being notified by a reporter.
"One of the hardest parts of this business is that everyone loses
their passwords," said Mr. Knapp, owner of Security Solutions LLC. When
Ms. Lowick forgot her password, he said, Digital ID View would reset the DVR
to its default password, "123456" -- a weak but common option that
opens the door to attackers.
A wave of inexpensive webcams, thermostats and other internet-connected
devices are hitting the market, many of them carrying minimal safeguards
against remote hacking. Hundreds of thousands of these machines already host
malicious software, unbeknown to their owners.
Security researchers are constantly finding new flaws in connected
devices. Some allow voyeurs to peer into internet-enabled cameras. Others
give hackers a jumping-off point to infect nearby computers where
bank-account information and other sensitive data can be pilfered.
Newfound Bugs Expose Webcams' Vulnerabilities
Researchers in recent weeks discovered a laundry list of vulnerabilities
that leave web cameras and digital video recorders open to hacking, often
because the devices continue to run outdated software.
Earlier this month, independent security researcher Pierre Kim named seven
bugs afflicting more than 1,200 webcam models, allowing attackers to bypass
firewalls, log into the devices with a preprogrammed "backdoor"
account or watch a live stream of the cameras without signing in at all.
Mr. Kim advised owners of the affected cameras to immediately disconnect
them from the internet, noting that hundreds of thousands of the devices are
vulnerable to one bug and millions more could be accessed through another
security flaw.
Manufacturers are expected to add another 2.5 billion connected devices,
from laptops to lightbulbs, to the market this year, according to IHS Markit
Research. Many are programmed to download the latest security updates out of
the box, but others require their owners to do it manually.
To summarize, in today's world pretty much everything could be watching
you and sharing that data with governments or hackers. And as embarrassing as
it might be to have videos of your private habits appear on YouTube, having
your finances compromised might be a lot worse. What if, for instance, your
laptop watches you sign into your online broker, or your thermostat sees
where you hide the next batch of silver coins?
The upshot: You can save lots of money and invest it brilliantly -- and
still lose it to this new generation of predators. There are, however, some
basic precautions that will help. Also from yesterday's WSJ:
How to Secure Your Smart Home
Spotting computer viruses is getting harder as threats spread from
well-protected PCs and phones to cars and household appliances with fewer
safeguards. Experts say it's hard for consumers to detect all viruses, but
users can still follow a few low-tech steps to protect their homes.
Many computer viruses found on home routers, digital video recorders and
cameras won't survive a hard reset. That is because the unwanted software
lodges itself in the machine's temporary memory banks instead of its
permanent storage. Powering off the machines if you suspect an infection can
help clear the most basic malicious software.
Quarantine Before Curing
Malware can reinfect clean devices in seconds, so it is important to sever
the machines' pathway to the internet before restoring power. You can still
access the equipment's login screen over home Wi-Fi, but first you should
disconnect your Wi-Fi from the internet to prevent instant reinfection. And
many devices don't need to go back online to work, even if they're internet
capable. "Pretty much, if you don't need it or aren't using it, don't be
afraid to turn it off, mute it or unplug it," says Yolonda Smith,
product manager for security firm Pwnie Express.
Fix the Password
Before restoring internet access, use the machine's control panel --
accessible over Wi-Fi from any nearby laptop or desktop -- to reset the
password. Some of the most powerful computer worms spread by exploiting
devices' default credentials, which can be "admin" and
"12345." A unique username and password will protect the machine
from many of the threats plaguing the internet.
Stay Up-to-date
Most responsible manufacturers offer software patches once they're aware of
a security vulnerability, but many companies leave it up to the user to take
the initiative. If a company offers smartphone- or desktop-management
software, download it and make sure automatic updates are enabled. Steer
clear of any internet-ready device that isn't able to patch itself.
Batten Down the Hatches
Home routers usually ship with a preinstalled firewall -- an electronic
barrier that filters unwanted internet traffic. But not all firewalls are of
equal strength. Many homeowners can tweak their router or modem settings to
apply stricter rules to suspicious internet traffic. If you're very worried,
you can buy specialized firewall equipment, which has come down in price in
recent years.