
This Apocalypse Brought to You by the IoT

Goodbye to Los Angeles, Chicago, and Ohio, said the Webcam

Last January, the speaker in a Nest Cam indoor home security camera blared out a piercing alarm in Laura Lyons’ living room in Orinda, California. Alarming news followed the alert tone: North Korea had just launched ICBMs at Los Angeles, Chicago, and Ohio. (Who knows what the North Korean regime has against Ohio?) The warning gave residents three hours to evacuate the targeted areas. Months later, it’s clear that no missiles were launched. Nothing happened. Nothing blew up. Los Angeles, Chicago, and the entire state of Ohio were all still there, last time I checked.

The Lyons family was the victim of a ghastly fraud, brought to their living room by the poor security built into nearly every IoT device. (See “Do This now! Before the IoT Security Tsunami Hits.”) It’s not really a problem of the security technology; it’s a failure of the social engineering assumptions built into the security technology.

The Lyons’ security camera was hacked for the simplest of reasons: an insecure password. The security assumptions built into the Nest Cam’s software were based on the idea that people will use sufficiently complex passwords to protect against hacking. A quick trip to Insecam will give you some idea of how many insecure and poorly secured Webcams there are in the world. The site tells you up front:

“The world’s biggest directory of online surveillance security cameras. Select a country to watch live street, traffic, parking, office, road, beach, earth online webcams. Now you can search live web cams around the world. You can find here Axis, Panasonic, Linksys, Sony, TPLink, Foscam and a lot of other network video cams available online without a password.”

However, Insecam no longer gives you access to all of the insecure Webcams it once did. Some amount of filtering of Webcam IP addresses has taken place on the site to try to avoid a repeat of the Lyons’ apocalyptic incident. Don’t get too comfortable, however. There are millions of Webcams on the Internet at this point, and here’s what Insecam’s home page has to say about that:

“Any private or unethical camera will be removed immediately upon e-mail complaint. Please provide a direct link to help facilitate the prompt removal of the camera. If you do not want to contact us by e-mail, you can still remove your camera from Insecam. The only thing you need to do is to set the password of your camera.”

My guess is that 99.9999 percent of all Webcam users don’t know that Insecam even exists, which means they won’t be asking Insecam to remove their Webcams from the list. Further, I’m guessing that a similar percentage of EEJournal readers, a fairly sophisticated segment of the general population when it comes to networking, also didn’t know about Insecam before reading this article. However, hackers do.

The Lyons’ apocalyptic experience is not unique. Last year, a wireless baby monitor in a child’s bedroom in Texas issued a string of expletives followed by a kidnapping threat. A hacker had taken control of the monitor’s speaker. A “white hat hacker” from Canada took over yet another Nest Webcam, this one belonging to a realtor in Arizona, to warn the owner that his camera was vulnerable to hacking. Good thing the hacker was wearing a white hat.

In all of these instances, passwords were broken.

In my opinion, these incidents do not represent breakdowns of the IoT devices’ security stack. Cracking passwords, often default passwords, provides a much simpler entrée into the devices.

Is this the fault of the IoT industry? In my opinion, it is.

Consumers are not network engineers. Giving consumers a default password is inherently a bad idea if it’s the same password in every similar manufactured device, whether it’s a Webcam or a network router. Default passwords are an open invitation to simple hacking, amplified by the natural sloth we all have when it comes to “non-essential” things like security.

If auto insurance were not mandated by law, few drivers would carry auto insurance. Even though auto insurance is mandated by law, a 2017 study conducted by the Insurance Research Council (IRC) found that 13 percent of motorists, about one in eight drivers that you pass on the road every day, were uninsured in 2015. My father, a personal injury attorney, used to say when passing a beat-up old vehicle, “That car has uninsured motorist written all over it.” He didn’t need a study. He knew from experience.

Based on very little data except for the existence of sites like Insecam, I’m guessing that there are more Webcams on the Internet with default passwords than there are Webcams with a non-default password, let alone hack-resistant passwords.

In the case of the Texas incident, Houston’s KPRC Channel 2 contacted Nest and reported the company’s response:

“We have seen instances where customers reused passwords that were previously exposed through breaches on other websites and published publicly … Reusing compromised passwords can expose customers to other people using the credentials to log into their Nest account and potentially other websites and services … We are now also rolling out changes to proactively prevent customers from using a password compromised in a public breach as their Nest password.”

Well, lesson learned for Nest, but perhaps not for the rest of the industry.
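Nest’s fix quoted above, refusing any password that already appears in a public breach, can be combined with an outright ban on factory defaults. The following is an added example written for this article, not Nest’s or McAfee’s code; the breach corpus and the default-credential list are constructed placeholders, and the prefix index mimics a k-anonymity range lookup (the client reveals only the first five hex characters of the SHA-1 hash) so the check can be run against a real service without sending the password itself.

```python
import hashlib

# Constructed stand-in for a public-breach password dump (placeholder values).
BREACHED_PASSWORDS = {"123456", "password", "qwerty", "letmein", "nestcam1"}

# Constructed list of factory-default credentials; not taken from any product.
DEFAULT_CREDENTIALS = {"admin", "1234", "12345", "000000", "password"}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest breach-range services are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index breached hashes by 5-hex-char prefix: prefix -> list of suffixes.
    This is the server side of a k-anonymity range query."""
    index = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def range_query(prefix: str):
    """Client side: ask only for the suffixes that share our 5-char prefix."""
    return RANGE_INDEX.get(prefix.upper(), [])


def is_breached(password: str) -> bool:
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def evaluate_password(password: str, min_length: int = 12):
    """Return the list of reasons a candidate password is rejected (empty = OK)."""
    reasons = []
    if password in DEFAULT_CREDENTIALS:
        reasons.append("factory default credential")
    if is_breached(password):
        reasons.append("appears in public breach corpus")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("admin", "password", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate) or "accepted")
```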

It’s worth repeating some advice from McAfee’s solution brief titled “Secure IoT Devices to Protect Against Attacks”:

“Attackers follow the path of least resistance to gain control of IoT devices. Usually, this is through weak credentials. But they can adapt to strong credentials and other security controls. This is the pattern we have seen with many attack vectors. McAfee recommends blocking known exploits and likely future maneuvers by attackers…

“IoT manufacturers must embed security into the architecture, interfaces, and designs of their products. Establish and test basic security concepts and capabilities such as compartmentalization of data and code, communication between trusted parties, data protection both in use and at rest, and authentication of users. Products in the future will be more powerful, store more data, and possess more functionality. This means products should have the ability for security updates, feature locking, build validation, software vetting, and default configurations that follow industry best practices. It all starts with the manufacturer; future proofing begins at the foundations. The hardware, firmware, operating systems, and software must be designed to go into a hostile environment and survive. IoT device buyers should examine a potential purchase with this in mind. Has the manufacturer designed and architected the IoT device with security in mind?”

IoT devices, including security cameras, provide significant benefits to consumers and to industry, and I’m not naïve enough to believe that all IoT devices will shortly become better secured against hacking. Where there’s no regulation or enforcement of said regulations, there’s no protection. As my auto-insurance example demonstrates, there can be widespread disregard of laws and regulations even when and where they exist. It’s really up to each of us in the design community to take a stand against the kind of gross vulnerability we’re already building into IoT devices.

What will you do about it?
