feature article
Subscribe Now

This Apocalypse Brought to You by the IoT

Goodbye to Los Angeles, Chicago, and Ohio, said the Webcam

Last January, the speaker in a Nest Cam indoor home security camera blared out a piercing alarm in Laura Lyons’ living room in Orinda, California. Alarming news followed the alert tone: North Korea had just launched ICBM’s at Los Angeles, Chicago, and Ohio. (Who knows what the North Korean regime has against Ohio?) The warning gave residents three hours to evacuate the targeted areas. Months later, it’s clear that no missiles were launched. Nothing happened. Nothing blew up. Los Angeles, Chicago, and the entire state of Ohio were all still there, last time I checked.

The Lyons’ family was the victim of a ghastly fraud, brought to their living room by the poor security built into nearly every IoT device. (See “Do This now! Before the IoT Security Tsunami Hits.”) It’s not really a problem of the security technology, it’s a failure of the social engineering assumptions built into the security technology.

The Lyons’ security camera was hacked for the simplest of reasons: an insecure password. The security assumptions built into the Nest Cam’s software were based on the idea that people will use sufficiently complex passwords to protect against hacking. A quick trip to Insecam will give you some idea of how many insecure and poorly secured Webcams there are in the world. The site tells you up front:

“The world biggest directory of online surveillance security cameras. Select a country to watch live street, traffic, parking, office, road, beach, earth online webcams. Now you can search live web cams around the world. You can find here Axis, Panasonic, Linksys, Sony, TPLink, Foscam and a lot of other network video cams available online without a password.”

However, Insecam no longer gives you access to all of the insecure Webcams it once did. Some amount of filtering of Webcam IP addresses has taken place on the site to try to avoid a repeat of the Lyons’ apocalyptic incident. Don’t get too comfortable, however. There are millions of Webcams on the Internet at this point, and here’s what Insecam’s home page has to say about that:

“Any private or unethical camera will be removed immediately upon e-mail complaint. Please provide a direct link to help facilitate the prompt removal of the camera. If you do not want to contact us by e-mail, you can still remove your camera from Insecam. The only thing you need to do is to set the password of your camera.”

My guess is that 99.9999 percent of all Webcam users don’t know that Insecam even exists, which means they won’t be asking Insecam to remove their Webcams from the list. Further, I’m guessing that a similar percentage of EEJournal readers, a fairly sophisticated segment of the general population when it comes to networking, also didn’t know about Insecam before reading this article. However, hackers do.

The Lyons’ apocalyptic experience is not unique. Last year, a wireless baby monitor in a child’s bedroom in Texas issued a string of expletives followed by a kidnapping threat. A hacker had taken control of the monitor’s speaker. A “white hat hacker” from Canada took over yet another Nest Web cam, this one belonging a realtor in Arizona, to warn the owner that his camera was vulnerable to hacking. Good thing the hacker was wearing a white hat.

In all of these instances, passwords were broken.

In my opinion, these incidents do not represent breakdowns of the IoT devices’ security stack. Cracking passwords, often default passwords, provides a much simpler entrée into the devices.

Is this the fault of the IoT industry? In my opinion, it is.

Consumers are not network engineers. Giving consumers a default password is inherently a bad idea if it’s the same password in every similar manufactured device, whether it’s a Webcam or a network router. Default passwords are an open invitation to simple hacking, amplified by the natural sloth we all have when it comes to “non-essential” things like security.

If auto insurance were not mandated by law, few drivers would carry auto insurance. Even though auto insurance is mandated by law, a 2017 study conducted by the Insurance Research Council (IRC) found that 13 percent of motorists, about one in eight drivers that you pass on the road every day, was uninsured in 2015. My father, a personal injury attorney, used to say when passing a beat up old vehicle, “That car has uninsured motorist written all over it.” He didn’t need a study. He knew from experience.

Based on very little data except for the existence of sites like Insecam, I’m guessing that there are more Webcams on the Internet with default passwords than there are Webcams with a non-default password, let alone hack-resistant passwords.

In the case of the Texas incident, Houston’s KPRC Channel 2 contacted Nest and reported the company’s response:

“We have seen instances where customers reused passwords that were previously exposed through breaches on other websites and published publicly … Reusing compromised passwords can expose customers to other people using the credentials to log into their Nest account and potentially other websites and services … We are now also rolling out changes to proactively prevent customers from using a password compromised in a public breach as their Nest password.”

Well, lesson learned for Nest, but perhaps not for the rest of the industry.

It’s worth repeating some advice from McAffee’s solution brief titled “Secure IoT Devices to Protect Against Attacks”:

“Attackers follow the path of least resistance to gain control of IoT devices. Usually, this is through weak credentials. But they can adapt to strong credentials and other security controls. This is the pattern we have seen with many attack vectors. McAfee recommends blocking known exploits and likely future maneuvers by attackers…

“IoT manufacturers must embed security into the architecture, interfaces, and designs of their products. Establish and test basic security concepts and capabilities such as compartmentalization of data and code, communication between trusted parties, data protection both in use and at rest, and authentication of users. Products in the future will be more powerful, store more data, and possess more functionality. This means products should have the ability for security updates, feature locking, build validation, software vetting, and default configurations that follow industry best practices. It all starts with the manufacturer; future proofing begins at the foundations. The hardware, firmware, operating systems, and software must be designed to go into a hostile environment and survive. IoT device buyers should examine a potential purchase with this in mind. Has the manufacturer designed and architected the IoT device with security in mind?”

IoT devices, including security cameras, provide significant benefits to consumers and to industry, and I’m not naïve enough to believe that all IoT devices will shortly become better secured against hacking. Where there’s no regulation or enforcement of said regulations, there’s no protection. As my auto-insurance example demonstrates, there can be widespread disregard of laws and regulations even when and where they exist. It’s really up to each of us in the design community to take a stand against the kind of gross vulnerability we’re already building into IoT devices.

What will you do about it?

One thought on “This Apocalypse Brought to You by the IoT”

  1. Great Information. Thank You Author, for sharing your valuable information about iot with us. People who are reading this blog can continue your knowledge which you gained with us and know how to apply this practically along with our IoT Training

Leave a Reply

featured blogs
May 8, 2024
Learn how artificial intelligence of things (AIoT) applications at the edge rely on TSMC's N12e manufacturing processes and specialized semiconductor IP.The post How Synopsys IP and TSMC’s N12e Process are Driving AIoT appeared first on Chip Design....
May 2, 2024
I'm envisioning what one of these pieces would look like on the wall of my office. It would look awesome!...

featured video

Why Wiwynn Energy-Optimized Data Center IT Solutions Use Cadence Optimality Explorer

Sponsored by Cadence Design Systems

In the AI era, as the signal-data rate increases, the signal integrity challenges in server designs also increase. Wiwynn provides hyperscale data centers with innovative cloud IT infrastructure, bringing the best total cost of ownership (TCO), energy, and energy-itemized IT solutions from the cloud to the edge.

Learn more about how Wiwynn is developing a new methodology for PCB designs with Cadence’s Optimality Intelligent System Explorer and Clarity 3D Solver.

featured paper

Designing Robust 5G Power Amplifiers for the Real World

Sponsored by Keysight

Simulating 5G power amplifier (PA) designs at the component and system levels with authentic modulation and high-fidelity behavioral models increases predictability, lowers risk, and shrinks schedules. Simulation software enables multi-technology layout and multi-domain analysis, evaluating the impacts of 5G PA design choices while delivering accurate results in a single virtual workspace. This application note delves into how authentic modulation enhances predictability and performance in 5G millimeter-wave systems.

Download now to revolutionize your design process.

featured chalk talk

Exploring the Potential of 5G in Both Public and Private Networks – Advantech and Mouser
Sponsored by Mouser Electronics and Advantech
In this episode of Chalk Talk, Amelia Dalton and Andrew Chen from Advantech investigate how we can revolutionize connectivity with 5G in public and private networks. They explore the role that 5G plays in autonomous vehicles, smart traffic systems, and public safety infrastructure and the solutions that Advantech offers in this arena.
Apr 1, 2024
6,978 views