
This Apocalypse Brought to You by the IoT

Goodbye to Los Angeles, Chicago, and Ohio, said the Webcam

Last January, the speaker in a Nest Cam indoor home security camera blared out a piercing alarm in Laura Lyons’ living room in Orinda, California. Alarming news followed the alert tone: North Korea had just launched ICBMs at Los Angeles, Chicago, and Ohio. (Who knows what the North Korean regime has against Ohio?) The warning gave residents three hours to evacuate the targeted areas. Months later, it’s clear that no missiles were launched. Nothing happened. Nothing blew up. Los Angeles, Chicago, and the entire state of Ohio were all still there, last time I checked.

The Lyons family was the victim of a ghastly fraud, brought to their living room by the poor security built into nearly every IoT device. (See “Do This now! Before the IoT Security Tsunami Hits.”) It’s not really a failure of the security technology itself; it’s a failure of the assumptions about user behavior that the security technology was built on.

The Lyons’ security camera was hacked for the simplest of reasons: an insecure password. The security assumptions built into the Nest Cam’s software were based on the idea that people will use sufficiently complex passwords to protect against hacking. A quick trip to Insecam will give you some idea of how many insecure and poorly secured Webcams there are in the world. The site tells you up front:

“The world's biggest directory of online surveillance security cameras. Select a country to watch live street, traffic, parking, office, road, beach, earth online webcams. Now you can search live web cams around the world. You can find here Axis, Panasonic, Linksys, Sony, TPLink, Foscam and a lot of other network video cams available online without a password.”

However, Insecam no longer gives you access to all of the insecure Webcams it once did. Some amount of filtering of Webcam IP addresses has taken place on the site to try to avoid a repeat of the Lyons’ apocalyptic incident. Don’t get too comfortable, however. There are millions of Webcams on the Internet at this point, and here’s what Insecam’s home page has to say about that:

“Any private or unethical camera will be removed immediately upon e-mail complaint. Please provide a direct link to help facilitate the prompt removal of the camera. If you do not want to contact us by e-mail, you can still remove your camera from Insecam. The only thing you need to do is to set the password of your camera.”

My guess is that 99.9999 percent of all Webcam users don’t know that Insecam even exists, which means they won’t be asking Insecam to remove their Webcams from the list. Further, I’m guessing that a similar percentage of EEJournal readers, a fairly sophisticated segment of the general population when it comes to networking, also didn’t know about Insecam before reading this article. However, hackers do.

The Lyons’ apocalyptic experience is not unique. Last year, a wireless baby monitor in a child’s bedroom in Texas issued a string of expletives followed by a kidnapping threat. A hacker had taken control of the monitor’s speaker. A “white hat hacker” from Canada took over yet another Nest Webcam, this one belonging to a realtor in Arizona, to warn the owner that his camera was vulnerable to hacking. Good thing the hacker was wearing a white hat.

In all of these instances, passwords were broken.

In my opinion, these incidents do not represent breakdowns of the IoT devices’ security stack. Cracking passwords, often default passwords, provides a much simpler entrée into the devices.

Is this the fault of the IoT industry? In my opinion, it is.

Consumers are not network engineers. Giving consumers a default password is inherently a bad idea if it’s the same password in every similar manufactured device, whether it’s a Webcam or a network router. Default passwords are an open invitation to simple hacking, amplified by the natural sloth we all have when it comes to “non-essential” things like security.

If auto insurance were not mandated by law, few drivers would carry auto insurance. Even though auto insurance is mandated by law, a 2017 study conducted by the Insurance Research Council (IRC) found that 13 percent of motorists, about one in eight drivers that you pass on the road every day, were uninsured in 2015. My father, a personal injury attorney, used to say when passing a beat-up old vehicle, “That car has uninsured motorist written all over it.” He didn’t need a study. He knew from experience.

Based on very little data except for the existence of sites like Insecam, I’m guessing that there are more Webcams on the Internet with default passwords than there are Webcams with a non-default password, let alone hack-resistant passwords.

In the case of the Texas incident, Houston’s KPRC Channel 2 contacted Nest and reported the company’s response:

“We have seen instances where customers reused passwords that were previously exposed through breaches on other websites and published publicly … Reusing compromised passwords can expose customers to other people using the credentials to log into their Nest account and potentially other websites and services … We are now also rolling out changes to proactively prevent customers from using a password compromised in a public breach as their Nest password.”

Well, lesson learned for Nest, but perhaps not for the rest of the industry.
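The two defenses the article has described so far, refusing the factory default credential that ships in every unit and refusing any password already exposed in a public breach, fit in one setup-time policy check. The following is an added illustration, not Nest's code or any vendor's; the device model, its factory defaults, the minimum length, and the tiny breach corpus are all constructed for the example, and the breach lookup imitates the hash-prefix (k-anonymity) style of public breach services so the cleartext password never leaves the device.

```python
"""Hypothetical IoT camera password-policy check (added example, not a vendor's code)."""
import hashlib
import secrets

# Constructed sample breach corpus: SHA-1 hashes of passwords that a public
# breach list would contain. A real device would query an external service.
BREACH_CORPUS = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty123", "letmein12345")
}

# Constructed factory defaults for this hypothetical camera model.
FACTORY_DEFAULTS = {"admin", "12345", "camera"}
MIN_LENGTH = 8  # assumed policy minimum for the example


def breach_lookup(prefix):
    """Simulate a k-anonymity breach API: the caller sends only the first five
    hex digits of the SHA-1 and receives every matching hash suffix."""
    return [h[5:] for h in BREACH_CORPUS if h.startswith(prefix)]


def is_breached(password):
    """Check the password locally against the suffixes returned for its prefix."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in breach_lookup(prefix)


def check_password(password):
    """Return (accepted, reason) for a candidate device password."""
    if password in FACTORY_DEFAULTS:
        return False, "factory default credential"
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if is_breached(password):
        return False, "appears in a public breach"
    return True, "ok"


def provision_setup_password():
    """Per-device random setup password, so no two units share a default.
    Printed on the unit's label at manufacture in the hypothetical design."""
    candidate = secrets.token_urlsafe(12)
    # Regenerate in the (astronomically unlikely) case the policy rejects it.
    while not check_password(candidate)[0]:
        candidate = secrets.token_urlsafe(12)
    return candidate
```

The policy order matters: the default-credential check runs first so a short factory default is reported for what it is rather than as a length failure.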

It’s worth repeating some advice from McAfee’s solution brief titled “Secure IoT Devices to Protect Against Attacks”:

“Attackers follow the path of least resistance to gain control of IoT devices. Usually, this is through weak credentials. But they can adapt to strong credentials and other security controls. This is the pattern we have seen with many attack vectors. McAfee recommends blocking known exploits and likely future maneuvers by attackers…

“IoT manufacturers must embed security into the architecture, interfaces, and designs of their products. Establish and test basic security concepts and capabilities such as compartmentalization of data and code, communication between trusted parties, data protection both in use and at rest, and authentication of users. Products in the future will be more powerful, store more data, and possess more functionality. This means products should have the ability for security updates, feature locking, build validation, software vetting, and default configurations that follow industry best practices. It all starts with the manufacturer; future proofing begins at the foundations. The hardware, firmware, operating systems, and software must be designed to go into a hostile environment and survive. IoT device buyers should examine a potential purchase with this in mind. Has the manufacturer designed and architected the IoT device with security in mind?”

IoT devices, including security cameras, provide significant benefits to consumers and to industry, and I’m not naïve enough to believe that all IoT devices will shortly become better secured against hacking. Where there’s no regulation or enforcement of said regulations, there’s no protection. As my auto-insurance example demonstrates, there can be widespread disregard of laws and regulations even when and where they exist. It’s really up to each of us in the design community to take a stand against the kind of gross vulnerability we’re already building into IoT devices.

What will you do about it?

One thought on “This Apocalypse Brought to You by the IoT”

  1. Great Information. Thank You Author, for sharing your valuable information about IoT with us. People who are reading this blog can continue your knowledge which you gained with us and know how to apply this practically along with our IoT Training
