feature article
Subscribe Now

This Apocalypse Brought to You by the IoT

Goodbye to Los Angeles, Chicago, and Ohio, said the Webcam

Last January, the speaker in a Nest Cam indoor home security camera blared out a piercing alarm in Laura Lyons’ living room in Orinda, California. Alarming news followed the alert tone: North Korea had just launched ICBM’s at Los Angeles, Chicago, and Ohio. (Who knows what the North Korean regime has against Ohio?) The warning gave residents three hours to evacuate the targeted areas. Months later, it’s clear that no missiles were launched. Nothing happened. Nothing blew up. Los Angeles, Chicago, and the entire state of Ohio were all still there, last time I checked.

The Lyons’ family was the victim of a ghastly fraud, brought to their living room by the poor security built into nearly every IoT device. (See “Do This now! Before the IoT Security Tsunami Hits.”) It’s not really a problem of the security technology, it’s a failure of the social engineering assumptions built into the security technology.

The Lyons’ security camera was hacked for the simplest of reasons: an insecure password. The security assumptions built into the Nest Cam’s software were based on the idea that people will use sufficiently complex passwords to protect against hacking. A quick trip to Insecam will give you some idea of how many insecure and poorly secured Webcams there are in the world. The site tells you up front:

“The world biggest directory of online surveillance security cameras. Select a country to watch live street, traffic, parking, office, road, beach, earth online webcams. Now you can search live web cams around the world. You can find here Axis, Panasonic, Linksys, Sony, TPLink, Foscam and a lot of other network video cams available online without a password.”

However, Insecam no longer gives you access to all of the insecure Webcams it once did. Some amount of filtering of Webcam IP addresses has taken place on the site to try to avoid a repeat of the Lyons’ apocalyptic incident. Don’t get too comfortable, however. There are millions of Webcams on the Internet at this point, and here’s what Insecam’s home page has to say about that:

“Any private or unethical camera will be removed immediately upon e-mail complaint. Please provide a direct link to help facilitate the prompt removal of the camera. If you do not want to contact us by e-mail, you can still remove your camera from Insecam. The only thing you need to do is to set the password of your camera.”

My guess is that 99.9999 percent of all Webcam users don’t know that Insecam even exists, which means they won’t be asking Insecam to remove their Webcams from the list. Further, I’m guessing that a similar percentage of EEJournal readers, a fairly sophisticated segment of the general population when it comes to networking, also didn’t know about Insecam before reading this article. However, hackers do.

The Lyons’ apocalyptic experience is not unique. Last year, a wireless baby monitor in a child’s bedroom in Texas issued a string of expletives followed by a kidnapping threat. A hacker had taken control of the monitor’s speaker. A “white hat hacker” from Canada took over yet another Nest Web cam, this one belonging a realtor in Arizona, to warn the owner that his camera was vulnerable to hacking. Good thing the hacker was wearing a white hat.

In all of these instances, passwords were broken.

In my opinion, these incidents do not represent breakdowns of the IoT devices’ security stack. Cracking passwords, often default passwords, provides a much simpler entrée into the devices.

Is this the fault of the IoT industry? In my opinion, it is.

Consumers are not network engineers. Giving consumers a default password is inherently a bad idea if it’s the same password in every similar manufactured device, whether it’s a Webcam or a network router. Default passwords are an open invitation to simple hacking, amplified by the natural sloth we all have when it comes to “non-essential” things like security.

If auto insurance were not mandated by law, few drivers would carry auto insurance. Even though auto insurance is mandated by law, a 2017 study conducted by the Insurance Research Council (IRC) found that 13 percent of motorists, about one in eight drivers that you pass on the road every day, was uninsured in 2015. My father, a personal injury attorney, used to say when passing a beat up old vehicle, “That car has uninsured motorist written all over it.” He didn’t need a study. He knew from experience.

Based on very little data except for the existence of sites like Insecam, I’m guessing that there are more Webcams on the Internet with default passwords than there are Webcams with a non-default password, let alone hack-resistant passwords.

In the case of the Texas incident, Houston’s KPRC Channel 2 contacted Nest and reported the company’s response:

“We have seen instances where customers reused passwords that were previously exposed through breaches on other websites and published publicly … Reusing compromised passwords can expose customers to other people using the credentials to log into their Nest account and potentially other websites and services … We are now also rolling out changes to proactively prevent customers from using a password compromised in a public breach as their Nest password.”

Well, lesson learned for Nest, but perhaps not for the rest of the industry.

It’s worth repeating some advice from McAffee’s solution brief titled “Secure IoT Devices to Protect Against Attacks”:

“Attackers follow the path of least resistance to gain control of IoT devices. Usually, this is through weak credentials. But they can adapt to strong credentials and other security controls. This is the pattern we have seen with many attack vectors. McAfee recommends blocking known exploits and likely future maneuvers by attackers…

“IoT manufacturers must embed security into the architecture, interfaces, and designs of their products. Establish and test basic security concepts and capabilities such as compartmentalization of data and code, communication between trusted parties, data protection both in use and at rest, and authentication of users. Products in the future will be more powerful, store more data, and possess more functionality. This means products should have the ability for security updates, feature locking, build validation, software vetting, and default configurations that follow industry best practices. It all starts with the manufacturer; future proofing begins at the foundations. The hardware, firmware, operating systems, and software must be designed to go into a hostile environment and survive. IoT device buyers should examine a potential purchase with this in mind. Has the manufacturer designed and architected the IoT device with security in mind?”

IoT devices, including security cameras, provide significant benefits to consumers and to industry, and I’m not naïve enough to believe that all IoT devices will shortly become better secured against hacking. Where there’s no regulation or enforcement of said regulations, there’s no protection. As my auto-insurance example demonstrates, there can be widespread disregard of laws and regulations even when and where they exist. It’s really up to each of us in the design community to take a stand against the kind of gross vulnerability we’re already building into IoT devices.

What will you do about it?

One thought on “This Apocalypse Brought to You by the IoT”

  1. Great Information. Thank You Author, for sharing your valuable information about iot with us. People who are reading this blog can continue your knowledge which you gained with us and know how to apply this practically along with our IoT Training

Leave a Reply

featured blogs
Oct 23, 2020
The Covid-19 pandemic continues to impact our lives in both expected and unexpected ways. Unfortunately, one of the expected ways is a drop in charitable donations. Analysts predict anywhere from a 6% decrease '€“ with many planning for a bigger decline than that. Also, mor...
Oct 23, 2020
[From the last episode: We noted that some inventions, like in-memory compute, aren'€™t intuitive, being driven instead by the math.] We have one more addition to add to our in-memory compute system. Remember that, when we use a regular memory, what goes in is an address '...
Oct 23, 2020
Any suggestions for a 4x4 keypad in which the keys aren'€™t wobbly and you don'€™t have to strike a key dead center for it to make contact?...
Oct 23, 2020
At 11:10am Korean time this morning, Cadence's Elias Fallon delivered one of the keynotes at ISOCC (International System On Chip Conference). It was titled EDA and Machine Learning: The Next Leap... [[ Click on the title to access the full blog on the Cadence Community ...

featured video

Demo: Low-Power Machine Learning Inference with DesignWare ARC EM9D Processor IP

Sponsored by Synopsys

Applications that require sensing on a continuous basis are always on and often battery operated. In this video, the low-power ARC EM9D Processors run a handwriting character recognition neural network graph to infer the letter that is written.

Click here for more information about DesignWare ARC EM9D / EM11D Processors

featured Paper

New package technology improves EMI and thermal performance with smaller solution size

Sponsored by Texas Instruments

Power supply designers have a new tool in their effort to achieve balance between efficiency, size, and thermal performance with DC/DC power modules. The Enhanced HotRod™ QFN package technology from Texas Instruments enables engineers to address design challenges with an easy-to-use footprint that resembles a standard QFN. This new package type combines the advantages of flip-chip-on-lead with the improved thermal performance presented by a large thermal die attach pad (DAP).

Click here to download the whitepaper

Featured Chalk Talk

Automotive MOSFET for the Transportation Market

Sponsored by Mouser Electronics and Infineon

MOSFETS are critical in automotive applications, where long-term reliability is paramount. But, do we really understand the failure rates and mechanisms in the devices we design in? In this episode of Chalk Talk, Amelia Dalton sits down with Jeff Darrow of Infineon to discuss the role of MOSFETS in transportation, solder inspection, qualification.

Click here for more information about Infineon Technologies OptiMOS™ 5 Power MOSFETs