feature article
Subscribe Now

This Apocalypse Brought to You by the IoT

Goodbye to Los Angeles, Chicago, and Ohio, said the Webcam

Last January, the speaker in a Nest Cam indoor home security camera blared out a piercing alarm in Laura Lyons’ living room in Orinda, California. Alarming news followed the alert tone: North Korea had just launched ICBM’s at Los Angeles, Chicago, and Ohio. (Who knows what the North Korean regime has against Ohio?) The warning gave residents three hours to evacuate the targeted areas. Months later, it’s clear that no missiles were launched. Nothing happened. Nothing blew up. Los Angeles, Chicago, and the entire state of Ohio were all still there, last time I checked.

The Lyons’ family was the victim of a ghastly fraud, brought to their living room by the poor security built into nearly every IoT device. (See “Do This now! Before the IoT Security Tsunami Hits.”) It’s not really a problem of the security technology, it’s a failure of the social engineering assumptions built into the security technology.

The Lyons’ security camera was hacked for the simplest of reasons: an insecure password. The security assumptions built into the Nest Cam’s software were based on the idea that people will use sufficiently complex passwords to protect against hacking. A quick trip to Insecam will give you some idea of how many insecure and poorly secured Webcams there are in the world. The site tells you up front:

“The world biggest directory of online surveillance security cameras. Select a country to watch live street, traffic, parking, office, road, beach, earth online webcams. Now you can search live web cams around the world. You can find here Axis, Panasonic, Linksys, Sony, TPLink, Foscam and a lot of other network video cams available online without a password.”

However, Insecam no longer gives you access to all of the insecure Webcams it once did. Some amount of filtering of Webcam IP addresses has taken place on the site to try to avoid a repeat of the Lyons’ apocalyptic incident. Don’t get too comfortable, however. There are millions of Webcams on the Internet at this point, and here’s what Insecam’s home page has to say about that:

“Any private or unethical camera will be removed immediately upon e-mail complaint. Please provide a direct link to help facilitate the prompt removal of the camera. If you do not want to contact us by e-mail, you can still remove your camera from Insecam. The only thing you need to do is to set the password of your camera.”

My guess is that 99.9999 percent of all Webcam users don’t know that Insecam even exists, which means they won’t be asking Insecam to remove their Webcams from the list. Further, I’m guessing that a similar percentage of EEJournal readers, a fairly sophisticated segment of the general population when it comes to networking, also didn’t know about Insecam before reading this article. However, hackers do.

The Lyons’ apocalyptic experience is not unique. Last year, a wireless baby monitor in a child’s bedroom in Texas issued a string of expletives followed by a kidnapping threat. A hacker had taken control of the monitor’s speaker. A “white hat hacker” from Canada took over yet another Nest Web cam, this one belonging a realtor in Arizona, to warn the owner that his camera was vulnerable to hacking. Good thing the hacker was wearing a white hat.

In all of these instances, passwords were broken.

In my opinion, these incidents do not represent breakdowns of the IoT devices’ security stack. Cracking passwords, often default passwords, provides a much simpler entrée into the devices.

Is this the fault of the IoT industry? In my opinion, it is.

Consumers are not network engineers. Giving consumers a default password is inherently a bad idea if it’s the same password in every similar manufactured device, whether it’s a Webcam or a network router. Default passwords are an open invitation to simple hacking, amplified by the natural sloth we all have when it comes to “non-essential” things like security.

If auto insurance were not mandated by law, few drivers would carry auto insurance. Even though auto insurance is mandated by law, a 2017 study conducted by the Insurance Research Council (IRC) found that 13 percent of motorists, about one in eight drivers that you pass on the road every day, was uninsured in 2015. My father, a personal injury attorney, used to say when passing a beat up old vehicle, “That car has uninsured motorist written all over it.” He didn’t need a study. He knew from experience.

Based on very little data except for the existence of sites like Insecam, I’m guessing that there are more Webcams on the Internet with default passwords than there are Webcams with a non-default password, let alone hack-resistant passwords.

In the case of the Texas incident, Houston’s KPRC Channel 2 contacted Nest and reported the company’s response:

“We have seen instances where customers reused passwords that were previously exposed through breaches on other websites and published publicly … Reusing compromised passwords can expose customers to other people using the credentials to log into their Nest account and potentially other websites and services … We are now also rolling out changes to proactively prevent customers from using a password compromised in a public breach as their Nest password.”

Well, lesson learned for Nest, but perhaps not for the rest of the industry.

It’s worth repeating some advice from McAffee’s solution brief titled “Secure IoT Devices to Protect Against Attacks”:

“Attackers follow the path of least resistance to gain control of IoT devices. Usually, this is through weak credentials. But they can adapt to strong credentials and other security controls. This is the pattern we have seen with many attack vectors. McAfee recommends blocking known exploits and likely future maneuvers by attackers…

“IoT manufacturers must embed security into the architecture, interfaces, and designs of their products. Establish and test basic security concepts and capabilities such as compartmentalization of data and code, communication between trusted parties, data protection both in use and at rest, and authentication of users. Products in the future will be more powerful, store more data, and possess more functionality. This means products should have the ability for security updates, feature locking, build validation, software vetting, and default configurations that follow industry best practices. It all starts with the manufacturer; future proofing begins at the foundations. The hardware, firmware, operating systems, and software must be designed to go into a hostile environment and survive. IoT device buyers should examine a potential purchase with this in mind. Has the manufacturer designed and architected the IoT device with security in mind?”

IoT devices, including security cameras, provide significant benefits to consumers and to industry, and I’m not naïve enough to believe that all IoT devices will shortly become better secured against hacking. Where there’s no regulation or enforcement of said regulations, there’s no protection. As my auto-insurance example demonstrates, there can be widespread disregard of laws and regulations even when and where they exist. It’s really up to each of us in the design community to take a stand against the kind of gross vulnerability we’re already building into IoT devices.

What will you do about it?

One thought on “This Apocalypse Brought to You by the IoT”

  1. Great Information. Thank You Author, for sharing your valuable information about iot with us. People who are reading this blog can continue your knowledge which you gained with us and know how to apply this practically along with our IoT Training

Leave a Reply

featured blogs
Sep 30, 2022
When I wrote my book 'Bebop to the Boolean Boogie,' it was certainly not my intention to lead 6-year-old boys astray....
Sep 30, 2022
Wow, September has flown by. It's already the last Friday of the month, the last day of the month in fact, and so time for a monthly update. Kaufman Award The 2022 Kaufman Award honors Giovanni (Nanni) De Micheli of École Polytechnique Fédérale de Lausanne...
Sep 29, 2022
We explain how silicon photonics uses CMOS manufacturing to create photonic integrated circuits (PICs), solid state LiDAR sensors, integrated lasers, and more. The post What You Need to Know About Silicon Photonics appeared first on From Silicon To Software....

featured video

PCIe Gen5 x16 Running on the Achronix VectorPath Accelerator Card

Sponsored by Achronix

In this demo, Achronix engineers show the VectorPath Accelerator Card successfully linking up to a PCIe Gen5 x16 host and write data to and read data from GDDR6 memory. The VectorPath accelerator card featuring the Speedster7t FPGA is one of the first FPGAs that can natively support this interface within its PCIe subsystem. Speedster7t FPGAs offer a revolutionary new architecture that Achronix developed to address the highest performance data acceleration challenges.

Click here for more information about the VectorPath Accelerator Card

featured chalk talk

Power Multiplexing with Discrete Components

Sponsored by Mouser Electronics and Toshiba

Power multiplexing is a vital design requirement for a variety of different applications today. In this episode of Chalk Talk, Amelia Dalton chats with Talayeh Saderi from Toshiba about what kind of power multiplex solution would be the best fit for your next design. They discuss five unique design considerations that we should think about when it comes to power multiplexing and the benefits that high side gate drivers bring to power multiplexing.

Click here for more information about Toshiba Gate Driver + MOSFET for 5-24V Line Power MUX