Beauty and The Beast set me up with some unrealistic expectations of my household furnishings. Whilst the Internet of Things (IoT) may not yet have given candelabras a quippy sentience, it has given standard home fixtures a secret life. However, this isn't quite the heart-warming picture Disney painted for us.
Our connected home products, often equipped with factory-default security settings, are easy pickings for hackers. But before you sigh and ask 'But why on earth would a gang want to hack a toaster?', consider this: their motivation isn't always your personal information. What they're sometimes seeking is the bandwidth that those billions of vulnerable connected devices provide when connected as a botnet.
The weaponisation of the Internet of Things has taken many consumer tech brands by surprise. You might remember the cyberattacks that took down major websites across the globe late last year. The servers and hosting services which control a big part of the internet's domain name system were attacked by the Mirai botnet, and the attack disrupted many popular websites we use daily. The botnet launched a Distributed Denial of Service (DDoS) attack, overwhelming the servers and hosting providers with requests and slowing websites like Netflix, The Guardian and Twitter to a halt.
Though attacks like this might seem a million miles away, they are getting closer to home. The UK has the 7th highest bot population in the world and London has the 10th highest bot population out of all the world's cities.
The Mirai botnet works by exploiting the weak security on many Internet of Things (IoT) devices such as routers, webcams, and many more. It operates by continuously scanning for IoT devices that are accessible over the internet and are protected by factory default or hardcoded user names and passwords. Devices could be compromised within minutes of going online.
As the Internet of Things (IoT) is connecting everything from fridges and kettles to baby monitors and televisions, it's time to ask, could my connected devices be part of that botnet attack?
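One way to look for an answer on your own network, shown as an added example that is not part of the original article: a device that has been recruited and is scanning for further victims contacts many different outside addresses in a short time. The sketch below flags that pattern in a constructed router log; the log format, the 192.168.1.0/24 home subnet and the Telnet ports 23 and 2323 (taken from public analyses of Mirai, not from this article) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed home subnet
SCAN_PORTS = {23, 2323}             # assumed: Telnet ports named in public Mirai analyses
# Constructed sample: "time src dst dst_port" outbound-connection lines.
SAMPLE_LOG = """\
2017-01-10T20:15:01 192.168.1.50 203.0.113.7 23
2017-01-10T20:15:02 192.168.1.50 203.0.113.99 23
2017-01-10T20:15:02 192.168.1.20 198.51.100.10 443
2017-01-10T20:15:03 192.168.1.50 198.51.100.41 2323
2017-01-10T20:15:04 192.168.1.50 192.0.2.18 23
2017-01-10T20:15:05 192.168.1.30 192.0.2.200 23
2017-01-10T20:15:06 192.168.1.50 192.0.2.77 23
garbled line from the router
2017-01-10T20:15:08 192.168.1.50 198.51.100.3 23
2017-01-10T20:15:40 192.168.1.30 192.0.2.200 23
"""

def parse(log):
    """Yield (time, src, dst, port); skip lines that do not parse."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (datetime.fromisoformat(parts[0]), ip_address(parts[1]),
                   ip_address(parts[2]), int(parts[3]))
        except ValueError:
            continue

def find_scanners(log, threshold=5, window=timedelta(seconds=60)):
    """Return {LAN host: peak distinct outside targets on SCAN_PORTS per window}."""
    hits = defaultdict(list)
    for ts, src, dst, port in parse(log):
        if src in LAN and dst not in LAN and port in SCAN_PORTS:
            hits[src].append((ts, dst))
    flagged = {}
    for src, seen in hits.items():
        seen.sort(key=lambda h: h[0])
        start = best = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # slide the window forward in time
            best = max(best, len({dst for _, dst in seen[start:end + 1]}))
        if best >= threshold:
            flagged[str(src)] = best
    return flagged
```

On the sample log only 192.168.1.50 is flagged; the host that reaches a single Telnet server twice and the one making an HTTPS connection are not.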
What are bots?
A bot is an infected device that is controlled remotely and performs tasks on command. Bots seek to spread across other vulnerable connected devices, like connected home products, to create a botnet. A botnet is nothing more than a string of connected computers, laptops and other internet-enabled devices coordinated together to perform a task. For a botnet controlled or hired by a hacker, this coordinated power is often used in a malicious manner. The malware on each bot remains dormant on an infected device until instructed to attack. Once in attack mode, the bots can execute any system command they are given. The four most common methods are:
- Send spam and viruses to a device's contact list to spread the botnet
- Steal personal details
- Cause Distributed Denial of Service (DDoS) attacks - attacks that can take down major websites and online services by overwhelming their servers with requests
- Perform click fraud - imitating human clicks on adverts and web assets to make money via pay per click schemes
So, what do hackers gain from this?
Hackers can make profit from bots both by stealing a person's bank details, and through DDoS attacks, whereby attackers hold website owners to ransom: pay or risk losing your site.
Other hackers, known as 'Hacktivists', can have different motives. They may gain access to classified company or government files with the intention to use, leak or destroy sensitive information and documents.
Some groups create bots simply for the fun of it. You might have heard about the DDoS attack on the social media site, Tumblr, back in December. A group called R.I.U Star Pilot claimed responsibility for the attacks, telling Mashable that they did the attacks as a bit of "light-hearted fun".
How can we protect our connected devices?
As yet, there is no hard and fast way to ensure all our connected home devices can remain protected from bot attacks. That said, there are several steps that will ensure devices are not as vulnerable to attackers as they might otherwise be.
- Review/research the reputation, capabilities, and security features of a smart device before purchase.
- Set up and/or change the default login and password information on your router and all the devices connected to your home network. Most importantly, always use strong and unique passwords for your router, smart devices, and your Wi-Fi network(s).
- Use a strong encryption method when setting up Wi-Fi network access (WPA).
- Consider disabling features and services you do not use or are not required.
- Modify the default privacy and security settings of your smart devices per your needs.
- Consider turning off or disabling your smart devices and home network when not in use.
- Review the settings of voice-activated features and commands for potential privacy risks and change them according to your needs.
- Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
- Consider using wired connections instead of a Wi-Fi connection where possible.
- Regularly check manufacturers' websites for software updates and patches.
- Exercise caution when sharing sensitive information, such as your Wi-Fi password, with others. Consider setting up a specific network for guest use.
- Don't use your real name when "naming" your device and Wi-Fi network.
- Consider the hidden costs of "free" services and products.
- Use security software if it is available.