Home Automation and Cryptography Expert on DDoS Attack: Don’t Blame IoT
Blaming last week’s Internet outage on the rise of connected devices is just a convenient meme, says encryption expert Will Price, founder of the home automation provider Simple Control (Roomie Remote).
The widespread Internet outage last week has been traced to the infection of some 500,000 IP cameras and DVRs made by a single company in China – Hangzhou Xiongmai Technology – that shipped devices with weak default passwords.
But don’t indict the entire category of smart-home devices and the Internet of Things, says Will Price, founder of the home automation developer Simple Control (Roomie Remote) and an expert cryptographer who co-founded PGP, the company behind the most widely used email encryption software in the world (ultimately acquired by Symantec).
“A popular meme is that this [DDoS attack] is related to the ‘Internet of Things,’ but that's just a marketing buzzword,” Price tells CE Pro. “Very specific network camera DVRs and camera firmware were involved in this particular attack. The budding Internet of Things has no more to do with this than the advent of the Internet caused Windows XP security problems. It is the vendors releasing products not properly secured that are at fault.”
In this case, a botnet scoured the Internet for easy targets, trying 68 combinations of user names and passwords, such as “admin” and “12345,” depositing “Mirai” malware on vulnerable devices and then commanding the devices to flood the Web.
The hackers have released the source code used in the attack, so copycat crimes are inevitable.
“This is an infrastructure attack,” Price notes. “Regular users are not threatened by this.”
Even so, the disruption was a stark reminder to consumers that factory-set passwords need to be changed for all connected devices and a wake-up call to manufacturers to quit enabling hackable credentials.
How to Find Default Passwords: Online User Manuals
Security expert Brian Krebs of the eponymous site performed a quick online review of devices with pre-set usernames and passwords, simply by looking for the information in the manufacturers’ installation guides.
His list of potentially vulnerable devices includes a Samsung Camera (admin/1111111), Ubiquiti AirOS Router (ubnt/ubnt), Axis IP cameras (root/pass), Panasonic printer (root/00000000) and numerous cameras and DVRs from Dahua, HiSilicon and others.
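The scanning behaviour described above (one source trying a list of factory default credentials against many devices) and the default pairs from Krebs's list suggest a simple defender-side check. The following is an added example, not code from the article or from Simple Control: it parses constructed telnet-authentication log lines in a hypothetical format, flags sources that cycle through several known default pairs, and flags devices that accepted one.

```python
import re
from collections import defaultdict

# Default credentials named in the article (Krebs's list plus the
# admin/12345 pair the botnet tried). A real deployment would load the
# full published list rather than this short sample.
KNOWN_DEFAULTS = {
    ("admin", "12345"), ("admin", "1111111"), ("ubnt", "ubnt"),
    ("root", "pass"), ("root", "00000000"),
}

# Constructed sample log in a hypothetical format (assumption):
# "<ts> <device_ip> telnet-auth src=<ip> user=<u> pass=<p> result=<ok|fail>"
SAMPLE_LOG = """\
2016-10-21T11:10:01Z 10.0.0.5 telnet-auth src=198.51.100.7 user=admin pass=12345 result=fail
2016-10-21T11:10:02Z 10.0.0.5 telnet-auth src=198.51.100.7 user=root pass=pass result=fail
2016-10-21T11:10:03Z 10.0.0.5 telnet-auth src=198.51.100.7 user=ubnt pass=ubnt result=fail
2016-10-21T11:10:04Z 10.0.0.5 telnet-auth src=198.51.100.7 user=root pass=00000000 result=ok
2016-10-21T11:15:00Z 10.0.0.6 telnet-auth src=192.0.2.44 user=installer pass=Hx9!qLw2 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) telnet-auth src=(?P<src>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$")

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def analyze(text, scan_threshold=3):
    """Return (scanners, compromised).

    scanners    - source IPs that tried >= scan_threshold distinct default pairs
    compromised - device IPs on which a default pair was accepted (result=ok)
    """
    default_tries = defaultdict(set)
    compromised = set()
    for ev in parse_log(text):
        pair = (ev["user"], ev["pw"])
        if pair not in KNOWN_DEFAULTS:
            continue  # non-default credentials are not what we are hunting
        default_tries[ev["src"]].add(pair)
        if ev["result"] == "ok":
            compromised.add(ev["device"])
    scanners = {src for src, pairs in default_tries.items()
                if len(pairs) >= scan_threshold}
    return scanners, compromised

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A device that shows up in the compromised set is one whose factory password was never changed; that is the list to patch or disconnect first.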
Price suggests, “Information on patching or even disconnecting vulnerable devices by specific models from the Internet needs to be more available – the equivalent of the airlines now announcing on every flight that Galaxy Note 7 devices are not allowed.”
Manufacturers should be publicly flogged for shipping smart devices with dumb defaults – or something like that.
“Vendors that continue to release products unpatched and vulnerable to these kinds of issues must be named and openly identified (usually end users have no idea this is even happening on their network) and for repeat offenders, shamed,” Price says.
Thwarting DDoS and other network attacks should be a national priority, he adds.
“DDoS is the primary attack mechanism in use today and defending against it requires nation-level oversight over routing and automatic DDoS detection and defense,” according to Price. “This infrastructure does not exist today so each of these events requires effectively a one-off solution.”
As it happens, the attack coincides with the U.S. government’s surrender of the Domain Name System (DNS) to an international body, ICANN. The target of the attack was Dyn, a major DNS provider.
“The U.S. is now in a much more precarious position than it was previously relative to DNS attacks,” Price says.
He warns that this most recent attack was just a practice run, like the test fire of a missile – “a warning that we need to get our infrastructure in place to defend in the future against significantly improved versions of this attack.”
In the meantime, change those usernames and passwords, people.
Julie Jacobson is founding editor of CE Pro, the leading media brand for the home-technology channel. She has covered the smart-home industry since 1994, long before there was much of an Internet, let alone an Internet of things. Currently she studies, speaks, writes and rabble-rouses in the areas of home automation, security, networked A/V, wellness-related technology, biophilic design, and the business of home technology. Julie majored in Economics at the University of Michigan, spent a year abroad at Cambridge University, and earned an MBA from the University of Texas at Austin. She is a recipient of the annual CTA TechHome Leadership Award, and a CEDIA Fellows honoree. A washed-up Ultimate Frisbee player, Julie currently resides in San Antonio, Texas and sometimes St. Paul, Minn. Follow on Twitter: @juliejacobson