CE Pro BEST Product Awards | CE Pro BEST Project Awards
Networking & Cables

Home Automation and Cryptography Expert on DDoS Attack: Don’t Blame IoT

Blaming last week’s Internet outage on the rise of connected devices is just a convenient meme, says encryption expert Will Price, founder of the home automation provider Simple Control (Roomie Remote).

Home Automation and Cryptography Expert on DDoS Attack: Don’t Blame IoT
As KrebsOnSecurity shows, it's not that difficult to find default user names and passwords for IP devices. Malware installed on certain Chinese-manufactured cameras and DVRs caused a DDoS attack, but Simple Control founder Will Price says don't indict the entire Internet of Things movement.

Julie Jacobson · October 24, 2016

The widespread Internet outage last week has been traced to the infection of some 500,000 IP cameras and DVRs made by a single company in China – Hangzhou Xiongmai Technology – that shipped devices with weak default passwords.

But don’t indict the entire category of smart-home devices and the Internet of Things, says Will Price, founder of the home automation developer Simple Control (Roomie Remote) and an expert cryptographer who co-founded PGP, the company behind the most widely used email encryption software in the world (ultimately acquired by Symantec).

“A popular meme is that this [DDoS attack] is related to the ‘Internet of Things,’ but that's just a marketing buzzword,” Price tells CE Pro. “Very specific network camera DVRs and camera firmware was involved in this particular attack. The budding Internet of Things has no more to do with this than the advent of the Internet caused Windows XP security problems. It is the vendors releasing products not properly secured that are at fault.”

In this case, a botnet scoured the Internet for easy targets, trying 68 combinations of user names and passwords, such as “admin” and “12345,” depositing “Mirai” malware on vulnerable devices and then commanding the devices to flood the Web.

The hackers have released the source code used in the attack, so copycat crimes are inevitable.

Fortunately, the only damage from the attack seems to have been slow-running sites like Twitter, the ironic takedown of KrebsOnSecurity, and home automation systems like Wink that couldn’t connect.

“This is an infrastructure attack,” Price notes. “Regular users are not threatened by this.”

Even so, the disruption was a stark reminder to consumers that factory-set passwords need to be changed for all connected devices and a wake-up call to manufacturers to quit enabling hackable credentials.

How to Find Default Passwords: Online User Manuals

Security expert Brian Krebs of the eponymous site performed a quick online review of devices with pre-set usernames and passwords, simply by looking for the information in the manufacturers’ installation guides.

His list of potentially vulnerable devices include a Samsung Camera (admin/1111111), Ubiquiti AirOS Router (ubnt/ubnt), Axis IP cameras (root/pass), Panasonic printer (root/00000000) and numerous cameras and DVRs from Dahua, HiSilicon and others.

Price suggests, “Information on patching or even disconnecting vulnerable devices by specific models from the Internet needs to be more available – the equivalent of the airlines now announcing on every flight that Galaxy Note 7 devices are not allowed.”

Manufacturers should be publicly flogged for shipping smart devices with dumb defaults – or something like that.

“Vendors that continue to release products unpatched and vulnerable to these kinds of issues must be named and openly identified (usually end users have no idea this is even happening on their network) and for repeat offenders, shamed,” Price says.

Thwarting DDoS and other network attacks should be a national priority, he adds.

“DDoS is the primary attack mechanism in use today and defending against it requires needs nation-level oversight over routing and automatic DDoS detection and defense,” according to Price. “This infrastructure does not exist today so each of these events requires effectively a one-off solution.”

As it happens, the attack coincides with the U.S. government’s surrender of the Domain Name System (DNS) to an international body, ICANN. The target of the attack was Dyn, a major DNS provider.

“The U.S. is now in a much more precarious position than it was previously relative to DNS attacks,” Price says.

He warns that this most recent attack was just a practice run, like the test fire of a missile – “a warning that we need to get our infrastructure in place to defend in the future against significantly improved versions of this attack.”

In the meantime, change those usernames and passwords, people.



We're Looking for Your BEST Projects

Don’t miss your chance to enter to win a 2019 BEST Projects Award. We’ll be announcing winners at a special Gala event at CEDIA EXPO. We can’t wait to see what you’ve been up to this year! Enter your projects now.




  About the Author

Julie Jacobson is founding editor of CE Pro, the leading media brand for the home-technology channel. She has covered the smart-home industry since 1994, long before there was much of an Internet, let alone an Internet of things. Currently she studies, speaks, writes and rabble-rouses in the areas of home automation, security, networked A/V, wellness-related technology, biophilic design, and the business of home technology. Julie majored in Economics at the University of Michigan, spent a year abroad at Cambridge University, and earned an MBA from the University of Texas at Austin. She is a recipient of the annual CTA TechHome Leadership Award, and a CEDIA Fellows honoree. A washed-up Ultimate Frisbee player, Julie currently resides in San Antonio, Texas and sometimes St. Paul, Minn. Follow on Twitter: @juliejacobson Email Julie at julie.jacobson@emeraldexpo.com

Follow Julie on social media:
Twitter · LinkedIn · Google+

Julie also participates in these groups:
LinkedIn · Google+

View Julie Jacobson's complete profile.



  Article Topics


Networking & Cables · Networking · Security · News · Cybersecurity · IoT · Simple Control · Wink · All Topics
CE Pro Magazine

Read More Articles Like This… With A Free Subscription

CE Pro magazine is the resource you need to keep up-to-date on the latest products, techniques, designs and business practices. Subscribe today!

Subscribe Today!

Comments

Posted by davepedigo on October 25, 2016

The CEDIA Technology Advisory Council is the industry think-tank focused on emerging trends, opportunities and threats. As most know, there was a major DDoS attack last week which showed major vulnerabilities in current mass market IoT devices. We, the Technology Advisory Council, have had extensive discussions about how to address the issue and our official statement is found below. It should be noted that CEDIA is participating with the Consumer Technology Association and other organizations, including governmental bodies, to help figure out best practices for securing technology. If any are interested in participating, please feel free to contact me.

CEDIA Technology Council Update: DDoS Attack and What this Means for Our Industry
Last week, many areas of the United States felt the pain of a massive Distributed Denial of Service (DDoS) attack which took down a Domain Name Server (DNS) located in New Hampshire. The DNS Server is responsible for significant Internet traffic across the U.S. It is estimated that upwards of 500,000 IP enabled cameras and DVRs were infected with the Mirai DDoS hack, and utilized to take down the DNS server.

This DDoS attack demonstrates that internet security must be a priority at the consumer, technology professional, and manufacturer level. While the U.S. Government and some manufacturers are taking cybersecurity seriously, there is much work to be done to protect both the global internet infrastructure and users’ privacy. The question remains, how does the IoT experience continue its meteoric growth while mitigating potential threats?

For manufacturers, the challenge is to build product that does not sacrifice security for convenience. The ability to allow installation professionals to enter secure passwords, close unnecessary ports and, most critically, enable IP connected devices to be securely updated when their software has been compromised is essential.

For consumers, there are inherent vulnerabilities to having devices always connected to the internet. Hiring a professional to design, install, and maintain all products being used in a connected environment is a step in the right direction to helping secure both the internet and the building the products are being used in. Consumers should review the credentials of anyone installing internet connected devices in their building: This individual should hold professional certification(s) that prove their baseline knowledge.

For technology professionals, is critical to work with IoT/network device suppliers that take security seriously, and vet them to ensure they are implementing strong security practices. Technology professionals should educate clients on the risks/rewards of network enabled devices.
The internet of things is truly in the nascent stages of development, and so some will argue that these security issues are just growing pains and manufacturers and consumers will soon catch up. While it is true that we are at the beginning of the internet of things and the fourth industrial revolution, failing to address these issues now will stymie both adoption rates and innovation. This attack is a clear wake-up call. The time is now to take internet and device security seriously and face it head on for a more prosperous and secure future.

———————————————
Dave Pedigo, ESC-T, ESC-D
Vice President, Emerging Technologies
CEDIA
Indianapolis, IN
317-735-4052

Posted by davepedigo on October 25, 2016

The CEDIA Technology Advisory Council is the industry think-tank focused on emerging trends, opportunities and threats. As most know, there was a major DDoS attack last week which showed major vulnerabilities in current mass market IoT devices. We, the Technology Advisory Council, have had extensive discussions about how to address the issue and our official statement is found below. It should be noted that CEDIA is participating with the Consumer Technology Association and other organizations, including governmental bodies, to help figure out best practices for securing technology. If any are interested in participating, please feel free to contact me.

CEDIA Technology Council Update: DDoS Attack and What this Means for Our Industry
Last week, many areas of the United States felt the pain of a massive Distributed Denial of Service (DDoS) attack which took down a Domain Name Server (DNS) located in New Hampshire. The DNS Server is responsible for significant Internet traffic across the U.S. It is estimated that upwards of 500,000 IP enabled cameras and DVRs were infected with the Mirai DDoS hack, and utilized to take down the DNS server.

This DDoS attack demonstrates that internet security must be a priority at the consumer, technology professional, and manufacturer level. While the U.S. Government and some manufacturers are taking cybersecurity seriously, there is much work to be done to protect both the global internet infrastructure and users’ privacy. The question remains, how does the IoT experience continue its meteoric growth while mitigating potential threats?

For manufacturers, the challenge is to build product that does not sacrifice security for convenience. The ability to allow installation professionals to enter secure passwords, close unnecessary ports and, most critically, enable IP connected devices to be securely updated when their software has been compromised is essential.

For consumers, there are inherent vulnerabilities to having devices always connected to the internet. Hiring a professional to design, install, and maintain all products being used in a connected environment is a step in the right direction to helping secure both the internet and the building the products are being used in. Consumers should review the credentials of anyone installing internet connected devices in their building: This individual should hold professional certification(s) that prove their baseline knowledge.

For technology professionals, is critical to work with IoT/network device suppliers that take security seriously, and vet them to ensure they are implementing strong security practices. Technology professionals should educate clients on the risks/rewards of network enabled devices.
The internet of things is truly in the nascent stages of development, and so some will argue that these security issues are just growing pains and manufacturers and consumers will soon catch up. While it is true that we are at the beginning of the internet of things and the fourth industrial revolution, failing to address these issues now will stymie both adoption rates and innovation. This attack is a clear wake-up call. The time is now to take internet and device security seriously and face it head on for a more prosperous and secure future.

———————————————
Dave Pedigo, ESC-T, ESC-D
Vice President, Emerging Technologies
CEDIA
Indianapolis, IN
317-735-4052