Hackers are running your smart home

From the January 25th AskWoody Plus Newsletter

By Brian Livingston

I never thought it would get this bad. But it has.

There are now more Internet of Things (IoT) devices than there are people on the planet. And the vast majority of those IoT gadgets are wide open, easily taken over by malicious hackers and used against you, your community, and the world.

Almost half of all technology managers have let IoT gizmos — printers, HVAC systems, protocol gateways, etc. — into their corporate networks without changing the default passwords, according to a ForeScout survey.

Consumers have done even less to protect themselves. Many people have never changed a password on their doorbells, cameras, outlet adapters, or any other “smart home” doohickeys.

Among the people who have changed a default, according to Symantec’s 1Q2020 trend review, the password they most commonly enter is 123456.

That’s now the first password hackers try. How do we know this? IoT devices often use Telnet, a 1969 protocol that’s easy for anyone to snoop, because nodes transmit in plain text (no encryption). We can see that Telnet scans are happening, but they’re hard to stop.

This situation isn’t new. It’s been written about for years — but the problem isn’t getting better. It’s getting worse.

Fortunately, there’s hope. New regulations are supposed to rein “things” in. But until these laws take full effect, we’ll all have to take the steps shown below to keep our devices from being used against us. Read on.Someone is probably enjoying your devices right now

Home Hack
Figure 1. Researchers found that the camera on a popular robot vacuum could be controlled by hackers to observe the inside of people’s homes. Source: Video by Check Point Software Technologies

An IoT device is anything that connects to the Internet but isn’t something we usually think of as a “computer” — such as a server, desktop PC, laptop, tablet, phone, etc. Consumer gadgets include “smart” light bulbs, speakers, appliances, security systems, and many others. Corporations extensively use IoT gizmos in life-and-death healthcare, transportation, and industrial environments.

You may think this doesn’t affect you. Of course not! You’d be the last to know.

Trustworthy researchers at Check Point Software Technologies recently announced they’d discovered a way to remotely log onto the LG SmartThinQ robot vacuum cleaner. Once in control, the attackers could use the vacuum’s onboard camera to look around inside your home.

Hackers aren’t going to tell you that they know when you’re home and when you aren’t.Forget smart homes — let’s crash the Internet

Every IoT device contains some kind of CPU. By controlling that digital brain, hackers can infect other devices on your network, introduce malware into your computers, and launch denial-of-service attacks on machines anywhere in the world.

Webcams, appliances, routers, and other “smart” devices can be reprogrammed as tireless soldiers in bot armies. Hackers can order millions of individual CPUs such as these to crush almost any Internet server with gigabytes of bogus traffic.

One of the biggest attacks reportedly used 1.2 million IoT devices to make numerous websites unavailable, including Twitter, Reddit, Spotify, Github, Box, Playstation Network, and The New York Times. The so-called Mirai botnet on October 21, 2016, targeted nameservers in the eastern United States run by Dyn, a major DNS management service. The websites were knocked totally off the Web for several hours, according to a report by security analyst Brian Krebs.

What sophisticated algorithm did the creator of Mirai use to gain control of more than a million “smart” devices? None. The software simply scanned the Internet and tried 61 username-password combos that IoT gadgets are widely known to be shipped with. Gotcha!

In October 2018, one of Mirai’s coders was fined $8.6 million and confined to house arrest. But he had already released the Mirai source code publicly — possibly to make it harder for authorities to pinpoint the original author, Krebs says. Now that the tools are downloadable with a click, it’s just a matter of time before an even larger Mirai-style attack knocks offline a huge swath of the Internet that you depend on.‘Click here to kill everybody’

The good news is that after allowing 20 billion easily hackable things to be connected to the Internet (Gartner estimate), governments are finally starting to require at least some security to head off the nightmare scenario.

California and Oregon, soon followed by the US government, passed laws to require better security in IoT devices (as described by law firm Ropes & Gray). For example, California’s law — which took effect on January 1, 2021 — says IoT devices must require users to enter a new password or the maker must enter a unique password into each device before it leaves the factory.

If anyone understands the severe threat of hacked IoT gadgets, it’s security expert and Harvard Kennedy School fellow Bruce Schneier. His latest hardcover book is titled Click Here to Kill Everybody. He’s only slightly exaggerating.

In a telephone interview, Schneier stated: “We’ve seen hacked thermostats. We’ve seen hacked cars. We’ve seen hacks of pacemakers that could kill people.”

One of Schneier’s biggest worries is a bot attack on a power grid, whose command-and-control mechanism is reliant on Internet connectivity.

Could a bot attack take down the power grid of an entire state? “This is trivial stuff to do. It could be one state, it could be more than one state,” Schneier says.

If you don’t like being deprived of Internet access for a while, imagine how bad you’ll feel when you have no electrical power at all.

Schneier thinks all new IoT devices will someday comply with laws like California’s. Manufacturers don’t like to sell two differing versions of everything. “But orphan devices are going to be a big problem,” he says. Makers may simply quit the market, leaving existing devices with no technical support and no firmware patches.Can you do three things in the next seven days?

To avoid the end of civilization as we know it, we need to protect ourselves — and our communities — from the threat of the IoT gizmos we already own. New Year’s resolutions don’t work. So let’s just say we all need to do the following three things this week, and then get everyone we know to do likewise:

  1. Change the weak passwords in your devices to strong passphrases. A phrase of two or three words — including uppercase letters, numerals, and symbols — will make it much harder for hackers to gain control of your devices. Enable two-factor authentication if your device supports it. If so, it should call or text you before allowing logins. Examine your phone’s app or download a PDF manual from the maker’s website for instructions.
  2. Turn on auto-patching, if your device can do it. If it can’t, set a calendar reminder to prompt you to check for device patches every few months. (The more often, the better.)
  3. Place your IoT devices and computers on two different networks. There’s an easy way and a less-easy way to do this. You can use the easy way if you have a modem or gateway that connects to your ISP and you have a separate Wi-Fi standalone or mesh router, as described in my Jan. 11 article. (See Figure 2.)

An ISP gateway and a Wi-Fi router can act like two different networks

Two different networks
Figure 2. Using two different routers can keep a compromised IoT device from infecting your computers. Illustrations by Golden Sikorka and Ohmega1982/Shutterstock

For Internet access, you or your company might use a gateway (a combination modem and router) provided by your ISP. But to get stronger Wi-Fi coverage, you might have added a mesh router with multiple nodes.

In that case, you can connect your IoT devices to the ISP gateway, which we’ll call Network #1. A gadget can connect to Network #1 using either an Ethernet cable or one of the two Wi-Fi frequencies: 2.4GHz and 5GHz.

Your more-valuable desktop PCs, laptops, tablets, etc., can be connected to the mesh router, which we’ll call Network #2. This way, the IoT devices cannot “see” the computers, and vice versa. There’s less chance that a hacker could compromise a “thing” and use the network to infect your computers.

When you need to communicate with an IoT device using an app on your phone, you’ll need to connect your phone to the appropriate router’s Wi-Fi signal (using either frequency). After you configure your gizmo, disconnect your phone from the router that the IoT devices are using.

I have a similar setup like this in my home. My smart TV, Chromecast 2020 streaming-media stick, and AV receiver are hard wired to an ISP gateway (Network #1) via in-wall Ethernet cables. My desktop PC, laptops, and tablets connect to a mesh router (Network #2) via Ethernet and Wi-Fi.

If a hacker somehow manages to enlist my TV’s CPU to attack my state’s power grid, at least the TV can’t also infect my PCs and laptops with ransomware, offers from Nigerian oil ministers, or heaven knows what else.What if you have only one Wi-Fi router?

Many people have only one Wi-Fi router — perhaps their ISP gateway. Alternatively, you might have a Wi-Fi router plus an ISP cable modem that features no extra Ethernet ports or Wi-Fi.

In that case, you can simulate two different networks on just one router by creating a “guest” network or a virtual LAN (VLAN). Those alternatives are the less-easy ways to separate your IoT devices and your computers. These methods require a few more steps, which I’ll cover in next week’s column.

Do you know a secret that we all should know? Tell me about it! I’ll keep your identity totally confidential or give you credit as you prefer. Send your story via the Public Defender tips page.
Questions or comments? Feedback on this article is always welcome in the AskWoody Lounge!

The PUBLIC DEFENDER column is Brian Livingston’s campaign to give you consumer protection from tech. If it’s irritating you, and it has an “on” switch, he’ll take the case! Brian is a successful dot-com entrepreneur, author or co-author of eleven Windows Secrets books, and author of the new book Muscular Portfolios. Get his free monthly newsletter.

Want to see more like this? Sign up for the Plus newsletter at AskWoody.com