An unassuming, internet-connected toaster is sitting on a kitchen counter when it is assaulted, over and over, with “root” and “xc3511” login credentials. The toaster, however, isn’t real – it’s a honeypot living on a virtual server hosted by Amazon, tracking each attempt to hack it.
The experiment was set up by The Atlantic’s Andrew McGill, which saw the first attack just 41 minutes after going live, and more than 300 IP addresses tried to gain access by the end of the day – which works out to about 27 attacks per hour. The attacks were likely made automatically by Mirai, the malware that was at the heart of the mid-October distributed denial of service attack on Dyn, targeting DNS servers – the “phone book” of the internet translating text URLs to IP addresses – and slowing or blocking access to major websites including Paypal, Twitter, Spotify, Reddit, and Netflix. The open-source malware can be set to automatically scan the internet, specifically for Internet of Things devices, to hack. With estimates of 28 to 30 billion connected devices by 2020, the danger will only increase.
Before getting into what hackers could use exploited IoT devices for, it’s important to see how they were hacked. The October DDoS attack was the first major, widespread attack to utilize IoT devices, and many were webcams and CCTV cameras. The connection is the chip set used in the cameras, made by Chinese manufacturer Hangzhou Xiongmai Technology Co., or XM. These are sold to camera manufacturers. In the aftermath of the attack, the company is recalling millions of devices, but suspects only about 10,000 are vulnerable.
The cameras were made up to 2014. Those with firmware from 2015 and beyond should not be affected by Mirai. The recall only affects a fraction of the 17.6 billion devices currently in use, but consider only about 0.000026 percent of IoT devices were used in the October hack.
The problem, security analyst Brian Krebs noted, was that the password, “xc3511,” that all the XM devices use by default, is hardcoded into the firmware. Even if the user changes the password, the default password will still work.
Security analyst Ben Dickson wrote that “one of the fundamental problems with IoT security is that the developers often come from an unconnected background, such as embedded systems, which means they have the knowhow to provide functionality but aren’t versed in the principles to write secure code for connected environments.” He also noted that security is neglected in the face of costs and deadlines.
Much like the poor virtual toaster, that’s how some 460,000 IoT devices were used in the DDoS attack. But it wasn’t just cameras – devices ranging from thermostats to DVRs were used in the massive attack. It wasn’t the first attack using IoT cameras, either. In late September, about 150,000 cameras and digital recorders were used to attack OVH.com, French entrepreneur Octave Klaba’s website. He took to Twitter, noting that at one point, his site was hit with nearly 1 terabyte of information per second – at only a quarter of what was used against Dyn.
In 2013, it took a server just 44 minutes to scan every IP address on the internet. Now, Mirai users are only scanning IP addresses associated with IoT devices to create botnets for DDoS attacks – or other sinister deeds.
Stampado, a budget-friendly piece of ransomware at only $39, is being sold in the dark corners of the internet. The software locks files on a computer, giving the owner 96 hours to pay up. After the time limit is up, it deletes random files every 6 hours. For comparison, Locky, which shut down hospitals by locking out patient records, goes for about $3,000.
Imagine if a hacker, using cheap software, scanned the internet, found your IoT thermostat, turned the heat up to unbearable temperatures in the middle of summer, and demanded payment to unlock the device. Or worse, you are on vacation and the same scenario happens. Pay up, or be saddled with a high energy bill and melted personal items all over the house.
Not scary enough? Hackers have already proven they can remotely hack internet-enabled cars. What if the autopilot feature of a Tesla was hacked, the doors locked, and you are driven to the middle of the desert? While only 2 percent of cars were connected to the internet in 2012, and 10 percent the next year, Spanish company Telefonica estimated in 2013 that about 90 percent would be connected in 2020.
Hacking doesn’t happen in a vacuum. When exploits are found they are often closed. Tesla quickly closed an exploit after hackers released a how-to guide – probably preventing the above scenario from happening in the first place.
Meanwhile, Microsoft is adding Bitlocker and Secure Boot to Windows 10 IoT Core. The change is mostly aimed at DIYers and home hackers, with Windows 10 IoT offered as a bundle with a Raspberry Pi 2 microcomputer. Learning to code for the IoT can give you more control over your device, also increasing security. Securing your router will also turn away the vast majority of automated hacking attempts.
Finally, IBM is experimenting with blockchains to track important items. A current application is tracking where a diamond came from – suppliers can then deny the diamonds if they are from an area that uses forced labor to mine diamonds, or if the sales fund violence. This could be used by manufacturers to monitor where parts in devices come from, to identify potential weak spots in security – and prevent hacking even before the consumer buys the product. If a blockchain was in place, it could have been used to track the pre-2015 XM chipsets, to identify exactly which cameras they were used in, and aid the manufacturer in a recall. Or, a company could decide not to use the chipset, based on its point of origin. The technology is secure – it’s used to track bitcoins – and extremely hard to alter or delete information after it is added by a trusted source.
The IoT is growing fast, and security is trying to catch up. According to Maryville University, cyber attacks cost upwards of $400 billion each year. There is potential for great harm through ransomware, or even shutting down the internet for a wide swath of users. There are bound to be more attacks before security catches up – but securing your network will go a long way to protecting your toaster.