Children playing in a middle school gym in Indonesia; a man getting ready for bed in a Moscow apartment; an Australian family coming and going from their garage; and a woman feeding her cat in Japan.
All of these were live on the internet on Friday to anyone who knew the right address, through cameras with little or no security, whose owners probably don’t realize they’re broadcasting every second online.
The rise of the “internet of things” (IOT) — a vague term covering anything which connects to the internet that you usually wouldn’t expect to — has flooded households and businesses across the world with poorly secured devices easily accessible online, from webcams and printers to “smart” fridges and speakers.
Experts have been sounding the alarm for years, with little progress. So this month, Japan will take the radical step of hacking its own citizens to try to alert them to the risks posed by their internet-enabled devices.
Government hacking
Beginning on February 20, Japanese officials will start probing 200 million IP addresses linked to the country, sniffing out devices with poor or little security.
A law was passed last year to enable the mass hack, as part of security preparations ahead of the Tokyo 2020 Olympics.
According to the Ministry of Internal Affairs and Communications (MIAC), two-thirds of cyber attacks in Japan in 2016 targeted IOT devices. Officials fear some kind of IOT-related attack could be used to target or disrupt the Olympics.
As well as testing which servers have no security, the Japanese team will also test 100 common username and password combinations, such as “admin/admin” or “1234,” the MIAC said in a statement.
Michael Gazeley, director of Hong Kong-based security firm Network Box, warned that while the intentions of the test were good, it could potentially backfire on users, by creating an easy attack vector for hackers.
“The public at large is going to have to be extra vigilant,” he said. “How easy would it be to send someone (everyone) a phishing email, claiming to be from the government, saying, ‘Your IOT devices failed our testing, please click on this link to get updated,’ resulting in a huge number of successful hacks?”
Global issue
While Japan may be on higher alert than other countries due to the approaching Olympics, the problem its government is trying to tackle is a global one.
Research firm Gartner estimates there will be 20.4 billion IOT devices online by 2020, up from around 11 billion in 2018.
Everything from light bulbs to bird feeders increasingly has wireless connectivity, and many devices can be accessed from anywhere over the internet, because if we can’t turn on the lights five minutes before we arrive home, are we even living in the future?
However, many of these devices have little to no security, especially at the lower end of the price spectrum.
“The problem is that there is no monetary incentive for companies to invest in the cybersecurity measures needed to keep their products secure,” Bruce Schneier, a security expert and author of Click Here to Kill Everybody: Security and Survival in a Hyper-connected World, wrote for CNN last year.
“Consumers will buy products without proper security features, unaware that their information is vulnerable. And current liability laws make it hard to hold companies accountable for shoddy software security.”
Insecure devices pose a variety of threats. The most obvious, and perhaps most alarming, is privacy. Using Shodan, a search engine for IOT devices, CNN accessed a variety of camera feeds being broadcast online.
The Moscow apartment feed showed a man opening a fold-out couch and undressing to go to bed, seemingly unaware he could be watched through the camera across the room. At the house in Perth, the webcam server contained weeks’ worth of recordings, showing the family’s daily comings and goings.
At another IP address, which appeared to belong to a family home, CNN was able to access the internet router using a default username and password combination, seeing all the devices connected to it, as well as the Wi-Fi password.
Had anyone wanted to, they could have reset the router and locked everyone out, or attempted to brick the device by installing a faulty update. The owners would probably have never realized they were being attacked over the internet.
But the true risk of insecure IOT devices is not that they will be used to attack their owners, but rather that they will be co-opted for massive online attacks, as happened in 2016.
Network down
For years, hackers have used so-called “botnets” — collections of compromised devices — to send spam emails, steal data and carry out distributed denial of service (DDoS) attacks.
DDoS attacks are used to force websites offline by flooding them with traffic and overwhelming their servers with requests. Traditionally, DDoS botnets were made up of hundreds of compromised computers — the hackers would run scripts in the background to load a target website over and over without the device owner’s knowledge.
Building a large network of hacked computers can be difficult, however, as operating system, email and general user security improves. By comparison, IOT devices, with little to no security and owners who may not even realize what their devices are capable of doing, are the perfect target.
In late 2016, the Mirai botnet launched what was then the largest ever DDoS attack, using a network of some 600,000 hacked IOT devices. The attack succeeded in knocking large portions of the US internet offline, including Netflix and Twitter.
Schneier and others have warned of future attacks following this pattern, as IOT devices become more and more widespread, and called for legislation to force manufacturers to improve security.
With manufacturers and supply chains spread across the world, however, this may prove easier said than done. If anything, Gazeley said, some device makers appear to be headed in the opposite direction.
“More and more (devices) are being made with no way to update the firmware, and also no way to change the default account or password settings,” he said.
“The internet of things has fast become the vulnerability of everything. If there’s ever a choice between convenience and security, it’s usually convenience that wins; especially in the world of consumer electronics.”
