‘Internet of Things’ security hack sparks webcam recall
Joined up thinking
The ‘Internet of Things’ fuses science fiction with fact, promising a joined-up world in which we can control our electronic appliances from afar. But it also seems we’re creating more opportunities for hardened hackers to launch attacks.
As a case in point, Chinese surveillance electronics firm Hangzhou Xiongmai Technology recently had to recall a batch of webcams after hackers exploited their security vulnerabilities, causing widespread outages across some high-profile websites.
The outages hit a variety of sites and services including Netflix, Spotify, Twitter, Airbnb and Reddit. Visitors found themselves confronted with loading screens or total outages after a ‘massive and sustained attack’ via video recorders, CCTV video cameras and other connected products, according to security researchers.
Looking for a way in
A sophisticated strain of malware – Mirai – was used in the attacks. It scans the internet for devices that haven’t changed their default passwords and usernames, before assuming control of the device and bombarding targets with junk traffic until they stop working. This army of infected devices – known as a botnet – attacked the servers of ubiquitous internet infrastructure provider Dyn which resulted in the outage.
It’s estimated that around 50,000 webcams were co-opted for the attack. The source code for the malicious software was posted on hacker site ‘Hackerforums’ last year, making it freely available for anyone looking to launch another similar attack.
Xiongmai denied suggestions that its webcams formed the bulk of devices used in the attacks, though it has promised to improve the way it uses passwords on its products and will send customers a software patch to harden devices against attack.
The attack exploited the fact that devices like cameras, DVRs and other gadgets are less secure – and so more vulnerable – than PCs, making them prime targets for hijack. Many of these devices are difficult to update and some are hard-coded which means they can’t be changed.
Recalls and updates may well be successful but there will be plenty of unpatched devices available for unscrupulous hackers to exploit. Standards are being implemented with a view to improving security but meanwhile there are millions of insecure devices already installed and working.
Time to review your internet security? Maybe!
Bank of Cardiff is the nation’s premier small-business direct lender. Bank of Cardiff offers direct funding to small business owners, making working capital loans, small business lines of credit, equipment financing & equipment leasing to all 50 states.