According to a recent article, cyber attacks against IoT devices are up... big time. Recently a client of one of our customers, with a professionally installed and supported smart-home automation system, began experiencing regular Internet outages before receiving an email from their ISP stating the following:
Subject: IMPORTANT INFORMATION FROM TIME WARNER CABLE
Time Warner Cable has been notified of a security-related issue with your Internet service.
We have been advised by a trusted source that a number of our customers are using network devices that have recently been exploited by malicious parties to engage in attacks on major Internet entities. These attacks caused significant problems for a number of websites, including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times.
A network device connected to your Internet connection has been identified as having been exploited, and we are asking that you take urgent action to secure it and prevent further impact to the Internet. This security issue can interrupt or slow down your Internet service availability.
Devices commonly found to have been targeted include (but are not limited to) security and video surveillance equipment such as closed-circuit TV cameras and associated video devices.
The majority of these impacted devices include:
• Dahua Technology security camera equipment with a firmware version from 2014 or earlier
• Sierra Wireless AirLink devices
PLEASE TAKE ACTION TO SECURE YOUR DEVICE(S).
For Dahua Technology devices, the manufacturer recommends ensuring that you have an updated firmware (2015 or later) version. Then reset the password for the device and reboot it. Contact your vendor for assistance if needed.
For Sierra Wireless devices, please see https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-286-01 for information and instructions.
Please be advised that Time Warner Cable’s Acceptable Use Policies explicitly prohibit actions, whether intentional or unintentional, that disrupt TWC’s network. These policies are available on https://help.twcable.com/twc_misp_aup.html for your convenience.
Repeated events and/or complaints pertaining to this network abuse issue may result in an interruption of your service.
If you have any questions, please contact the Enterprise Risk Operations Center at 1-855-222-7342, Monday through Sunday, 8 AM – 11 PM (EST).
As scary as an email like this is to receive, it only tells half the story of what is going on. The ISP only knows of the compromised devices that have been used in an attack. The remaining threat to the end user is not from the devices identified by the ISP's "trusted source", but rather from all of the potentially hacked devices remaining on this network.
These devices will silently watch the network, gathering information on traffic and possibly spreading to other devices. Occasionally some of them may be activated to join in massive distributed denial of service (DDoS) attacks such as the ones identified in the letter. Or they may not; they may simply surveil the network traffic indefinitely, gathering data to be used at a later date and further entrenching their position on the network.
Pop Quiz: how do you identify a compromised appliance on a network, such as a TV, camera, refrigerator or printer?
Answer: you don't (unless it is activated in an attack)
So what kind of IoT "things" can be hacked on a smart network? Here is an incomplete list of devices that have been hacked in the past.
- tablets and phablets
- home computer locks
- the cloud (services, storage, software)
- ATMs at banks
- GPS devices
- Wi-Fi routers
- thumb and portable USB drives
- hotel and gym safes (they tend to use a single default passcode)
- cable box or DVR
- voice mail (especially those with a global call-in number that doesn’t lock out after successive failed attempts—we saw this with the News of the World scandal)
- power strips (can be infected with malware)
- power cords for your devices (code can be implanted)
- luggage trackers (such as the Trakdot)
- connected glasses (Google Glass, Oculus Rift); as of now, Google’s QR barcodes for Wi-Fi store the full access point name and password as plain text
- gaming consoles: PS3, Kinect, Nintendo
- refrigerators (such as Samsung)
- cars with computer operating systems
- smart pens (like the Livescribe)
- gesture control devices (such as the Leap)
- SD cards
- smart doorbells
- smart alarm clocks
- coffee makers
- key fobs
- light switches
- moisture sensors
- kitchen and pantry trackers (such as Egg Minder)
- insurance driving monitors, such as Progressive’s Snapshot device
- traffic lights (MIRT transmitters can change lights to green in two to three seconds)
- highway signs that spell out text
As you can see, the IoT threat is enormous and growing larger by the day. A typical router/firewall acts like the solid front door of your home: it only keeps the honest people out. Any burglar worth his or her salt will find and use an alternate entry point, which is why we all use monitored alarm systems to protect our homes. So how do you protect yourself?
Deploying a commercial grade intrusion detection/prevention (IDS/IPS) system such as the FIREFX Network Guardian with VLAN traffic separation will actively monitor traffic, shutting down and isolating malicious traffic as soon as it is identified. The Network Guardian updates threat profiles twice daily to help protect your network and devices against emerging threats and zero-day hacks. It acts as the digital equivalent of your home security system and service.
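To make the "only detectable once it is activated" point concrete, here is an added example (not code from the original post or from the FIREFX product) of the kind of per-device outbound check an IDS/IPS on an isolated IoT VLAN runs: a healthy appliance talks to one vendor cloud host, while a device that starts spraying tiny connections to dozens of external hosts on telnet is either hunting for other devices or joining a flood. The flow records, addresses, VLAN range and thresholds are all constructed assumptions.

```python
# Added example, not part of the original post: flag IoT devices whose
# outbound traffic looks like probing or flood participation.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the home/IoT VLANs live in 192.168.0.0/16; anything else is "external".
LOCAL_NET = ip_network("192.168.0.0/16")

# Constructed flow records: (source IP, destination IP, destination port, bytes)
FLOWS = [
    # A camera that only uploads video to its vendor cloud: normal behaviour
    ("192.168.20.10", "203.0.113.5", 443, 52_000),
    ("192.168.20.10", "203.0.113.5", 443, 48_000),
]
# A DVR that suddenly opens short telnet and HTTP connections to 40 external hosts
FLOWS += [("192.168.20.11", f"198.51.100.{i}", 23, 120) for i in range(1, 41)]
FLOWS += [("192.168.20.11", f"198.51.100.{i}", 80, 150) for i in range(1, 41)]


def is_external(addr: str) -> bool:
    return ip_address(addr) not in LOCAL_NET


def profile_devices(flows):
    """Summarise each local device's outbound traffic to external hosts."""
    prof = defaultdict(lambda: {"dsts": set(), "ports": set(), "bytes": 0, "flows": 0})
    for src, dst, port, nbytes in flows:
        if not is_external(dst):
            continue  # VLAN-internal chatter is handled by the VLAN policy, not here
        p = prof[src]
        p["dsts"].add(dst)
        p["ports"].add(port)
        p["bytes"] += nbytes
        p["flows"] += 1
    return prof


def flag_devices(flows, max_dsts=10, watched_ports=(23, 2323), min_bytes_per_flow=200):
    """Return {device: [reasons]} for devices whose outbound traffic looks like
    scanning or flood participation rather than one-cloud appliance traffic."""
    findings = {}
    for dev, p in profile_devices(flows).items():
        reasons = []
        if len(p["dsts"]) > max_dsts:
            reasons.append(f"contacted {len(p['dsts'])} external hosts (limit {max_dsts})")
        hit_ports = p["ports"] & set(watched_ports)
        if hit_ports:
            reasons.append(f"outbound telnet to ports {sorted(hit_ports)}")
        if p["flows"] >= max_dsts and p["bytes"] / p["flows"] < min_bytes_per_flow:
            reasons.append("many tiny flows: probe/flood pattern, not a video upload")
        if reasons:
            findings[dev] = reasons
    return findings
```

A real IDS/IPS would feed this from NetFlow or a span port and would quarantine the flagged device on its VLAN rather than just report it.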
The only way to ensure your network is 100% safe is to disconnect from the Internet. The next best thing you can do is deploy a Network Guardian.