Last Friday (21st October 2016) millions of innocent people launched a massive attack on a key internet server. The cyber-attack on Dyn, also known as DynDNS, brought trouble to many major sites including Amazon, Twitter, Netflix and Spotify. Of course none of the people who helped were ever aware of their involvement. Simple devices they had purchased and allowed into their homes were now being used to cause mayhem. In the past they may have been used for blackmail or extortion, all the while happily performing the function they had been bought to provide.
Internet of Things
The rise of internet-enabled smart devices has created a huge security headache for the rest of the internet. These devices are normally just switched on and plugged in, with no concern given to how they work and who might be able to use them.
We expect security
This is simply because most people don’t know how they work, or care, or want to know. They assume, not unrealistically, that the manufacturer has a much better understanding of the technology, protocols, and threats, so are best placed to prevent them in the first place.
There is no security
Unfortunately this just doesn’t happen. While we all expect someone else to protect us, we also expect our devices to cost essentially nothing. The result is hardware that has not been, and never will be, secured.
Cheap devices are not secure
A lot of the devices used in this attack seem to have been digital video recorders and internet-connected video cameras of the type used in home security. The most interesting fact to arise so far is that most of the affected products were based around microchips made by one company. It is fairly common for a few key manufacturers to supply chipsets to multiple product makers, so that competing devices actually use the same guts inside. There can still be differences in implementation and software, so it’s not just a big scam in case you were worried. The chips made by XiongMai are very, very cheap, and if you want a home security system with a recorder and four cameras for sixty quid, then you can be assured the components are the cheapest available.
Anyone can access them
Because the devices are plugged in and forgotten, they will have the default password on them, so anyone can access the device, in principle.
Broadband firewall is useless
Of course your internet provider supplies a router, with a firewall, which they say keeps nasty things outside your network. So as long as you have your Virgin, or Sky, BT, or whatever firewall/router plugged in then everything will be fine? Nope. You see, this plug-it-in-and-it-works convenience extends to our security devices, which is just a bit mad.
Universal Plug and Play
There is a thing called UPnP, which stands for Universal Plug and Play. The idea behind it is that your firewall starts out blocking everything, but certain devices can ask it to open access for them, automatically. UPnP trusts everything inside your network without exception. The assumption is you won’t plug any untrustworthy equipment in.
The video camera you bought so you can watch your cat while in the office, the DVR that lets you tell it to record shows while you’re out, and the smart thermostat that allows you to turn on the heating on the train home all have to be able to talk to the outside world.
Security costs money
There are two ways to achieve this. The device can talk to a central server, and your office PC, or phone, talks to the same server, and it keeps things secure. The device in your home regularly asks the server if any new instructions have been given, and that way no connection into your home is ever needed. Alternatively, the connection can be direct from your phone to your smart fridge, and absolutely anyone in the world can now connect. Not having a server is cheaper, and so lots of devices are designed to use UPnP instead.
Anyone can watch
There are a few sites that list thousands of privately owned home security cams that are sending video out to anyone who wants to watch.
Turn off UPnP
Check your broadband router, and make sure that UPnP is turned off. I always turn it off by default. Anything that needs to see the internet still can, but the internet can’t talk back, which is much, much safer. If a remote connection is required then it could still be manually configured.
A quick Google will show you the default password for pretty much everything you own, so make sure you change the password on any devices you let into your home, if you can. Some cheap devices don’t let you, which is unforgivable.