Devices in people’s homes and offices that are connected to the internet — things such as routers and cameras, rice makers and thermostats — could increasingly be taken over by hackers in the coming weeks and used to suppress free speech and commit crime.
Cybersecurity experts have been issuing the warning since last week, when a piece of software involved in a major cyber-attack was publicly released for anyone to tap.
Days earlier, hackers used this so-called “Mirai malware” to identify hundreds of thousands of home and office devices that had weak security. The hackers then stitched those devices into a network that sent a blizzard of messages to Brian Krebs, shutting down the popular website he runs to expose cyber-crimes.
Experts are describing the attack as a threat to free speech, and it underscores that there’s a quickly emerging dark side to the widely dubbed Internet of Things — everyday devices that are connected to the web or to each other.
Consumers are being urged to change the passwords on their web-connected devices, which in some homes can entail 15 or more objects ranging from Amazon Alexa to a Mr. Coffee brewing machine. In some cases, rebooting the devices will disable the malware. But like a virus, a fresh attack is likely to occur again.
Many of these household devices have little or no security shield.
“Five years ago, most people couldn’t easily access the security cameras in their own homes or use the internet to turn off lights throughout the house,” said Clifford Neuman, director of the Center for Computer Systems Security at the University of Southern California. “But now, these things are easy-to-use, mass-market devices, and hackers are using them as a steppingstone to launch attacks.”
The vulnerability is especially challenging because today’s modern household contains a growing number of internet-connected gadgets.
Hackers have existed since the advent of computers, but the Internet of Things is comparatively new. It began gaining broad public attention in 2008, when the number of web-connected devices surpassed the number of people on Earth.
Reliable figures are hard to come by. But analysts estimate that there are 23 billion such devices worldwide today — and that the figure could hit 50 billion in 2020.
The devices include home security cameras, routers, DVRs, doorbell and window lock systems, refrigerators, toasters, espresso machines, electronic picture frames, humidifiers, baby and pet monitors, motion detectors, lawnmowers, pet collars, night lights, aquarium monitors and a variety of toys.
“If I want my garage door to be accessible on my smartphone (in case my wife leaves it open by accident), I need to be willing to accept the risk of a criminal hacker taking it over,” said Lance Larson, assistant director of the graduate program in homeland security at San Diego State University.
Hackers are increasingly releasing malware such as Mirai onto the internet, where it searches for web-connected devices that have poor or nonexistent security measures. Once Mirai infects those machines, the hackers can combine them into a network, or botnet, that collectively sends a massive volume of traffic to a targeted website, disrupting or shutting it down. The technique is called a distributed denial of service, or DDoS.
In addition, hackers can use a DDoS to attempt to extort money from businesses and people, or to disrupt their sites for political reasons. The presidential campaigns of Hillary Clinton and Donald Trump have both been hit by this type of sabotage.
“Internet of Things devices, in general, are the perfect platform for attackers to issue DDoS attacks,” said Mordechai Guri, chief science officer for the cybersecurity startup Morphisec in Newton, Mass.
“Most of the time they remain idle, hence they can be easily abused for DDoS purposes. Secondly, (these) devices, due to their diversity and complexity, have almost no in-device security products installed (e.g., anti-virus). Consequentially, attackers can easily spread their malicious bot … without being detected for a long time.
“Third, they are prevalent, so botnets on (web-connected) devices in the future may consist of millions of bots to address. Finally, such an attack is difficult to mitigate … . Unlike ordinary PCs, removal of malware from Internet of Things devices is a challenging issue in itself.”
There’s yet another related threat, one that hasn’t been getting much attention. It involves profiling people.
“Anyone with access to a fully connected home can build a detailed profile about the occupants,” said Alfred Chung, senior product manager at Guidance Software in Pasadena, Calif.
“They can gather data about the time of day when the home is occupied, the number of people inside the home at various times, personal details like age, appearance and gender of those living in the home … . With connected appliances, they can even tell what food occupants store in their fridge.”
The nature of the problem was exposed by the attack on cybersecurity authority Krebs, an incident that caught the attention of Craig Spiezle, executive director of the Online Trust Alliance in Bellevue, Wash.
Referring to Krebs’ troubles, Spiezle said in a statement that it underscored the threat to the overall public: “In this increasingly complex world of connected devices, consumers cannot take it for granted that their devices remain safe, secure and private year after year.
“As people acquire more devices, the long term risks to their family and community rise exponentially.”