The Zombie Army of the Internet of Things

By Laura Haight

The cyberattack that took down Netflix, Twitter, PayPal and dozens of other major websites two weeks ago was a vanguard, not a fluke. Attacks carried out by “botnets,” an army of unwitting devices that have been hacked and utilized as pawns to take down a high-value target, are one of the most common forms of cyberattack.

Until this year, distributed denial of service (DDoS) attacks used infected computers. The targets are often large businesses or agencies. But the explosion of Internet-connected devices has fueled both a significant increase in attacks and the strength of the attacks.

Their goal is disruption: Sometimes they want to take down the cyber defenses of a large organization — often to knock out a competitor — and sometimes it’s just because they can or they want to learn if they can. Sometimes, as in last month’s very attack affecting services in two-thirds of the U.S., they’re just irritating. The world won’t come to an end because Twitter is down. At least, I don’t think so. But they could be crippling. What would happen if all Internet communications were down for a day?

Thinking bigger is possible today thanks to the internet of things (IoT), a potential zombie army of 10 to 12 billion devices that analysts suggest could grow to between 24 and 50 billion as early as 2020.

How do cyberterrorists conscript these zombies? By feeding malware into your internet-connected fridge, home security system, light switch, DVR and webcam. Sure, they look harmless, but in fact more than 185 million devices may be vulnerable or already compromised. Hackers are taking full advantage of the convergence of our desire to have new, cool “stuff” and our aversion to actually understanding how that stuff works.

Manufacturers know that we aren’t going to want a lot of work to set up and manage our new tech. So they hard-code logins and passwords, use easy setups via vulnerable functions like plug-and-play and don’t update their software much. In some cases, researchers believe, manufacturers are inexperienced with security and unaware of the risks their products may be prone to.

The problems are complicated by the fact that most of us at home — and even in small businesses — have little knowledge about how each piece of our tech connects to the others, or how they communicate internally and with the rest of the world, via Wi-Fi.

The risks of such vulnerable devices can hit much closer to home as well. Once a hacker can control a device, there’s no telling what they will choose to do with it. Ethical hackers have demonstrated they can hack door locks, take control of a Jeep Grand Cherokee and even change the settings on medical devices that deliver medication and are controlled by centralized web interfaces.

How can you protect yourself at home or at your business?

Check to see how exposed your network and your devices are. BullGuard, a security company based in the UK, has developed an IoT scanner that checks to see if your network or devices are publicly available on Shodan. (Shodan is to IoT devices as Google is to websites.) 

If a scan doesn’t find anything, that’s good, but not a guarantee. For most of us, the biggest vulnerability is the Wi-Fi router, the command-and-control of the network. The router’s role as gatekeeper is a bit disturbing since many of the top brands in the industry have serious vulnerabilities right out of the box. At the end of 2015, a security research firm hired by the Wall Street Journal tested 20 of the most popular routers on the market and found vulnerabilities in the majority, including outdated security software and unpatched vulnerabilities, some of which were as much as 10 years old. (Check yours here)

Small businesses operating on tight budgets often use residential routers rather than commercial models. The latter are more expensive, yes, but they also have much better security and management features that a business — especially one that takes credit cards or has sensitive information about clients or customers — should deploy.

Another serious risk is the use of default passwords. The vast majority of users never change the default login info on their routers, making it easy for any hacker to gain access to and control of your network and all connected devices. Do two things right now that will vastly improve your security. First, change the password on your router to a passphrase or strong 10-character password (you can write it down and stick it on the device, if you want, unless it’s a business). While you’re there, uncheck the box that says “Broadcast SSID.” The SSID is the network-friendly name. If you don’t broadcast it, hackers can’t see you. And for the most part, hackers can’t hack what they can’t see. For you, it’s a modest inconvenience requiring you to enter the network name to connect new devices. No biggie.

These are definitely important steps you can take for your overall security, but control is not completely in our hands. We are at the mercy of manufacturers as well. One security researcher strongly suggests not purchasing any IoT device that will not allow you to change the login and password. That’s probably a good idea, but also unrealistic. I say this: Weigh the advantage of the device against the risk of exposing your personal security or becoming a pawn in a cyberattack. Is your life made exponentially better by having a refrigerator that can tweet you when you’re running out of milk or an app that will check to see if the dryer load is finished?

The internet of things has vast potential. The internet of stupid things, however, is just another fridge ruining it for the rest of us.