FEED Issue 12

63 FUTURE SHOCK IOT Security

n October 2016, the largest-ever internet denial-of-service attacks took place. The attack targeted systems operated by Domain

Name System provider Dyn and disrupted huge swathes of the internet in the US and Europe, including major websites and platforms like Amazon, Netflix and Twitter. The 2016 assault took the form of a distributed denial-of-service (DDOS) attack, launched from multiple IP addresses simultaneously. With the flood of traffic coming from multiple computers – sometimes hundreds or thousands – and exceeding a terabit per second, the victimised sites are unable to effectively defend themselves and are impossible to access, or go down altogether. The culprit was a botnet called Mirai. Mirai, however, wasn’t running on typical desktop computers. Its speciality is devices on the internet of things (IOT) – smart TVs, Wi-Fi access points, routers and IP cameras. Anyone involved in online streaming probably owns several of the devices on that list, and might even rely on those devices for their income. EMINENTLY HACKABLE Richard Stiennon is chief research analyst at IT-Harvest, an organisation he founded specifically to consult on IT security. He describes Mirai as ‘the very best example’. He adds: “It infected hundreds of thousands of CCTV cameras designed for monitoring children’s cribs and babies. Everyone was looking for Chinese or Russian causes or something like that.” But the real problem, he says, was simpler: “All those devices had default passwords.” It is now becoming possible for video equipment to be used in the same way. Cameras increasingly offer wireless links over 4G, 5G or Wi-Fi, proxy file upload, or full video-over-IP technology. There is currently no suggestion that any particular product might be insecure, but Stiennon betrays little confidence. “It’s a niche market, so there’s only going to be a hundred different cameras, each selling a few thousand copies. It won’t be a huge thing, but because it will

be so eminently hackable, the hackers will want to get into them.” Dhruv Mehrotra describes himself as a software developer who works on “increasingly political projects”, with an interest in security and network maintenance. Last year, he contributed data analysis to an investigation written by Kashmir Hill and Surya Mattu, and published on Gizmodo under the title “The House That Spied On Me” (bit. ly/HouseThatSpiedOnMe). Mehrotra’s analysis assessed data leakage from smart home devices. “It’s good to start with the assumption that by being on the network you’ve opened yourself up.” Something as simple as a control panel for the device’s settings might be a vector for attack. Often, control panels

are delivered as a web page, making the device a fully fledged web server, just as much as any other on the internet. “Even if it’s just serving up a web page,” Mehrotra continues, “via that, there’s password protection they could try to brute-force.” This means trying long lists of common passwords, an attack that can be mitigated by limiting the rate at which passwords can be tried. Sending data over a public network raises other concerns. Mehrotra again: “Cellphone networks are famously insecure. Using the cellphone network as a delivery vehicle for this content is a scary thing, especially if you’re in a country where the networks are operated by a government. I can tell you about our experience in Nicaragua where we operate a sort of DIY cellphone network. When there’s political instability the government wants us to stop access to Facebook, things like that.” SECURITY AND RIGHTS Exactly this sort of concern is key to organisations, such as Witness, which describes itself as “making it possible for anyone, anywhere to use video and technology to protect and defend

IT’S GOOD TO START WITH THE ASSUMPTION THAT BY BEING ON THE NETWORK YOU’VE OPENED YOURSELF UP

feedzine feed.zine feedmagazine.tv

Powered by