Thirty minutes. That’s the time it took a team of researchers from Ben-Gurion University in Israel to access security cameras, baby monitors, doorbells, thermostats, and other internet-of-things, not-so-smart devices. It didn’t require any special hacking techniques. Anyone can do it.
The only tools you need are at least one finger–a nose will work too–to type the brand and model of whatever device you want to hack, and a connected web browser. Put that information into a Google search box and, within a few minutes, you will find a site or a forum post somewhere describing how to get into that device using the manufacturer’s default administration user name and password. Any pedophile, thief, ex-spouse, or regular Peeping Tom can use this information to gain access to any of these devices installed in your home. A government or criminal organization can also use these user/password combos to control many devices at once, in order to mine data, spy, or launch global internet attacks.
The research was led by Yossi Oren, who is in charge of the Implementation Security and Side-Channel Attacks Lab at Cyber@BGU. With his colleagues, he analyzed 16 popular high- and low-end IoT devices, using different reverse-engineering techniques that show how easy it is to extract the default hard-coded passwords of any machine when you have physical access to it.
The team added those passwords to the list of codes in a laboratory version of Mirai–a famous botnet malware specifically created to enter and control hundreds of thousands of IoT devices for organized massive attacks. Then they demonstrated how easily you can infect devices of the same model at the same time.
The team also discovered that you don’t need to do all that hacking yourself: Hackers everywhere use the same processes on devices as soon as they hit the market, then share the password information publicly. Like those hackers, and within seconds, Oren and his team had full access to all of the devices’ hardware capabilities, so they “were able to play loud music through a baby monitor, turn off a thermostat, and turn on a camera remotely.”
Oren and his team give some recommendations if you really must use these types of devices: Buy them from reputable vendors (are there any? We don’t know. The research team doesn’t make any recommendations, and we know that even high-end hardware has security holes), don’t buy them secondhand because they may already have malware installed, install firmware updates that patch security holes, and, perhaps the most important one, change the default password. Unchanged default passwords are, in the end, the way these researchers were able to get into all these devices.
Which brings us to a very basic question: Couldn’t this all be solved with a simple user experience design change? If the main security hole in thousands of millions of devices is the fact that people leave the default user and password unchanged, couldn’t companies force buyers to set their own, making them create 16-character (or more) pass-phrases and full user names? It would only take one single screen at the beginning of the smart device’s setup process. People will not think this is weird. It’s just like when we create a user and a password the first time we turn on a new computer. Of course, changing the default user and password is not going to solve bad security architecture, like leaving backdoors open for remote administration or poor firewall design, but it will help with these more basic security breaches. It’s time companies took this kind of measure, even if they sacrifice convenience in the process. Short of that, we, as consumers, would be wise to consider this advice from the Ben-Gurion team: “Carefully consider the benefits and risks of connecting a device to the internet.” In other words: Don’t use this crap until all these companies fix it.
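Here is what the setup-screen rule proposed above looks like as device-side logic. This is an added example, not code from the Ben-Gurion research or from any vendor: the Device class, its method names, the sample factory credentials and the PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample factory credentials; a real product would list its own.
FACTORY_DEFAULTS = {("admin", "admin"), ("root", "12345"), ("user", "password")}
MIN_PASSPHRASE_LEN = 16   # the article's "16-character (or more)" suggestion
PBKDF2_ROUNDS = 600_000   # assumption: PBKDF2-HMAC-SHA256 work factor


def _kdf(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


class Device:
    """Hypothetical device: no usable login and no network services until set up."""

    def __init__(self):
        self.credential = None          # (username, salt, derived key) once set
        self.services_enabled = False   # camera, remote admin, etc. stay off

    def first_boot_setup(self, username: str, passphrase: str) -> list:
        """Handle the setup screen; return rejection reasons (empty means accepted)."""
        if self.credential is not None:
            return ["already set up; a factory reset is required to run setup again"]
        problems = []
        if not username or username.lower() in {u for u, _ in FACTORY_DEFAULTS}:
            problems.append("user name is empty or a well-known factory default")
        if len(passphrase) < MIN_PASSPHRASE_LEN:
            problems.append(f"passphrase is shorter than {MIN_PASSPHRASE_LEN} characters")
        if passphrase.lower() in {p for _, p in FACTORY_DEFAULTS}:
            problems.append("passphrase is a well-known factory default")
        if username and username.lower() in passphrase.lower():
            problems.append("passphrase contains the user name")
        if problems:
            return problems
        salt = os.urandom(16)
        self.credential = (username, salt, _kdf(passphrase, salt))
        self.services_enabled = True    # only now may the device go online
        return []

    def login(self, username: str, passphrase: str) -> bool:
        """Factory credentials never work: before setup there is nothing to match."""
        if self.credential is None:
            return False
        name, salt, key = self.credential
        name_ok = hmac.compare_digest(name.encode(), username.encode())
        key_ok = hmac.compare_digest(_kdf(passphrase, salt), key)
        return name_ok and key_ok
```

Because the device ships with no stored credential at all, a password list like the one the researchers extracted has nothing to match against, and a device left unconfigured never exposes its services to the network.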