- SBRC Ethical Hacker Peter looks at why smart technology might not always be the most secure.
The eerie sounds created by a Theremin are magic. Or at least, they were until Lev Sergeyevich Termen, its creator, realised that the sound was manipulated by the electromagnetic fields surrounding his hands as he waved them beside his strange invention, over 100 years ago in 1919.
Even more amazing, was the Theremins potential as a device for spying – it could detectthe emissions of nearby electronic components through solid matter.
From the Theremin came a long list of electronic instruments, and whilst the synthesiser would go on to become one of the “sounds of the future”, the Theremin had itself developed in more ways than one and had strolled down into a quiet life of being used to develop systems which could passively snoop on other devices.
And that’s where it begins
Stories of Soviet Agents parked in cars outside foreign governments, listening in with their Theremin-esque spying equipment and collecting information have circulated in the past. And, whilst all of this seemed science fiction in the 1960s, similar parallels can be found in the systems we use 60 years later in our modern world.
Nowadays the “agent” doesn’t even need to be physically near the building.
As you might have guessed, more creations and inventions have arisen since then. For example, the internet, inversely (as opposed to the Theremin) came around as a Military communications platform and then transformed into the most expansive network of devices we have ever seen – and it grows each day.
The ‘Internet of Things’
A significant portion of the internet as we know it nowadays is called the Internet of Things. Just like the seemingly humble Theremin 100 years ago, most of these simple and easy-to-use devices intended to help us in our everyday lives are manipulated through electromagnetic signals.
The Internet of Things (abbreviated as IoT), generally speaking, consists of any device or “Thing” with Internet connectivity. Moreover, the “Things” part has developed to include a broad collection of gadgets. Electronic components have been shrinking year after year and now you can find a chip capable of doing lots of different operations on a whole host of devices.
Take a look around your current environment. Let’s start with the basics, whatever device you may be reading this on, is very likely a part of the Internet of Things. Now look around, if you’re listening to music right now, is your speaker or are your headphones wireless? Do you drive a newer car? Can your phone or computer connect to it? Does your house have a smart-meter? Do you have funky-colour changing bulbs in your house? All these devices are connected to the Internet of Things. The list goes on and on, getting more bizarre with each addition. Household items from anywhere such as toothbrushes and children’s toys are now being hooked into the internet.
The downsides of endless connectivity
There are definitely benefits to connecting devices to the internet. There are everyday uses: you can turn the lights and heating on, shut the blinds and boil the kettle from the comfort of your car as you sit in the carpark before you go home from work. If you’re feeling ill, devices in the field of healthcare can feedback important health related information to your GP.
However, there are definite downsides. With so many devices going from the drawing-board to the marketplace and then into your hand or your home at a lightning pace, it’s often done so at the sacrifice of that device’s security. This is due to the associated costs of testing, as well as the difficulty associated with properly checking a device (and therefore the user), is safe from cyber-crime.
Exploits involving a simple flaw are responsible for some of the largest cyber-attacks, such as those conducted through the Mirai botnet (Mirai – Japanese for “Future”). Mirai was, and newer strands of the malware still are, notorious for freely and quickly infecting massive numbers of IoT devices with relative ease.
“But how?” You may ask…
Most of the IoT devices connected to the internet in 2016 (when Mirai conducted its first large attacks), were of the “plug-in and go” variety, i.e. the device was intended to be used straight out of the box. Whatever security configuration that existed had already been pre-configured – meaning very little user interaction from the victim/user.
The creators of Mirai knew this and were able to create a database prior to commencing an infection by loading Mirai with a large list of already known IoT device configurations. This list included the target IP range (therefore including subsequent valid address) as well as any associated commonly used ports and their default username and passwords. By targeting this range, then attempting connection on these ports with the default credentials, Mirai quickly established itself in millions of IoT devices.
Mirai’s method of dispersion meant once it infected one IoT device, it was possible to locate similar devices and branch out. Interestingly, Mirai also removed any other Malware it found on an infected system. There are two reasons for this: Mirai at this point was unknown to security systems, meaning if another strand of malware began executing its payload, it could be detected. The second was that the botnet worked most effectively when each of its components worked at full strength – whilst not falling prey to infection from other botnets.
Mirai grew so large and powerful that in 2016 it targeted OVH, a hosting tool for Minecraft servers that protected against DDOS attacks. Without this protection, these services could then be spammed with packets causing them to slow and shut down. When this occurred, the Malware’s authors posted the source code of the malware online, which allowed other cyber-criminals to launch their own Mirai infections, in an effort to anonymise the origin of the Botnet. Later that same year, Mirai was able to knock out internet services in the US East Coast and cause power outages. When the US Government discovered this, they seriously considered the possibility this was a full-scale cyber-attack from another country!
It is so easy to just buy, unbox and plug in a new device, you might stumble! It is therefore vitally important you take some precautions before hooking up your new internet enabled toilet and other devices(yes… they exist!).
Here are some things to consider:
- Buy from reputable brands! Make sure the device has a lot of good consumer reviews from legitimate sites.
- Go into your devices and turn off audio recording/access to a camera in your privacy settings. Make the device ask you if it or if you, yourself are sure you want to use them.
- Change anything used for authentication, like a preset pin or password. Make it unique and memorable. You wouldn’t believe the number of times an attacker has tried 0-0-0-0 as their first guess at a pin!
- Bought your device and now its behaving in a weird way? Contact the manufacturer, they’ll help you get back online.
- Make sure to turn an IoT device off if you are not using it, it could still be open and connected to the internet!
- Read the instructions! Follow the setup guide that came with the device and if it gives you the option to change the default username and password… do it!
We’ve also put together this short explainer video on home IoT which you can easily share. Watch it here
SBRC’s ethical hacking team can provide a series of cyber led presentations as part of our Professional Cyber Services. Click here to find out more.