The Internet of Things grew bigger than most of us expected and it’s continuing to grow at a really fast pace. Too darn fast. Rapidly advancing technology is a geek’s wet dream, but something as pervasive as IoT, which has digital communication as its core philosophy, is missing one key ingredient – security. Every vendor has their own security framework; some are stringent while some are akin to a town crier who shouts out everything he hears. All vendors are quick to claim that their devices use encryption while communicating, but not many are willing to divulge any details. Given that the more energy-efficient IoT devices don’t have SoCs powerful enough to handle SHA-256 hashing, they resort to using weaker hashes like MD5. To reuse the previous analogy, this would be like the town crier who’d been gagged but allowed to write and display whatever he heard. MD5 hashes are so weak that you can look up their plain text counterparts on Google.
Towards mid-November, we saw the first ever massive IoT botnet take down an ISP and multiple popular services like Netflix and Twitter with relative ease. It gets worse. The Mirai botnet, like all massive botnets in the past decade, has started to evolve. It’s finding newer ways to infect devices which till now were assumed to be relatively safe. This is where the creepiness begins.
One month after Mirai had struck, I was casually browsing and started to notice my mouse cursor slowly creep to the left. These things tend to happen every now and then, I wasn’t using a mouse pad with my G502 and it never needed one. I let go and observed it for a while, hoping that I could catch a little twitch on the cable that might have triggered the ghost movement. Nothing. I forgot about the incident but a few days later, it happened again… There’s a little thing about paranoia – the magnitude of irrationality varies from person to person. I prefer the term ‘cautious’ but the moment my mouse started moving on its own again, paranoia kicked in. It didn’t take long to hunt down the source of the ghost movements (it was my cat) but I discovered something else during my little security audit. My router could be accessed from anywhere on the internet.
The momentary relief I experienced when I’d zeroed in on the cat as the culprit completely vapourised the second I saw my router pop up on Shodan. I’m not going to mention the make or model (obviously). But it’s a well-documented issue with a really popular brand. With even the most recent firmware not addressing the issue, there wasn’t much I could do to quickly remedy the situation. While it was really cool to screw around with my own router remotely, you soon realise how helpless you are. I now have DD-WRT running with an additional script that activates periodically to issue a kill command to the HTTPd service, so the issue’s taken care of.
The ease with which someone could locate an exploitable router, find the exploit description and command line parameters via forums, and then proceed to take control within hours can get anyone paranoid. Using Shodan, anyone can locate unprotected IP cameras and webcams and proceed to view the feed. We hear Mark Zuckerberg tapes over his webcams for the same reason.
Security is pivotal for anything connected to the Internet but the lax attitude with which companies treat it is heartbreaking. Security researchers have been talking about IoT for ages but not much in the form of a unified framework has come forth. Even the router issue had been flagged for over 4 months yet nothing was done to patch the same. It’s only when the issue reaches mountainous proportions that governments and companies take action. So with that, I hope doom unto you all. I hope your nudes get captured via unsecured webcams and released on the internets. I hope that industrial secrets get leaked thanks to easily exploitable backdoors in IP cameras. I hope this issue affects enough of you for the authorities to accelerate work on a unified security framework, especially for the banking sector. As we move towards going cashless, it’s a lot better if your privacy gets compromised rather than your life savings.
This article was first published in the January 2017 issue of Digit magazine.