An Internet of Treacherous Things
A zombie network of home routers highlights the importance of prioritizing smart appliance security.
Within five years there may be 50 billion smart devices in homes and offices.
Plenty of science-fiction stories feature ordinary household appliances staging a revolt. In an episode of Futurama, toasters and home robots rise up against their human oppressors. Two trends are now starting to make such scenarios seem less far-fetched.
One is the wave of Internet of things devices being developed for homes—on full display at the CES trade show last week. The other is the increased hacking of home networking gear—as demonstrated by a zombie horde of home network routers discovered recently.
Dozens of companies showed off Internet-connected devices and appliances at CES, from intelligent light bulbs to washing machines controlled by smartphone. Samsung went so far as to promise that all of its products would be Internet-connected by 2020 (see “CES 2015: The Internet of Just About Everything”).
Meanwhile, Brian Krebs, a security researcher and writer, revealed last week that hackers had built a network called Lizard Stressor that other people can use to take websites offline, either to create a nuisance or for criminal purposes. Networks of personal computers or servers being turned into “bots” are nothing new. What Krebs uncovered, however, is that Lizard Stressor relies on routers used in homes and commercial networks. Infected or compromised devices that are connected to a home network could be used for more nefarious ends. They could provide a starting point for breaking into personal computers, or be used to capture data passing over the home network, including passwords or credit card details.
The ease with which these routers were compromised is perhaps not surprising. It’s well documented that most home routers ship with easy-to-exploit software or with an administrative control panel that uses a default username and password such as “admin.”
Smart devices typically include similar networking features. And as more home appliances are computerized and connected to the Internet, hackers could turn their attention to these new targets.
Various factors contribute to the insecurity of home networking gear. Consumers typically don’t purchase equipment based on the security requirements used by IT professionals, such as a guarantee of operating system upgrades for a set period of time. Rather, low price drives buying habits, and features are unevenly included across cheaper hardware, even from major vendors.
There is also a tension between tightening security and making things convenient for users. Setting a unique account name and password for every router would be relatively trivial, as would requiring a physical step during authentication such as inserting a USB. But such security moves frustrate many users. And this leads them to make customer-support calls and return such devices to the store.
Even when devices are designed securely, open ports designed to allow legitimate communications with other computers can allow unintended remote access, and software may be out of date. In September, one firm said 1.2 million routers with a common protocol could be easily broached. In December, a bug patched in 2002 was found to still exist on 12 million home routers. A common method for ISPs to access customer routers also is a likely path of exploit for millions of devices.
Devices—even those released by major manufacturers—tend not to be upgraded for three reasons: manufacturers discontinue support to keep costs down; manufacturers go under or exit the business; and customers may be ill-equipped to handle the technical operation of upgrading firmware, which can involve downloading a patch, and uploading one via an administrative interface in a Web browser.
Hundreds of millions of home and small-office routers are already deployed worldwide. The number of Internet of things devices is estimated in the four billion to five billion range today and is expected to grow to 25 to 50 billion within five years. Such devices may have weaknesses similar to those found in home networking equipment, especially as companies rush to produce new products.
Some regulators do seem aware of the pitfalls, and appear keen to forestall the kind of vulnerabilities afflicting previous generations of embedded devices. The U.S. Federal Trade Commission’s chairwoman, Edith Ramirez, delivered an eight-page keynote address at CES detailing her agency’s concern about privacy, data collection, and security, putting Internet of things device manufacturers on notice. Perhaps this time, they’ll listen.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today