Industry News

The Hackers Inside Your Security Cam


Drew FitzGerald | Tuesday, March 21, 2017

The Wall Street Journal

While Bea Lowick's customers were busy folding clothes last year, the security system at her Carbondale, Colo., laundromat was also hard at work.

Though she didn't know it, Ms. Lowick's Digital ID View video recorder was scanning the internet for places to spread a strain of malicious software called Mirai, a computer virus that took root in more than 600,000 devices last year.

Ms. Lowick, 59 years old, said she wasn't aware the device was doing anything other than acting up. Her remote-viewing app kept disconnecting. She was able to reconnect it by restarting the digital video recorder.

"I would have to go in and unplug and plug in the DVR" to fix it, Ms. Lowick said, adding that she didn't know that unwanted software was to blame.

The culprit went unnoticed because Mirai usually doesn't take full control of its hosts but rather uses their computing power to attack websites, many of them halfway around the globe. Most victims aren't aware they are infected.

Researchers at two independent security firms confirmed a device using the laundromat's internet address hosted the virus.

Bill Knapp, who installed the laundromat's surveillance system, said he learned of the virus after being notified by a reporter.

"One of the hardest parts of this business is that everyone loses their passwords," said Mr. Knapp, owner of Security Solutions LLC. When Ms. Lowick forgot her password, he said, Digital ID View would reset the DVR to its default password, "123456" -- a weak but common option that opens the door to attackers. Compulan Center Inc., which does business as Digital ID View, said it was investigating the situation but didn't believe its product was responsible for the problem.

"Within nine seconds of turning on these things, they get hit," Steve McGregory, a researcher at security firm Ixia, said of machines that are poorly secured.

A wave of inexpensive webcams, thermostats and other internet-connected devices are hitting the market, many of them carrying minimal safeguards against remote hacking. Hundreds of thousands of these machines already host malicious software, unbeknownst to their owners.

As a result, the internet is constantly under attack, making websites harder to defend and raising costs for a wide range of businesses. The vulnerabilities are an open secret in security and technology circles, but there is no consensus on what to do about it. A handful of industry groups have agreed upon some basic principles to improve their products, such as automatic security updates, but compliance is voluntary.

The power of so many devices working in tandem became clear in October during an attack on Dynamic Network Services Inc., an internet-address service that helps run thousands of websites and is also known as Dyn. The assault made sites like Amazon.com Inc., PayPal Inc. and Twitter Inc. unavailable for hours.

The foot soldiers in that online campaign and many others weren't desktop computers but security cameras and everyday electronics connected to the internet. Each day, networks of infected devices hurl waves of junk data at dozens of websites in an effort to knock them offline.

Security researchers are constantly finding new flaws in connected devices. Some allow voyeurs to peer into internet-enabled cameras. Others give hackers a jumping-off point to infect computers where bank-account information and other sensitive data can be pilfered.

"The devices continue to function and that's mostly what the owners are concerned about," Ixia's Mr. McGregory said. "Who's responsible for it? There's a line of people that you could look at and say, 'You should probably do more.'"

The victims found in research from Ixia and from Qihoo 360 Technology Co. included an Altice SA customer in Brooklyn, N.Y., with a hacked video camera, and a Comcast Corp. customer in New Mexico who was part of a Mirai botnet found attacking at least three wireless operators in Liberia.

Denial-of-service attacks also leave collateral damage. Residents of Lappeenranta, Finland, learned that the hard way in November, when an attack on a British gambling website inadvertently knocked several digital thermostats offline, leaving many buildings without heat at the start of winter. The temperature controllers weren't the source of the attack but acted as relays, wreaking havoc on their owners' buildings in the process.

Jussi Rantanen, chief executive of Fidelix Oy, which automates building heat systems, said at least 40 devices in homes and businesses appeared to restart repeatedly during the assault. The problem could have been avoided if landlords had secured their connections, Mr. Rantanen said.

It took about an hour to fix the problem by finally disconnecting the thermostats from the internet, he said.

In the U.S., the Federal Trade Commission has tried to flex its muscles in court against some manufacturers. It sued hardware maker D-Link Systems Inc. in January, accusing it of falsely advertising that its machines were secure despite several vulnerabilities. D-Link denied the allegations in the case, which is still pending.

Netgear Inc., a router maker, issued a software patch in December after a researcher found vulnerabilities that could allow hackers to take over home networks. While some of its routers update automatically, making them more secure, that gives users less control over their networks.

"It's kind of balancing both these requirements," said Sandeep Harpalani, a Netgear project manager. "Do you force it on the customer or do you give them a choice?"

Broadband providers say their hands are tied because their customers choose what to plug into the internet.

"We do beat on vendors, but we don't have a lot of leverage," Comcast engineer Paul Ebersman said at Nanog, an industry conference, in February. "We could name and shame, and we have lots of lawyers, but so do they."

Susan Yarbrough, 63, a retiree who lives near Sparta, N.C., didn't know until recently that her home network had been infected. She said she mostly used her computer to see her grandchildren on Facebook.

Shortly after Christmas, a technician from her broadband provider called to ask if she owned a Netgear router. The technician received a list of infected IP addresses through the Department of Homeland Security. "Then I really got deer in the headlights," Ms. Yarbrough said. "It's scary to know that those things happen." ---

How to Secure

Your Smart Home

Spotting computer viruses is getting harder as threats spread from well-protected PCs and phones to cars and household appliances with fewer safeguards. Experts say it's hard for consumers to detect all viruses, but users can still follow a few low-tech steps to protect their homes.

Pull the Plug

Many computer viruses found on home routers, digital video recorders and cameras won't survive a hard reset. That is because the unwanted software lodges itself in the machine's temporary memory banks instead of its permanent storage. Powering off the machines if you suspect an infection can help clear the most basic malicious software.

Quarantine Before Curing

Malware can reinfect clean devices in seconds, so it is important to sever the machines' pathway to the internet before restoring power. You can still access the equipment's login screen over home Wi-Fi, but first you should disconnect your Wi-Fi from the internet to prevent instant reinfection. And many devices don't need to go back online to work. "Pretty much, if you don't need it or aren't using it, don't be afraid to turn it off, mute it or unplug it," says

Yolonda Smith, product manager for security firm Pwnie Express.

Fix the Password

Before restoring internet access, use the machine's control panel -- accessible over Wi-Fi from any nearby laptop or desktop -- to reset the password. Some of the most powerful computer worms spread by exploiting devices' default credentials, which can be "admin" and "12345." A unique username and password will protect the machine from many of the threats plaguing the internet.

Stay Up-to-Date

Most responsible manufacturers offer software patches once they're aware of a security vulnerability, but many companies leave it up to the user to take the initiative. If a company offers smartphone- or desktop-management software, download it and make sure automatic updates are enabled. Steer clear of any internet-ready device that isn't able to patch itself.

Batten Down the Hatches

Home routers usually ship with a preinstalled firewall -- an electronic barrier that filters unwanted internet traffic. But not all firewalls are of equal strength. Many homeowners can tweak their router or modem settings to apply stricter rules to suspicious internet traffic. If you're very worried, you can buy specialized firewall equipment, which has come down in price in recent years.

This article was licensed through Dow Jones Direct.

Share

Tagged in: industry news

Contact us

Learn how FIS can help you stay on top of industry trends and address your business challenges.

Contact us