SAN FRANCISCO — Your router, home WiFi, refrigerator and webcams could be part of an international army of zombie attackers — without you even knowing it.
That bad news is that's not the plot of a B-grade Halloween movie: It’s the current state of security in the Internet of Things, and experts say there's only so much consumers can do to protect themselves.
The danger was exposed Friday when an attack on Dyn, a New Hampshire-based company that monitors and routes Internet traffic, shut down a significant portion of the Internet.
Dyn was hit with a large-scale distributed denial of service attack (DDoS), in which its servers were flooded with millions of fake requests for information, knocking them offline. The attack was launched by what's known as a "botnet" that used millions of enslaved devices to send those messages. It was the first major attack using Internet-connected devices, but won't be the last, say experts.
Connecting anything and everything to the Internet so it can be app-controlled is all the rage right now. But the security on most of those devices is abysmal, say experts. That's a problem as there are an estimated 6.4 billion Internet connected devices in use worldwide today, according to Gartner.
First, protect the routers
The most crucial thing for home users is to reset the factory password that came with their regular or WiFi router, and turn off the option that allows the router to be managed over the Internet.
This isn’t optional, said Gunter Ollmann, chief security officer of Vectra Networks.
“A newly installed WiFi home router is likely to be compromised within a handful of weeks if the default passwords are not changed — or within a few hours if you live in a more densely populated metropolitan area,” he said.
If your home router or WiFi router is more than five years old, get a new one, suggests Wendi Whitmore, global lead for IBM Security Services.
For WiFi, users should not only change the factor-set password but also make sure that they've enabled a strong form of Wi-Fi encryption If you choose a good one — for example the often standard WPA2 — "you should be fine," said Ken Munro, a partner at security company Pen Test Partners.
Bluetooth wireless devices are actually relatively secure only because they can only interact with other devices over a very short range.
For the rest, we're on our own
Password protection will keep most botnets out, but many Internet of Things, or IoT, devices don't make it possible to add or change them.
When asked to come up with a list of vulnerable products, Ollman flat out said it was impossible. "For starters the list would include pretty much every internet connected consumer device by default," he said.
One of the most common devices used in last week's attack were close-circuit TV webcams, which typically are shipped with default passwords and which generally must be connected to the Internet to perform their function.
Chinese electronics firm Hangzhou Xiongmai Technology, whose webcams were a big part of the botnet, has since announced a recall of the circuit boards and components that go into its webcams, according to the BBC.
For those who need webcams to secure their home or business, Simon Puleo, who does security research for Micro Focus, suggests using major brands such as Nest or NetGear, because they "invest more in quality assurance and security because they have a large reputation at stake."
As for security problems with connected cars, while these have gotten a lot of press over the past few years the danger really is still largely theoretical.
“There have been a number of proof-of-concept attacks on car systems, but so far no significant attack has occurred. In reality, there are simply so many other devices out there for attackers to go after, there’s no great need to attack something as complex as a car’s systems,” said Geoff Webb, vice president or strategy at Micro Focus.
When in doubt, turn it off
As for thermostats, baby monitors, home alarm systems, pool heater, door cameras, and even a smart phone-connected pet feeding systems, the good news is that many use cloud connectivity, so they’re not so much of a threat. Again, higher-quality (and it must be said price-tag) items from major companies like Google are likely to be on the cloud and have good security.
The bad news is that it's not always simple for the user to know how secure they are before buying, and often even after that. Professor Shiu-Kai Chin, with Syracuse University's master of science in cybersecurity program, says consumers should think seriously about why they’d want to connect something to the Internet.
“Today’s ‘Wow! might turn into tomorrow’s ‘OMG!’ In systems engineering we always ask ourselves if something is essential versus 'nice to have.' Added features usually come with added vulnerabilities and risks,” he said.
That's the advice of the researchers who successfully hacked into a Samsung refrigerator last year at DefCon, a large computer security conference in Las Vegas. Samsung later patched the security hole, but many connected appliances remain unsecure.
Without a lot of technical expertise, sometimes the best advice is to simply not use the built-in connectivity, though Munro of Pen Test Partners acknowledges that at that point "you might as well just buy a non-IoT fridge.”
In the end, it may be up to regulators to insist that IoT device makers take security seriously, as companies don’t seem to be up to the task, said Jeremiah Grossman, chief of security strategy at SentinelOne.
“The market economic incentives are out of alignment, which is why regulation is needed," he said.