The idea of interacting with our virtual doorbell through applications like Ring is naturally attractive. No longer stuck at home waiting for a delivery or a service tech, we can simply wait for the message to come through that somebody is on our doorstep.
But wait. Are you aware that the very same device and application you bought in order to make your life easier could actually be a way in for a digital attack on your home network that can then travel through to other smart endpoints? As well as your Wi-Fi router, DVR, computers and more?
Earlier this month, the Mirai and Bashlight botnet attacks flooded Dyn, one of the largest domain name service providers in the world, causing Internet outages affecting Twitter, Box, GitHub and more. The attacks happened so fast it was initially hard to keep up with the impact. In the U.S., given the media attention being paid to the upcoming Presidential election, the reporting around this largest Distributed Denial of Service (DDoS) attack was minimal - until Twitter was down.
But the loss of Twitter for politicians is nothing compared to what the real implications of DDoS attacks through the Internet of Things (IoT) may be in the near future.
While you bought Ring to secure your home, you may not have imagined that Ring could actually become one more vulnerability point for those virtual thieves who come into your home - and your digital life - to rob you of your identity, your bank account information, and more.
In an interview last week with CTO and COO of Corero Network Security, Dave Larson, I learned a lot about the "October Surprise" and how it is impacting and potentially dramatically limiting the potential of smart home invasions and more.
Given increasing data showing the DDoS attack was mounted by the Mirai botnet, which includes smart home Wi-Fi routers and IP video cameras that began sending massive numbers of requests to Dyn's DNS service after the code for the Mirai botnet was released publicly, Larson said "Awareness is key. Consumers and their service providers and the IoT ecosystem can all reduce risks by understanding how criminals are able to hack and attack our connected lives, and taking steps to protect ourselves as consumers and demanding that our Internet Service Providers also protect us in the event of another attack."
"Mirai malware looks for and commandeers connected consumer devices that are protected only with default passwords and user names," Larson explained. "Because there is so little awareness about the vulnerabilities associated with something like a simple WiFi router, automated thermostats, and doorbells or IP security cameras, consumers are setting these things up without changing the password. Since the defaults are the most always identical in mass produced devices, the attackers' code can easily take over these devices begin sending requests by the millions, flooding the internet within minutes."
So, when we meet at the intersection of IoT and RTC - are the risks magnified? Yes. When the attacks are able to get in through, let's say, your Ring doorbell, then travel to your personal computers. Because the IoT is relatively new, and because consumers largely have not been educated about the importance of securing their smart devices, not just their laptops, tablets and phones, it is, to quote Larson, "the Wild Wild West."
"It's frighteningly simple to attack the IoT compared to having to phish for human error in order to compromise a PC or phone," Larson said. "Sservice providers like Level 3, AT&T, Verizon, Time Warner, Century Link and more, here in the U.S., are paying attention because regardless of where a DDoS attack comes from, if they are not prepared their services will go down, and essential cloud based services for businesses, not just consumers, can be compromised."
We asked Larson what consumers can do to ensure their smart homes do not become part of these attacks, which then presents a threat to their lifeline real time communications including voice and other messaging services.
"It may sound overly simple," Larson said, "but change your user name when you install the device, and change the password. Common and default passwords are so easy to hack, and when your DVR is attacked, that one device can open up the spread of the attack to other systems including your computer where the attackers could steal bank account and credit card information, and more."
Larson also suggested that Internet Service Providers add real time mitigation technologies to their network management stack. "Real time security solutions enable ISPs to immediately sense and stop new attacks, including DDoS. And all these service providers can benefit from continuing to collaborate, sharing real time information and building standards while adopting the highest quality security solutions since internet traffic is constantly being shared through interconnection agreements."
Speaking of the political climate, we asked Larson what government agencies and other organizations should do to reduce and eliminate these criminal activities being launched on the Internet of Things?
"I am confident several government agencies are analyzing the Mirai and Bashlight attacks," Larson said. "It's now a matter of public safety security as well as economic security given the enormous and growing reliance on the internet to conduct business in the U.S. and around the world."
Many IoT innovations are truly fantastic, yet it is clear that while we continue to imagine and build our connected futures, our "smart" connected futures will need to include secure applications and services, so attacks against things and people, against IoT and RTC, are identified, managed and mitigated in real time and we are not left vulnerable to attacks that may have unwittingly been made possible through the "progress."