The Internet of More Things
Welcome to our second Cybersafe CISO Update, where we highlight interesting and emerging topics in the world of cybersecurity. Last month we talked about the Internet of Things (IoT): the collection of devices other than computers that are connected to the Internet. These include everything from cell phones to home surveillance systems to baby monitors. Following up on last month’s update, let’s talk about two cyber attacks involving the IoT.
In October 2016, tens of millions of IoT devices were weaponized and used to attack a major piece of Internet infrastructure
On the Internet, a function called DNS (Domain Name System) tells your browser how to find every site on the web. In October 2016, a company called Dyn, which provides DNS services for sites from Amazon to Zillow and many in between, was attacked by an unwitting army of millions of hijacked IoT devices. Over 75 major Internet sites were taken offline by the attack because users’ browsers couldn’t find them. The malware that infected these millions of devices, called Mirai, isn’t very sophisticated: all it does is take advantage of the fact that most IoT devices ship with default passwords that are published in the instruction manual, and most people never change them. Since the passwords were known, criminals could infect the devices with malware that put them under the attacker’s control. The attacker can then rent this collection of hijacked devices (called a botnet) to anyone who needs a malicious task done. The people who established the Mirai botnet have been caught, but the people who rented it for the Dyn attack are still unknown.
New attack demonstrated in security research labs
Old attacks are being recycled in new ways against more modern IoT devices, the Amazon Echo and Google Home. In the same way that attackers used to register names like “Goggle” in hopes that users would mistype “Google”, researchers have demonstrated that attackers can register voice applications for Echo and Home whose invocation phrases sound like legitimate commands. One method is to add the word “please” to the name of a real service. For example, an attacker could register an application with the voice command “Fidelity Please”, so when a user asks Echo or Home to “Go to Fidelity, please”, intending to ask politely to check their Fidelity account, they instead activate malware triggered by “Fidelity Please”. Similarly, researchers have found ways to embed Alexa and Home commands in recorded music, so that the devices can hear them but people can’t.
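The “Fidelity Please” trick above is easier to see in code. The following is an added example written for this update, not code from Amazon, Google or the researchers mentioned. It assumes a reviewer of a voice-application catalogue holds a list of trusted invocation names and a batch of newly registered names (both constructed here), and it uses Soundex as a rough stand-in for the way a speech recognizer confuses similar-sounding words. It flags three impersonation patterns: an exact duplicate, a trusted name padded with politeness words, and a sound-alike name.

```python
"""Flag voice-application invocation names that impersonate trusted ones.

Added example for this update; not code from any vendor or researcher.
Assumptions: the reviewer has a trusted-name list, and Soundex is an
adequate proxy for speech-recognizer confusion (a real system would use
the recognizer's own phonetic model).
"""
import re

# Words users add for politeness that a squatter can fold into a name.
POLITENESS_WORDS = {"please", "thanks", "thank", "you", "kindly"}

# Soundex consonant classes (vowels, h, w and y carry no digit).
_SOUNDEX_CODES = {}
for _letters, _digit in (("bfpv", "1"), ("cgjkqsxz", "2"), ("dt", "3"),
                         ("l", "4"), ("mn", "5"), ("r", "6")):
    for _ch in _letters:
        _SOUNDEX_CODES[_ch] = _digit


def normalize(name):
    """Lowercase a spoken name and split it into alphabetic words."""
    return re.findall(r"[a-z]+", name.lower())


def strip_politeness(words):
    """Drop politeness words so 'fidelity please' compares as 'fidelity'."""
    return [w for w in words if w not in POLITENESS_WORDS]


def soundex(word):
    """Classic American Soundex: first letter plus three digits."""
    word = word.lower()
    if not word:
        return ""
    out = word[0].upper()
    last = _SOUNDEX_CODES.get(word[0], "")
    for ch in word[1:]:
        if ch in "hw":          # h and w do not separate repeated codes
            continue
        digit = _SOUNDEX_CODES.get(ch, "")
        if digit and digit != last:
            out += digit
        last = digit            # a vowel resets, so 'tt' and 'tat' differ
    return (out + "000")[:4]


def phonetic_key(words):
    """Per-word Soundex tuple, so multi-word names compare word by word."""
    return tuple(soundex(w) for w in words)


def flag_invocation(candidate, trusted_names):
    """Return (reason, trusted_name) if candidate impersonates a trusted name.

    Returns None when the candidate looks unrelated to every trusted name.
    """
    cand = normalize(candidate)
    cand_core = strip_politeness(cand)
    for trusted in trusted_names:
        t_core = strip_politeness(normalize(trusted))
        if cand == t_core:
            return ("duplicate", trusted)
        if cand_core == t_core:
            return ("politeness-padding", trusted)
        if phonetic_key(cand_core) == phonetic_key(t_core):
            return ("sounds-alike", trusted)
    return None


def audit_catalogue(new_names, trusted_names):
    """Run flag_invocation over a batch; return [(name, reason, trusted)]."""
    findings = []
    for name in new_names:
        hit = flag_invocation(name, trusted_names)
        if hit is not None:
            findings.append((name, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    # Constructed sample data: a small trusted list and a batch of new names.
    trusted = ["Fidelity", "Google", "Capital One"]
    submitted = ["Fidelity Please", "Goggle", "Capitol One, please",
                 "Weather Report"]
    for name, reason, match in audit_catalogue(submitted, trusted):
        print(f"{name!r}: {reason} (impersonates {match!r})")
```

A store operator would run this at registration time and route anything flagged to a human reviewer; it is a screening aid, since Soundex misses some confusions (it is English-centric and ignores vowels) and will also flag some harmless names.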
What can you do?
There are two concrete steps to take. First, buy your technology from reputable vendors. They generally do a better job on cybersecurity than the fly-by-nights and will patch vulnerabilities as they become known. The extra cost is worth it. Second, check all your IoT devices and change their default passwords. It would be a shame if an attacker turned on the microphone on your smartwatch because your Bluetooth code was still 1234.