One of the things non-techies hate about tech is the complexity of setting some things up. The rise of IoT and the ubiquity of smartphones and home broadband have meant that our homes have more and more tech, and that tech is expected to talk to the cloud, and perhaps talk back.
Manually configuring this gear can be a bit tricky, so there’s a bunch of things making it easier. Your ISP may well provide a router, with default passwords. IP cameras will “phone home” to the manufacturer’s site to register themselves, so you don’t have to manually set up dynamic DNS. That router from your ISP will probably use UPnP so it can open ports for the camera and any other devices. Things like Nest or Hive bypass that by depending on a server in the cloud on someone else’s computer to make the connection.
All nice so far. Even better, these things are putting my favourite OS, Linux, out there. As Linux is free, powerful, and efficient on the low-power chips in these devices, it gets used a lot.
You’d think I’d be pleased.
But there’s a problem. Lots of these devices have poorly implemented security. Others depend on a hosted service, so if someone decides to stop supporting it, or indeed changes the API, you have an expensive paperweight.
The Mirai attacks first turned IP cameras into a huge botnet, and now malware has got its hands on routers: the very device you expect to secure your home network. And let’s not forget that if your IP camera (inside your firewall/router) is compromised, it could be used as a tool to attack your PC, and the router will happily help out by opening ports for it. Many cameras have poor web interfaces and hardcoded “root” passwords (I have one myself with a password of “123456”).
I realise I’m sounding a little like a Luddite here, or perhaps the techie complaining about tech doing stuff itself and therefore meaning people need fewer techies, but here’s the rub: the more of this stuff that gets out there, the bigger the attack surface, the bigger the gain, and the bigger the effect on everyone. So, a little advice:
1. Think if you really need that IoT device.
2. Change default passwords.
3. Consider tossing your ISP-supplied router. It’s probably shit anyway. Turn off UPnP, even if that means you have to get help opening and forwarding ports. There’s a fucking good reason a firewall closes ports, so why bypass that?
4. Consider not buying the very cheapest IP cam like mine 🙂
5. If you invest in cloud-connected devices, entertain the fact that you just lost control of them.
6. If there’s updated firmware, use it.
7. Linux does not mean secure. The kernel itself probably is, but a lot of embedded devices are poorly secured.