Millions Of Hijacked “Smart” Devices Already Aiding Criminals, Research Finds

Image courtesy of Mr. Seb

Ever since “smart,” connected devices began to form the internet of things a few years back, some experts have warned that we could be facing a future where your toaster, washing machine, and TV become part of a sophisticated botnet used to attack others. Well, those experts say, the future is now.

The new threat report (PDF) from internet hosting and research firm Akamai reminds users, device designers, and network administrators alike that as the web of Things out there that can access the internet keeps growing, so does the potential for attack.

Millions of the connected devices being sold and brought online every day are poorly secured at best. We’ve covered it happening with everything from baby monitors to firearms in recent months.

Huge swaths of devices ship with well-publicized default passwords or no passwords at all on them, making it trivial for someone with bad intentions to access them remotely. That covers the entire gamut of appliances and gadgets, from coffeemakers to routers to thermostats to televisions, and anything in between.

And those, Akamai says, are exactly the problem. Anyone with the mind and technical ability to do so can use all those “smart” but-not-smart gadgets as a giant computing network to do, well, whatever nasty things they want.

“We would like to emphasize that this is not a new type of vulnerability or attack technique,” Akamai writes in the report, “but rather a weakness in many default configurations of Internet-connected devices, which is actively being exploited in mass scale attack campaigns against Akamai customers.”

“We’re entering a very interesting time when it comes to DDoS and other web attacks; ‘The Internet of Unpatchable Things’ so to speak,” Ory Segal, senior director of threat research at Akamai said.

“New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality,” Segal concluded.

This is not small-scale; Akamai concludes that at least two million devices have been involved in recent attacks, which aren’t just theoretical.

Earlier this fall, a record-breakingly huge denial-of-service (DDoS) attack was sent against security researcher Brian Krebs and his website. Later investigation proved that the botnet that took the site down largely used IoT devices still using their factory default passwords.

Krebs today also featured a new post explaining that networked, poorly-secured devices are also used by criminals to generate big proxies that hide their real location. A researcher investigating the issue told Krebs that he was able to track the various “honeypot” systems he set up as being traded and sold as available, malware-infested proxies in exchange for bitcoin.

“In a way, this feels like 1995-2000 with computers,” the researcher told Krebs. “Devices were getting online, antivirus wasn’t as prevalent, and people didn’t know an average person’s computer could be enslaved to do something else. The difference now is, the number of vendors and devices has proliferated, and there is an underground ecosystem with the expertise to fuzz, exploit, write the custom software. Plus, what one person does can be easily shared to a small group or to the whole world.”

Or for another example: hackers either steal or buy a whole big set of username and password data, from some hack or other (like, say, Yahoo). That data is valuable not because it can get you into the system it was stolen from, but instead because of the human tendency to reuse username and password combinations across several platforms.

But if you’ve got a list of 50 million usernames and passwords, testing them all against a whole host of other sites is going to take a lot of time — or a lot of parallel processing power. Your enterprising hacker wants access to a whole lot of computer that can send a whole bunch of probes at once.

In short: more internet, more things. More things, more access. More access, more motive and profit. And so the cycle continues.

The good news is, there may be something you can do. If you have any internet-connected devices in your home — including your router, TV, washing machine, or anything else — you may be able to change the default password for gaining access to it. If you can (google for the device model), you should.

Akamai Threat Research Team Identifies New Abuses of OpenSSH Vulnerability [Akamai, via the Wall Street Journal]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.