Have you any smart internet-connected IoT devices in your home?


If so, you may be an unwilling accomplice to the evildoers who are attempting to disrupt the internet.

Do you have one or more of the following Internet of Things (IoT) devices that you can access from outside the home, over the internet:

  • Security Cameras or Digital Video Recorders (DVRs)
  • Baby monitor
  • Smart sockets
  • Smart light bulbs
  • Smart Thermostat
  • Energy usage monitor
  • Smart fridge
  • Media Server

All of these IoT devices should have a password on them to secure them from unwanted access. However, if you have not changed the default password, or the device has a hard-coded password (which cannot be changed), then it is a trivial matter for the bad guys, who have tools that are constantly scanning the internet for such IoT devices, to find and take control of your device(s) without you even realising it.

They mainly do this to make use of its connected capabilities, though there have been other disturbing stories (more on this later). Just last week a new record was set for the biggest Distributed Denial of Service (DDoS) attack:

Octave Klaba, the founder and CTO of French hosting company OVH, sounded the alarm on Twitter on the 22nd September when his company was hit with two concurrent DDoS attacks whose combined bandwidth reached almost 1 terabit per second. One of the two attacks peaked at 799 gigabits per second alone, making it the largest ever reported.

According to Klaba, the attack targeted Minecraft servers hosted on OVH’s network, and the source of the junk traffic was a botnet made up of 145,607 hacked digital video recorders and IP cameras.

With the ability to generate traffic of between 1 megabit per second and 30 megabits per second from every single device, this botnet is able to launch DDoS attacks that exceed 1.5 terabits per second, Klaba warned.

Let’s put that figure of 1 terabit per second into perspective. If you are an eir or Vodafone Broadband customer, you will have a package that can be up to 70 or 100 megabits per second. If you are a Virgin Media customer, you will have a package that would be up to 240 or 360 megabits per second. So these are megabits.

A gigabit is 1 thousand megabits. A terabit is 1 MILLION megabits! That is a LOT of crap data to be throwing at some servers that are designed to handle a fraction of that.

And the source of this crap data … nearly 146,000 digital video recorders and IP cameras that have been taken control of by the criminals, probably because nobody changed the default password and the devices were left open to access from the internet. They were then instructed to constantly send gibberish data at specific servers that the evildoers wanted to disrupt.

As for the other, more disturbing stories, here is one about the parents of a 3-year-old boy discovering that some stranger had hacked into their baby monitor and was watching the night-vision video feed and talking to their child via the built-in speakers.

So the moral of the story is – put a password on every device that you have that connects to the internet in some way and disable/change any built-in accounts. If you take the Using the Internet Safely training from L2 Cyber Security Solutions, then you will see how easy it is to create unique and strong passwords for all sites and applications.