How hackers turn our printers, cameras and thermostats into sinister cyber army

In the fall, several large hacker attacks took place in which IoT devices were used. One of them is for Russian banks. The Daily Poster tells the story of other interesting hacks and explains how attackers harm people through light bulbs and refrigerators.
Internet of things attacks Russian banks
On Thursday, November 10, five large Russian banks were subjected to DDoS attacks – a large number of junk requests came to sites that loaded servers and made sites inaccessible. The attacks went to the Moscow Exchange, Alfa Bank, Sberbank, Otkritie Bank, VTB Bank and Rosbank. Almost all banks managed to cope with the load. Among the possible organizers of the attack was a hacker under the nickname vimproducts, whose customers were allegedly dissatisfied with Russia’s interference in the election of the US president. For a DDoS attack, vimproducts did not use computers, but a botnet of 24 thousand compromised IoT devices.

How hackers crack home devices

In general, the scheme is as follows: the program scans servers and looks for devices connected to the Internet by IP addresses: they can be home cameras, DVRs, printers, routers, thermostats. When they are detected, the system tries to guess the password. Since the owners of such devices rarely change the factory settings, the same username / password pair may remain on them. For example, the Mirai botnet software uses 68 of these pairs: root / pass, admin / 123456, or 666666/666666. When the script gains access to the device, it installs malicious software on it and connects it to the botnet.

How teens launched the most powerful cyber attack in history
The largest attacks are related to one story. In September, Brian Krebs, a security specialist and former journalist for The Washington Post, exposed the owners of the service for vDOS DDoS attacks: its source hacked the site, extracted the database and configuration files. Rummaging through the stolen data, Krebs discovered the alleged owners of vDOS who answered customer questions: Israeli citizens under the nicknames P1st a.k.a. P1st0 and AppleJ4ck. For two years they earned about 600 thousand dollars on DDoS attacks. On the same day, Israeli police arrested two 18-year-old young people (they were later released on bail).

Revealing Krebs was avenged. On the evening of September 20, a powerful DDoS attack started on the site where he published his investigation: 620-665 gigabits of traffic arrived in a second. For comparison: in 2013 the attack was called the most powerful at 300 gigabits per second, in 2014 – at 400 gigabits, and in 2016 – at 602 gigabits. The most interesting thing – the requests were not from computers, but from routers, cameras and DVRs. How many devices participated in the attack is unknown.

How fast can hack your device
The Atlantic Editor Andrew McGill decided to check how quickly hackers can get to a defenseless device. He rented a server on Amazon and made it look like a device with an Internet connection on the program side – in fact, the server simply registered all hacking attempts. McGill launched the server at 13.12, the first hack attempt took place at 13.53, the second at 14.07, the third at 14.10. During the day, they tried to hack the server about 300 times, each time the script tried to pick up a factory login-password pair (for example, root / root). That is, malicious scripts scan servers several times per hour, sometimes even once every few minutes.

How dangerous is it for us?

In 2016, there are about 6.4 billion IoT devices in the world. Approximately 515 thousand of them can be accessed using the usual enumeration of passwords. Thus, the creators of Insecam.com were able to broadcast from 73 thousand cameras around the world. The Mirai botnet, with which they staged the most powerful DDoS attack, could manage about 380 thousand devices (then their number dropped to 300 thousand). Another botnet called Bashlight theoretically uses up to a million devices. To start a chain reaction and control Philips Hue bulbs throughout Paris, a hacker would need about 15 thousand bulbs in the city. It is believed that in Paris there are already 15 thousand such bulbs. In the coming years, the Internet of Things market is expected to grow rapidly and reach 20.8 billion connected devices by 2020. Accordingly, the number of vulnerable gadgets will also increase.

Is it possible to protect yourself from hacking
The simplest thing is to change the factory password and reboot the device (after that, data from installed programs will be deleted from its memory). It is also recommended to regularly update firmware and install a WPA2 security certificate on the router (on older routers it may not be the default). Some devices can also be accessed via the SSH or Telnet protocol interfaces, for which separate factory passwords exist. Perhaps they should also be changed.