As more of us start using Internet of Things devices, researchers uncover the good and the bad.
First the good. The Ring Doorbell is a WiFi controlled doorbell that allows you to see video, record and talk to anyone at your door. The doorbell has a video camera and microphone in it and Ring provides a smart phone app that makes this all possible.
The doorbell connects to the Internet and your app via your home WiFi.
However, if you take the doorbell off the wall and push the button on the back, you can connect to the doorbell with, say, a laptop, and look at the config file – which contains the password to your WiFi, among other information – all unencrypted.
After being notified, Ring made changes to get the password out of the unencrypted config file and automatically pushed the new firmware to every single doorbell that is online – all within two weeks of being notified.
On the other side we have D-Link that makes a low cost web cam. Researchers extracted the firmware from the camera and discovered how the camera updates its firmware. They were then able to trick the camera into downloading new, infected malware because D-Link does not have any mechanism in place to make sure that rogue firmware does not get loaded. If you can find the camera on the Internet, you can trick it into loading any firmware that you desire. There is no fix for this yet.
Why compromising these devices is a problem is that if this device is on your home (or worse, your business) WiFi network and is under the control of hackers, then the hackers have free roam to any device on your network – your desktops, servers, routers, firewalls and every other device. Certainly, it is possible for hackers to use that device as a launching point to attack your network. And, since your $30 webcam doesn’t even have anti virus software, never mind sophisticated malware detection, the odds of the hacker being detected is almost zero.
Because of this, it is essential that you separate the IoT devices from the rest of your network. One option is a WiFi router that creates a separate guest WiFi that only allows a guest user access to the Internet and nothing else.
Another option is, if you are a cable Internet user, is to get a DSL connection in addition. Typically those run about $15 a month for residential users. You can connect all your IoT devices to the DSL and the rest of your stuff to your cable.
It does not appear that this is going to get better any time soon, so users need to figure out how to defend themselves. You can count on the fact that hackers are already trying to figure out how to compromise your IoT devices.
Information for this post came from Security Now Episode 543.