With the government doing just about zero when it comes to protecting you from Internet of Things security hacks, this leaves the entire burden on you.
A hacker broke into two different GPS tracker apps – he hacked about 7,000 iTrack accounts and 20,000 ProTrack accounts.
In general, hacking into someone’s web account might cost them money or lock them out of their account.
But in this case, the problem is bigger.
The iTrack and ProTrack software plugs into your car’s diagnostic port and can control your car. As in turn off the engine as you drive down the road. Or disable the engines of hundreds of cars and cause a traffic nightmare.
In addition, the hacker can track the vehicle location as it travels around the country.
The good news is that the car is smarter than the hacker and it will not turn the engine off if you are going fast.
How did this genius hacker take over almost 20,000 vehicles?
The software for at least one of these products comes from China, and the vendor set the default password to 123456.
The software has an API, so the hacker brute-forced millions of user names like Joe, Sue, Mitch, Car, whatever. After he had a goodly bunch of user names, he wrote a script to try the default password against each one and voila, he was in. Once he was in, he was able to scrape whatever information the user had entered into the app, in addition to controlling the car.
So we have two guilty parties here. The software vendor ships a default password because it is easier for them.
But the device owners are guilty too. Why did they leave the default password in place?
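From the defender's side, the pattern described above (one source trying one password against a long list of account names, with some logins succeeding) is easy to spot in API authentication logs. The following is an added example, not code from the article or from either vendor; the log format, the IP addresses and the usernames are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API login log (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2019-04-24T10:00:01 203.0.113.5 joe FAIL
2019-04-24T10:00:02 203.0.113.5 sue OK
2019-04-24T10:00:03 203.0.113.5 mitch FAIL
2019-04-24T10:00:04 203.0.113.5 car OK
2019-04-24T10:00:05 203.0.113.5 alice FAIL
2019-04-24T10:00:06 203.0.113.5 bob OK
2019-04-24T10:00:07 203.0.113.5 carol FAIL
2019-04-24T10:00:08 203.0.113.5 dave FAIL
2019-04-24T10:00:09 203.0.113.5 erin FAIL
2019-04-24T10:00:10 203.0.113.5 frank OK
2019-04-24T10:05:00 198.51.100.7 sue FAIL
2019-04-24T10:05:30 198.51.100.7 sue OK
"""

def parse(log_text):
    """Turn each log line into (timestamp, ip, username, result)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def find_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that try logins for many distinct usernames inside one window.
    A default-password sweep over a harvested username list looks exactly like this:
    one source, roughly one attempt per account, many accounts, a few of them succeeding.
    A single user mistyping their own password (second IP below) is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_users:
                # Accounts that accepted the login are the ones to lock and rotate first.
                hits = sorted({u for _, u, r in in_window if r == "OK"})
                alerts[ip] = {"distinct_users": len(users), "compromised": hits}
                break
    return alerts
```

The accounts listed under "compromised" are the ones still on the default password and should be forced through a password reset.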
As we add more and more IoT devices to our lives, we add more and more vulnerabilities. In this case it is possible to disable your car, track where it is, steal some information and maybe spy on you, but the possibilities are unlimited.
We have already seen cases where exes who knew the passwords to their former spouse’s IoT devices would turn off the heat in the winter and turn off the AC in the summer.
There are web sites that serve up hacked webcams. A recent case involved a webcam in a kid’s bedroom (not sure that is great parenting). Of course the parents didn’t change the password. Someone in LA discovered this cam on the web site and managed to figure out that the camera was in Houston. Through some machinations, she was able to figure out whose camera it was, and they got the owner to unplug it.
Story after story, it is a mess. A real dumpster fire.
It is highly unlikely that the government is going to fix this.
This means that YOU are going to need to understand what these IoT devices do, how they work, how you can secure them and then protect yourself.
Alternatively, consider this. There was a story this week about a little kid who said that a bad guy was after her. Her parents didn’t believe her. Eventually, they heard voices coming out of the baby monitor. It turns out someone hacked the baby monitor and was watching the kid while viewing porn.
As gross as that is, it is only going to get worse unless we either unplug from the Internet (which is not likely) or get serious about security.
Source: Motherboard.