A few years back, a site that made extremely dubious white-hat claims about pointing out the dangers of not changing default passwords on IP cameras was corralling live streams, allowing strangers to spy on the feeds coming from baby monitors and security webcams in bedrooms, offices, shops, restaurants, bars, swimming pools and gymnasiums.
Reporters at the Daily Mail who watched footage said they viewed babies in cots, a schoolboy playing on his computer at home in North London, another boy asleep in bed, the inside of a Surrey vicar’s church changing room, an elderly woman relaxing in an armchair, and two men in a kitchen sharing a meal.
That’s old news, dating to 2014. Unfortunately, despite the regularly issued advice to change default passwords on these devices and calls for manufacturers to make them secure from the get-go, little has changed.
On Friday, the UK’s data watchdog – the Information Commissioner’s Office (ICO) – posted on its blog that we’re still seeing people and device makers commit the same mistakes: namely, people don’t secure these gadgets, and manufacturers aren’t incorporating adequate security into their products.
When Ars Technica contacted the ICO, it declined to name whatever sites it’s spotted offering these live streams.
But a spokeswoman told Ars that as it is, you don’t need an intermediary website to spy on people, given that you can directly connect to them. After all, they’re easily findable with search engines.
Ars quotes her:
With reports of many billions of IoT devices due to be connected by 2020, this is a problem that needs to be addressed now. We wouldn’t recommend any specific models but would advise consumers to follow our tips when purchasing and setting up an IoT device.
Even the most secure device can be subject to unauthorised access if the username and password was set to, or left as, admin.
Unsecured Internet of Things (IoT) devices pose more threats than just privacy invasion, noted the ICO’s Simon Rice, Group Manager for Technology.
Using connected gadgets that aren’t secured opens us up to the possibility that our private information is also susceptible to being exposed, he said.
A lack of security when it comes to IoT devices could mean that a search engine is used by criminals to locate vulnerable devices and then gain access to them or others on your home network.
An attacker could then use your equipment to mount attacks on others or take your personal data to commit identity fraud.
We know of one IoT gadget search engine in particular that keeps popping up in headlines: it’s called Shodan.
Shodan crawls its way around the internet, connecting to likely services, logging what comes back, and creating a searchable index of the results.
It’s bad enough that everyday objects – things like kettles, TVs and baby monitors – are getting connected to the internet with elementary security flaws still in place.
But the fact that they’re easily discovered via a search engine like Shodan makes the situation even worse.
We can’t hold consumers responsible for all of these unsecured connected devices. As it is, manufacturers could do more: they could, for example, ship devices with passwords that are unique to each device. They could also manufacture devices that require password changes upon installation.
The ICO spokeswoman said that manufacturers should “subject IoT devices to a robust security test before launch and for every subsequent firmware update.”
Ars quotes her:
They also need to commit to supporting devices for a reasonable length of time following launch and act quickly on reports of security vulnerabilities. They should also make the devices ‘secure by default’ and make the user interface intuitive.
Security should not be left up to the individual to configure the device through a difficult to navigate user interface.
The ICO’s Rice says that the office is, in fact, continuing to work with manufacturers on how to improve the situation.
That doesn’t let consumers off the hook, though, he said. If people don’t protect themselves and their families when using these devices, they might find personal files easily accessible through popular search engines, casual browsing or the efforts of determined attackers.
The ICO handed out these basic tips on how to be safer when using IoT devices:
- Research the most secure products before buying. For example, some mobile phones have never, and will never, receive security fixes.
- Secure your router with a strong password. Some routers don’t even use a password, while some rely on a default password that’s easy to guess. Here’s how to cook up a strong one.
- Secure the device by changing its default user name and password. The ICO notes that default credentials for many devices are freely available on the internet and can be located with ease. Again, choose a strong password, and make sure it’s unique. As it is, there are tools that automatically sniff out reused credentials, making it even easier to get into all the sites where you’ve reused the same password.
- Check manufacturers’ sites for known security vulnerabilities. Don’t leave vulnerabilities on the back burner: make sure to update the software in a timely manner.
- Don’t just plug and play. Instead, take the time to read the manual: there might be extra security and privacy options available.
- Use two-step authentication (2FA) whenever possible. 2FA isn’t infallible, but it’s damn good at keeping crooks out of your accounts, even if they pilfer your username and password.
Mahhn
What am I missing? Doesn’t every DSL/cable/FiOS have a firewall at each house, with the default rule of block all unless requested? This alone should make all internal IoT devices safe-ish. Do some ISPs hook people up as a LAN with no default protection? (like Comcast did in the early ’90s in neighborhoods)
Jim
I’m not sure. I sincerely doubt they’re securing them with unique passwords. How would they access their nodes?
I always put my own firewall just inside the ISP’s device(s). While ISPs certainly have better throughout-the-company security than I do, I would put my security up against individual user NODES on their network any day.
Bryan
Hah, I recall that even in the late 90s (midwest) under Comcast (née AT&T@Home, née Excite@Home). I put four VLANs on a 3Com switch–including an external one–and could connect a spare computer to, grab an extra public IP, and debug my firewall–OpenBSD, FTW–from the outside. Ah, the good ol’ days…
Agreed on safe-ish defaults, with one prevalent exception–if someone doesn’t bother with good security on their WiFi then IoT devices on it will be readily accessible…no one remembers the security of the wire while touting untethered wireless
Andrew
One of the key features of the Internet of Things is its integration with the cloud.
In my experience, once set up, these devices (WeMo, LifX, etc.) offer the ability to gain access to them from remote locations via the cloud. This then allows you to turn on your lights, heater, open the garage door, etc. from a remote location – very handy stuff…..except for the fact, if you can access it, it introduces the possibility of others doing the same…
So while the router may not allow you to directly connect to a device from a remote location, once you have a connection to the cloud, these restrictions are largely useless.
Paul Ducklin
+1.
Simply put, in many cases, if the IoT device can connect out to site X, then it’s theoretically listening for inbound traffic sent inwards on its outbound connection. (Once open, TCP connections are two-way, full-duplex, in-as-well-as-out links.)
Sadly, this is the same principle that most bots and zombie malware use :-( Call home. Fetch the next load of commands from the drop site. Firewall? What firewall?
Mahhn
Okay, so it’s the device making the initial outbound connection; cloud services and their sloppy connectivity are the issue. This would be a good spot for a tutorial on configuring a firewall to deny all outbound traffic from anything but one (or a couple) approved devices (PCs) and setting up that free VPN that Sophos has to access the one PC, which can control all the IoT devices. But I guess that would be expecting too much from people, especially ones that don’t change default passwords…. okay, back to blaming the device makers for not requiring people to change passwords as part of enabling/installing the devices.
Paul O'D
Firstly – Thanks Mahhn for re-raising the point of Firewalls being useful for providing a level of security for the likes of Webcams and such.
Paul Ducklin and Lisa Vaas – I love Sophos’ articles, but on this item, I think there is a really good opportunity for you to elaborate in your great “plain English way” as to how an individual’s Firewall can give some protection.
As I have yet to read an article (anywhere) on the dangers of remotely accessing webcams that explains (even in general terms) how to use your firewall to protect against it.
Maybe including how to check to see if your webcam is making outbound connections or listening for inbound traffic.
Keep up the good work.
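Mahhn’s suggestion of denying outbound traffic from everything but approved devices, and Paul O’D’s request for a way to check whether a webcam is phoning out, both come down to an egress allowlist on the home router. The script below is an added example, not code from the article, Sophos or any commenter: it reads iptables/nftables-style LOG lines from the router’s forward chain, flags any connection a restricted IoT device makes outside its allowlist, and emits the nftables forward-chain rules that would enforce the same policy. The device addresses, the vendor cloud ranges and the log lines are constructed placeholders.

```python
import ipaddress
import re

# Constructed iptables/nftables LOG lines from a home router's forward chain
# (documentation-range addresses, not real traffic; extra fields are omitted).
SAMPLE_LOG = """\
kernel: [FW-OUT] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP DPT=443
kernel: [FW-OUT] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 PROTO=TCP DPT=8080
kernel: [FW-OUT] IN=br0 OUT=eth0 SRC=192.168.1.51 DST=203.0.113.22 PROTO=UDP DPT=123
kernel: [FW-OUT] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 PROTO=TCP DPT=443
"""

# Assumed allowlist (placeholder addresses): each IoT device may only reach
# its vendor's cloud range on the expected protocol and port.
EGRESS_ALLOW = {
    "192.168.1.50": [("203.0.113.0/24", "TCP", 443)],  # webcam -> vendor cloud over HTTPS
    "192.168.1.51": [("203.0.113.0/24", "UDP", 123)],  # smart plug -> vendor NTP
}

# Real LOG output carries LEN=, TTL=, SPT= etc. between these fields; .*? skips them.
LOG_RE = re.compile(r"SRC=(\S+).*?DST=(\S+).*?PROTO=(\S+).*?DPT=(\d+)")


def is_allowed(src, dst, proto, dport):
    rules = EGRESS_ALLOW.get(src)
    if rules is None:
        return True  # a PC or other device we do not restrict
    dst_ip = ipaddress.ip_address(dst)
    return any(dst_ip in ipaddress.ip_network(net) and proto == p and dport == port
               for net, p, port in rules)


def unexpected_egress(log_text):
    """Return (src, dst, proto, dport) for every logged outbound connection
    from a restricted device that its allowlist does not cover."""
    hits = []
    for line in log_text.splitlines():
        if m := LOG_RE.search(line):
            src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
            if not is_allowed(src, dst, proto, dport):
                hits.append((src, dst, proto, dport))
    return hits


def nft_rules():
    """Forward-chain nftables rules enforcing the allowlist: accept each
    device's listed destinations, then drop anything else it sends out."""
    lines = []
    for src, rules in EGRESS_ALLOW.items():
        for net, proto, port in rules:
            lines.append(f"ip saddr {src} ip daddr {net} {proto.lower()} dport {port} accept")
        lines.append(f"ip saddr {src} drop")
    return lines
```

On the sample log only the webcam’s connection to 198.51.100.7:8080 is reported; the generated rules belong in the router’s `forward` chain ahead of any general accept rule.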