Cybersecurity Blog

Password reuse results in missile alert terrifying a family – 01/24/19

A Florida family was terrorized by a notification from their Nest security camera alerting them to a missile launch by North Korea. Interestingly enough, until they heard the alert, the family didn’t even know the camera had speakers.

Although the traumatized mom blames Nest for not notifying its users of a data breach, it wasn’t Nest that was breached. The data breach occurred elsewhere. Because the family reuses passwords, once one of their accounts was exposed, all of their accounts were left vulnerable.

Although it certainly would have been a nice bit of customer service for Nest to notify their account holders that they should change their passwords if they reuse them, it is not their legal responsibility as they were not hacked. The responsibility for notification lies with the breached account provider.  The family didn’t say whether that notification was received.

Regardless of whether Nest should have notified their users or not, this poor mother still had to watch her terrified nine-year-old son crawl under the carpet in a panicked attempt to protect himself from nuclear missiles. No mother should have to experience that.

How do you prevent your family from being traumatized by a prankster hacker?

  1. Be familiar with all the features of your camera before you buy it. Know if it has a microphone or speakers, connects to the internet, whether the default password can be changed, how the firmware is updated and where recorded video is stored.
  2. Change the default password as soon as you set up the camera. Use a unique, effective passphrase.
  3. Update the camera’s firmware as soon as it is installed and keep it up to date. If it has an automatic update feature, enable it.
  4. Disconnect the camera from the internet when you aren’t using it.

Taking these steps will greatly reduce the chances of your camera being hacked. These same steps can be taken to secure any IoT device.

Our world is rapidly changing, with technology creeping into all aspects of our lives. It is important that we change with it to ensure our families’ safety. That means we need to be aware of the risks associated with the devices that we bring into our homes and how to mitigate them. As this Florida family has learned, tech companies aren’t going to do this for us even if we are 114% certain that they should.

Your IoT devices are vulnerable even if you have a firewall – 01/08/19

If you have been reading this blog at all, you will have seen my plea to change your default password on any device that connects to the internet. Those of you who are more on the ball may have wondered why this is necessary if you have a firewall on your router. Won’t the firewall keep an intruder out? The answer is yes and no.

Let’s look at how an internet-connected device works, and then it will become clearer. What makes internet-connected devices, or IoT devices, so handy is that through the internet they connect to a server that provides extra functionality. This allows the IoT device to stay small and less expensive, as it doesn’t need a bunch of computing power. It uses the computing power of the server instead. This also allows you to benefit from the data sent by other people’s IoT devices.

All traffic in and out of your network goes through a router, which is protected by a firewall. The firewall blocks most malicious traffic, but it can’t stop everything. If it did, you wouldn’t be able to connect to the internet at all. The router acts like a mailman, making sure the data it receives gets sent to the right device. The first time data is sent, the router doesn’t know who the data is from or where it goes. It has to check the routing information on the data to figure this out. This can slow traffic down considerably if it has to be done every time data is transferred.

To speed the process up, the router remembers the routing information for certain types of data coming from certain types of devices. Once it is remembered, all data from that remembered device outside your network is delivered automatically to the remembered device inside your network. Hackers take advantage of this efficiency by impersonating a remembered device. In the case of an IoT device, the router thinks the data is coming from the IoT server, but it is really coming from the hacker’s computer. If this happens, the only thing protecting your IoT device and your network is the device’s password.

So, yes, your firewall will protect all your devices from an attacker trying to get into your network. However, no, it won’t protect you once an IoT device has communicated with its server. This is why it is so important to change the device’s default password and to make sure the new passwords are strong.
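
To make the "remembered device" idea concrete, here is a small Python model of the router's memory, added as an illustration (it is not code from any real router). It is a simplification: the addresses, ports, the `IDLE_TIMEOUT` value and every name in it are assumptions made up for the example, and a real router also rewrites ports and tracks more state.

```python
# Added illustration: toy model of a router's connection table (constructed values).
import hmac
from dataclasses import dataclass

IDLE_TIMEOUT = 120  # seconds an unused entry stays remembered (assumed value)

@dataclass(frozen=True)
class Packet:
    src: tuple          # (ip, port) written in the packet header
    dst: tuple          # (ip, port) written in the packet header
    true_origin: str    # who really sent it; the router never sees this

class Router:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}  # (remote_addr, public_port) -> [inside_addr, last_seen]

    def outbound(self, inside, remote, now):
        """A device inside talks first, so the router remembers the flow."""
        self.table[(remote, inside[1])] = [inside, now]

    def inbound(self, pkt, now):
        """Return the inside address the packet is delivered to, or None if dropped."""
        entry = self.table.get((pkt.src, pkt.dst[1]))
        if pkt.dst[0] != self.public_ip or entry is None:
            return None                      # unsolicited traffic: blocked
        if now - entry[1] > IDLE_TIMEOUT:
            del self.table[(pkt.src, pkt.dst[1])]
            return None                      # remembered flow has expired
        entry[1] = now
        return entry[0]                      # header matches: delivered

def device_login(supplied, configured):
    """Once a packet is delivered, the device's own password is the only check left."""
    return hmac.compare_digest(supplied.encode(), configured.encode())

def run_demo():
    camera, server = ("192.168.1.50", 40000), ("198.51.100.7", 443)
    public = ("203.0.113.10", 40000)
    r = Router(public[0])
    r.outbound(camera, server, now=0)
    return {
        "stranger": r.inbound(Packet(("192.0.2.99", 443), public, "stranger"), now=5),
        "server": r.inbound(Packet(server, public, "iot-server"), now=10),
        # The header claims to be the server; the lookup never consults true_origin.
        "impersonator": r.inbound(Packet(server, public, "someone-else"), now=20),
        "after_idle": r.inbound(Packet(server, public, "iot-server"), now=141),
        "default_pw_login": device_login("admin", "admin"),
        "changed_pw_login": device_login("admin", "correct horse battery staple"),
    }
```

The router delivers the "impersonator" packet exactly as it delivers the real server's reply, so the outcome is decided by `device_login`, which only fails when the default password has been replaced.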

You have 5 min to change the password on your IoT device before it is attacked – 12/17/18

Last month the company Netscout set up a honeypot to see how long it would take for an Internet-connected (IoT) device to be attacked once it was connected to the web. Hold on to your socks. It takes an astounding 5 min for hackers to try to log in to your device using a default password. That is all you have to change that default password, 5 min. Wait longer than that and they gain access.

Should you successfully get your password changed, you are not in the clear yet. Attack number two will happen in less than 24 hours. That is when criminals will try to use known vulnerabilities to hack into the device.  This gives you less than 24 hours to update its firmware/software and patch those vulnerabilities.

Why should you care if someone gets access to your IoT device? Once they have access, the hackers can make your device part of a botnet and use it to attack other organizations or companies by distributing malware or perpetrating a DDoS attack.

Should you get a cool IoT device for Christmas, whether it is a Google Home, Echo Dot, smart light bulbs or a smart thermostat, change the default password immediately and download and install any updates. Not only will you be protecting your device, but you will be making the Internet a safer place for everyone.
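
If a device or router keeps a login log, the same measurement the honeypot made can be repeated at home. The Python below is an added example, not Netscout's tooling; the log format, the addresses and the short list of default username/password pairs are constructed for illustration.

```python
# Added illustration: log format, addresses and credential pairs are constructed.
import re
from datetime import datetime

DEFAULT_PAIRS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}

SAMPLE_LOG = """\
2018-12-17T10:00:00 event=online
2018-12-17T10:02:10 event=login src=192.0.2.14 user=guest pass=Tr1cky! result=fail
2018-12-17T10:04:40 event=login src=198.51.100.23 user=admin pass=admin result=fail
2018-12-17T10:04:41 event=login src=198.51.100.23 user=root pass=root result=fail
2018-12-17T10:09:03 event=login src=203.0.113.77 user=admin pass=1234 result=fail
malformed line that the parser must skip
"""

LINE = re.compile(
    r"^(\S+) event=(online|login)"
    r"(?: src=(\S+) user=(\S+) pass=(\S+) result=(ok|fail))?$"
)

def analyze(log_text, default_pairs=DEFAULT_PAIRS):
    """Summarise default-credential login attempts seen after the device came online."""
    online = first = None
    sources, attempts, succeeded = set(), 0, False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # not in the expected format
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue                      # unparsable timestamp
        event, src, user, pw, result = m.group(2, 3, 4, 5, 6)
        if event == "online":
            online = online or ts         # keep the first time the device came online
        elif online and src and (user, pw) in default_pairs:
            attempts += 1
            sources.add(src)
            first = first or ts           # keep the earliest default-credential attempt
            succeeded = succeeded or result == "ok"
    delay = int((first - online).total_seconds()) if first else None
    return {"seconds_to_first_default_attempt": delay, "default_attempts": attempts,
            "distinct_sources": len(sources), "default_login_succeeded": succeeded}
```

A `default_login_succeeded` value of `True` means the device was still accepting its factory password when the attempt arrived.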

Buying tech this Christmas? Check out its creepy factor – 11/20/18

This year, there are tons of cool tech gadgets on the market, everything from teddy bears that connect to the internet to personal alarms. As neat as all of these devices are, some of them have the potential to leave the users feeling exposed and violated.

Thankfully, the good folks at Mozilla have put together a terrific website that examines the privacy risks of the hottest tech gifts. At Privacy Not Included you can find out what information a device collects, what is done with that data and what kind of security the device has. They also rate customer service. To make it extra fun, consumers can give each item a creepiness rating based on how comfortable they would be having that device in their home. Check it out.

The password to your internet connected device is on the web – 07/04/18

Have a thermostat, doorbell or baby monitor that connects to the internet? How about a router? Have you changed the default password that came with the device? No? Well, you might want to get right on that. Why? Well, the default passwords of most devices can be found on the internet. Yup, that is correct. You can do a simple search of the make and model of your device and in most cases get its default password.

This is very handy when you are setting up your device for the first time or you have to perform a factory reset. It is also very handy for hackers who count on consumers leaving the default password as is. Once criminals have the password, they can easily gain control of the device. Numerous instances of baby monitors scanning rooms on their own and devices being turned into bots for denial-of-service attacks have been documented.

This is just another gentle reminder to change your default password and keep the device firmware up to date on anything that connects to the internet. Want to learn more about internet connected devices? Check out this blog post.

Messaging stuffed animal a security risk – 06/11/18

CloudPets allows kids to send and receive messages through an adorable stuffed animal. Unfortunately, last year hundreds of thousands of kids using CloudPets had their data and voice messages exposed. You would think that after such an incident, the company would take measures to fix the vulnerabilities that allowed that to happen. However, researchers have found that over a year later, nothing has changed. The toys remain full of security flaws that can easily be exploited.

Fed up with the company’s clear lack of concern over its users’ privacy, Walmart, Target and Amazon have pulled the toys from their stores. If one of your loved ones has a CloudPet, I strongly recommend that you disconnect it from the Internet until the company addresses its security issues.