Last week’s internet meltdown proved that seemingly harmless devices that are connected to the internet, such as routers, cameras and printers, can be turned into powerful cyber weapons.
Three “denial of services” or DDoS attacks wreaked havoc on Friday, knocking popular websites offline, including Twitter, Spotify, Amazon and Reddit.
And it’s feasible one of the cyber soldiers used in the attack could be sitting in your home — but you wouldn’t even know it.
Related: Who Shut Down the Internet on Friday?
Hackers Exploit Security Laziness
It appears at least part of the attacks came from Mirai, a type of malware that looks for connected devices using factory default usernames and passwords, according to experts. Those devices were then part of a botnet, which is sort of like a cyber army that was used to flood its target with junk traffic so it can’t function.
“Manufacturers often deploy these devices without concern for various types of tampering, nor are they aware tampering is plausible,” Robert Siciliano, CEO of IDTheftSecurity.com told NBC News. “We definitely have a lot of work to do. Any device that has an IP address is vulnerable to tampering.”
Gartner estimates there are 6.4 billion connected “things” in use this year and predicts the smart home ecosystem will only continue to grow, with as many as 20.8 billion devices online by 2020.
That means manufacturers and consumers are going to need to take smart home security more seriously, Jason Haddix, head of trust and security at Bugcrowd, a bug bounty company, told NBC News.
Related: A Behind-the-Scenes Look at Hackers Who Get Paid to Find Bugs
“Security is definitely a supreme afterthought -,” Haddix said. “These manufacturers have been rushing to put out software updates. Security was never thought of as a thing because these were just a part of your local network. Now, security is baked on or nonexistent.”
Don’t Use a Default Password
Haddix and Siciliano both say the first thing consumers can do now is to make sure they’re not using the default manufacturer’s password. This is the exact thing that made it easy for Mirai to compromise so many connected devices.
That rule goes for everything from wearables to your home security camera and smart speakers.
“The devices generally come with admin as the actual username and password as the password,” Siciliano said. “You want to change that up to something that isn’t a known.”
Look for Software Updates
Make sure to download any new software and firmware updates when you receive a legitimate prompt for your connected device. These may not only improve function, but may also includes patches for any security vulnerabilities that have been discovered since you purchased the item.
Siciliano said he relies on a Google search before setting up a new device, telling NBC News, “It’s always a good idea to seek out the name of the device and search the term ‘firmware update and or software update’ and also the term ‘vulnerabilities.”
This will allow you to make sure you haven’t missed any news from the manufacturer, while also letting you know if researchers and hackers are discussing any issues online.
Research Before You Buy…Or Before You Take It Out of the Box
“With the marketplace getting larger — whether it’s a camera or a DVR, do some quick Google searching around the brand and see if it has a track record for doing security right.” Haddis said.
If it says they’ve had some security issues but have worked fast to communicate with customers and quickly issue a patch, then that shows the company is on top of their security, he said.
Siciliano said it’s possible your new smart device could even come to you with a flaw, right out of the box.
“That means in the manufacturing process, they may have had a flaw the manufacturer was unaware of. These flaws general revolve around the firmware or the software,” he said. “When this occurs, these unknown or potentially known vulnerabilities can allow a hacker to essentially access the device and whatever the device is connected to.”
Keep the Packaging
Siciliano said he even goes so far as to keep the packaging from his devices.
“Those labels that come on the packaging can be very helpful,” he said. “Plus you don’t want anybody pulling those boxes out of the trash and knowing what you have. Destroy them.”