Did your smart thermostat contribute to last week’s big cyberattack?
In the future, we will live and work in buildings where the heat, lighting, and appliances are controlled by smart, internet-connected devices that save energy and money and help the grid work more efficiently. Isn’t that great? It seems great.
But then, what to do with the news last week that a robo-mob of clever internet-enabled gadgets was hijacked and used to temporarily bring down many of the most popular websites in the United States? Could our smart thermostats go rogue and help take out the internet?
It doesn’t look like internet-connected energy-saving devices were affected by the cyberattack, experts say. So this attack is not a reason to avoid buying or using them. It is, though, a reminder to make sure all of your smart devices are protected by top-notch security.
Here’s what you need to know:
What was the deal with this attack?
The Internet of Things — or IoT, for short — consists of more than 6 billion devices connected to the internet: security cameras, Fitbits, learning thermostats, what have you. Last week, hackers used malware named Mirai to create a botnet gang of several hundred thousand of these gadgets and attack Dyn, one of a handful of companies that direct traffic across the internet. An estimated 1,200 websites, including Twitter, Reddit, and the New York Times, didn’t so much go down as become impossible to find, because Dyn was too flooded with meaningless requests from Mirai’s zombie bot army to help real humans get where they were trying to go.
Dyn weathered that attack (and the attack after that, and the attack after that attack), but the episode left a lot of people wondering just how great the Internet of Things is after all.
Here’s how Justine Bone, CEO of MedSec, which studies security in internet-enabled medical devices, described the IoT security challenge to me: When you have a bad chip in your high-tech toaster, there’s not too much that can go wrong. Maybe you get some bad toast out of it. Maybe it catches on fire. But when a whole series of badly designed devices are connected to the internet, that can make everyone miserable, not just toast eaters. “An army of toasters can cause trouble,” she said.
You’re sure my thermostat wasn’t involved?
Yes. Here’s how we know: Brian Krebs, a former reporter for the Washington Post who now runs his own site on computer security, became an involuntary expert in Mirai when someone used it to attack his site in September. Attacks like this are fairly common (they’re called distributed denial-of-service, or DDoS, attacks), but the size of the one on his site attracted some attention. Akamai, the company that keeps Krebs’ site running, claimed at the time that it was one of the largest botnet attacks in the history of the internet.
A few weeks after the attack on Krebs, the source code for Mirai was publicly released onto the internet, probably to confuse any law enforcement agencies trying to trace the program back to its source. The code revealed that Mirai works by constantly scanning the internet for IoT gadgets with usernames and passwords that are still set to the factory defaults. Mirai then uses those passwords to make itself administrator of the devices.
So here’s where your thermostat gets a pass. None of the passwords used by the Mirai code are for smart home energy-saving devices.
Craig Young, a security researcher with Tripwire, told Consumer Reports, “I would be confident in saying that most popular IoT devices have not been exposed to the Mirai threat — thermostats, fridges, name-brand cameras, smart outlets, and lighting.”
Thermostat company Nest, perhaps the most well-known maker of smart home energy-saving gadgets, believes none of its products were affected: “To our knowledge, no Nest device has been involved in any of the recent attacks,” it said in a statement.
So what devices were hijacked?
Last week’s attack primarily involved security cameras and digital video recorders being used for surveillance.
The hackers who write botnet software are looking for the low-hanging fruit — usernames and passwords that will let them unlock as many devices as possible. So they targeted products from a handful of companies that make low-cost electronics in high volume, and with terrible security features.
Most consumers who buy easily hackable devices aren’t thinking about internet security — in part because DDoS attacks and the like target public websites rather than individuals. “People just plug in these things and forget about them,” Krebs said when I called him to ask about the latest attack.
“People want to blame the Russians or something, but there’s lots of blame to go around,” Krebs continued. “This is a case of some companies wanting to own this market and dumping cheap hardware and flimsy software. The IoT storm has been a decade in the making, and now it’s happening. The longer we ignore it, the harder it is to fix.”
Many of the insecure devices hijacked last week contain hardware manufactured by Chinese company XiongMai Technologies. When word got out about this, XiongMai announced that it had tightened its security standards and was recalling millions of cameras — even as it threatened legal action against media outlets that it said were issuing “false statements” about the company.
How can I make sure my smart gadgets are protected going forward?
Figuring out how secure your devices are can be tricky, but it’s important — not just to make sure you don’t facilitate DDoS attacks, but to protect your personal data and ensure that you’re the one controlling the heating, lighting, etc., in your home.
A device with good security will require you to come up with a new username and password before you connect it to the internet. A device with not-so-great security will let you change the factory default username and password, but won’t make you do it. A device with terrible security will come with a factory-installed username and password that you can’t change, making it a sitting duck for any program crawling the web and looking for machines that can be turned into zombie minions.
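As an added illustration (not from the article or from any vendor’s firmware), here is how the “good security” tier above can be enforced in device software: the internet-facing service stays off until the owner has replaced the factory username and password, and the factory password can never be set again. The default credential and the 12-character minimum are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed factory default for this illustration only (hypothetical values).
FACTORY_DEFAULT = ("admin", "factory-default-password")
MIN_PASSWORD_LEN = 12  # assumed policy for the example


class DeviceAuth:
    """Credential store modelling the 'good security' tier: remote access stays
    disabled until the factory username and password are both replaced, and the
    factory password is never accepted as the new one."""

    def __init__(self, default_user: str, default_password: str):
        self._salt = secrets.token_bytes(16)
        self._default_user = default_user
        self._user = default_user
        self._pw_hash = self._hash(default_password)
        self._default_hash = self._pw_hash  # kept so reuse of the default is detectable
        self.credential_changed = False

    def _hash(self, password: str) -> bytes:
        # Salted PBKDF2 so the stored value is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def set_credential(self, user: str, password: str) -> bool:
        """Accept a new credential only if both parts differ from the factory default."""
        if user == self._default_user or len(password) < MIN_PASSWORD_LEN:
            return False
        new_hash = self._hash(password)
        if hmac.compare_digest(new_hash, self._default_hash):
            return False  # the factory password under a new username is still the factory password
        self._user, self._pw_hash, self.credential_changed = user, new_hash, True
        return True

    def login(self, user: str, password: str) -> bool:
        return user == self._user and hmac.compare_digest(self._hash(password), self._pw_hash)

    def remote_access_allowed(self) -> bool:
        """Gate for enabling the internet-facing service (e.g. remote management)."""
        return self.credential_changed


def onboard(device: DeviceAuth, new_user: str, new_password: str) -> dict:
    """Run one first-boot onboarding attempt and report what a default-credential probe would find."""
    changed = device.set_credential(new_user, new_password)
    return {
        "credential_changed": changed,
        "remote_access": device.remote_access_allowed(),
        "default_login_works": device.login(*FACTORY_DEFAULT),
    }
```

Before onboarding, the default works only for local setup and remote access is off; after a successful change, the default no longer logs in at all.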
If you’re going to connect something to the internet, go with a brand that emphasizes its attention to security. Companies that are trying to establish or maintain a reputation for security will be much more motivated to patch a security hole than companies that don’t mention security at all.
Smart thermostat makers Nest, Ecobee, and Tado have security information clearly posted on their websites. Nest goes even further; it’s owned by Google, which offers a reward to anyone who can find a security hole in the system. In contrast, thermostat manufacturer Trane, whose various past security holes are described in this blog post, does not highlight security on its website.
“At the end of the day, security is just a symptom of the quality of the product,” said Bone. “If a product is badly designed, that will flow through to mistakes in the underlying software.”
Going for a cheap, off-brand model is not a good idea. “Basically, you get what you pay for,” said Krebs.
What’s the solution to all this poor security?
As security expert Bruce Schneier put it after the attack on Krebs, “the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can’t get fixed on its own.”
The owners of the security cameras that are being used to attack the internet don’t know that their devices have been taken over. Meanwhile, the manufacturers are busy trying to sell new models, instead of patching up old ones. “There is no market solution,” Schneier concludes, “because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”
But neither Bone nor Krebs has faith that governments will effectively regulate the Internet of Things, especially given the hot mess that is international trade. More than anything, they think it will be the fear of losing customers that will motivate companies to tighten up their security.
So, do I even want to be a part of this Internet of Things?
Well, you’re reading this on the internet, so you’re already partway there. If you like gadgets, don’t be frightened off from buying smart devices as long as they’re from reputable and well-reviewed companies.
On the other hand, if you think gadgets are overrated, you can feel smug in knowing that there are plenty of low-tech ways to conserve energy.