Is Your Baby Monitor Working for ISIS?!

Probably not, but reports on the recent DDoS attacks on Dyn say that the botnets employed in the attack were populated by hijacked Internet of Things devices.

I recently acquired a Thing of the Internet (too many instances of coming home to see I forgot to close my garage door) and I want to make sure it doesn’t fall for the persuasions of digital extremists.

How would I know if my connected device has been recruited? Is there a list of commonly exploited housewares? Are these devices vulnerable out of the box, or does it involve the user falling for some exploit?

If voices in Arabic start cooing out of the baby monitor, you probably should change the password.

Unfortunately, that’s difficult to know easily.

If there’s any sort of default password, change it. If there’s any sort of passwordless way to connect externally, block that method.

Do a search of the manufacturer/model, see if it’s a product known to be vulnerable (or if the manufacturer has a lot of security types about other products that are vulnerable, be suspicious even if yours is not specifically listed).

Your internet router may have methods to allow/block certain access to devices. If so, and if you know some specifics on the connection, this can help as well; for example, if you know the baby monitor connects on port 8073, then you might be able to limit connections to just that port, which can help to limit what attackers can do even if it’s compromised. Again, web searches may help if the device instructions don’t give details.

This is where I’d start. Just block the stupid things from being seen on the Internet. Perhaps there’s a setting on the device itself to limit to local net access only.

The simplest method is to find the IP address of the device and just block it from connecting out on the Internet. The big catch is that it probably is obtaining a dynamic IP address from the router. In which case you find the MAC address of the device via the router and assign a fixed IP address to the device. Then block it.

(You might be able to cut out a step or two if you can block outside connections via MAC address.)

Note that this means that you can’t access your baby monitor/security system/thermostat from the Internet. Good.

Changing the default password and such only stops the stupidest of port scanners. Waaay too many of these devices have trivial to bypass “security”. You need to keep these devices off the Internet at large completely.
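The two-step recipe in the posts above (pin the device to a fixed address by MAC, then block it at the router; optionally let through only the one port the device is known to use) written out as router configuration. This is an added example, not code from the thread. It assumes a Linux-based router running dnsmasq for DHCP and nftables for filtering; the MAC addresses, hostnames, LAN addresses and interface names (`br-lan`, `eth0`) are constructed placeholders, and the device inventory is a constructed one.

```python
"""Pin IoT devices to fixed LAN addresses and fence them off from the WAN.

Added example, not from the original thread.  Assumes a Linux router with
dnsmasq (DHCP) and nftables; all MACs, names, addresses and interface
names below are constructed placeholders.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed inventory: MAC address -> (hostname, fixed LAN address).
IOT_DEVICES = {
    "AA-BB-CC-DD-EE-01": ("garage-door", "192.168.1.201"),
    "aa:bb:cc:dd:ee:02": ("baby-monitor", "192.168.1.202"),
}


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:.. or AA-BB-.. (as routers print it) and return lower-case colon form."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def dnsmasq_static_leases(devices, lan_net="192.168.1.0/24") -> str:
    """dhcp-host= lines so each device always gets the same address, which the
    firewall rules can then name.  Refuses addresses outside the LAN subnet."""
    net = ipaddress.ip_network(lan_net)
    lines = []
    for mac, (name, ip) in devices.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} for {name} is outside {lan_net}")
        lines.append(f"dhcp-host={normalize_mac(mac)},{addr},{name}")
    return "\n".join(sorted(lines)) + "\n"


def nft_iot_fence(devices, lan_if="br-lan", wan_if="eth0",
                  allowed_tcp_ports=()) -> str:
    """nftables ruleset for the forward hook (LAN<->WAN traffic only; traffic
    between hosts on the same LAN segment is switched and never reaches it):
      - IoT hosts may open outbound TCP only to allowed_tcp_ports (if any);
      - every other packet from an IoT host towards the WAN is counted and dropped;
      - new inbound flows from the WAN to an IoT host (port forwards, UPnP
        mappings) are dropped; replies to allowed outbound flows still pass
        because they are not 'ct state new'."""
    ips = ", ".join(sorted((ip for _, ip in devices.values()),
                           key=ipaddress.ip_address))
    rules = []
    if allowed_tcp_ports:
        ports = ", ".join(str(p) for p in allowed_tcp_ports)
        rules.append(f'        iifname "{lan_if}" oifname "{wan_if}" '
                     f'ip saddr @iot_hosts tcp dport {{ {ports} }} accept')
    rules.append(f'        iifname "{lan_if}" oifname "{wan_if}" '
                 f'ip saddr @iot_hosts counter drop')
    rules.append(f'        iifname "{wan_if}" oifname "{lan_if}" '
                 f'ip daddr @iot_hosts ct state new counter drop')
    body = "\n".join(rules)
    return (
        "table inet iot_fence {\n"
        "    set iot_hosts {\n"
        "        type ipv4_addr\n"
        f"        elements = {{ {ips} }}\n"
        "    }\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy accept;\n"
        f"{body}\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    print(dnsmasq_static_leases(IOT_DEVICES))
    # Fully fenced off, as the post recommends:
    print(nft_iot_fence(IOT_DEVICES))
    # Or, per the earlier post, letting only the one known port out:
    print(nft_iot_fence(IOT_DEVICES, allowed_tcp_ports=(8073,)))
```

Append the `dhcp-host=` lines to the dnsmasq configuration and restart it (power-cycle the device so it takes the new lease), then load the ruleset with `nft -f`. `nft list table inet iot_fence` afterwards shows the drop counters climbing whenever the device tries to reach out, which is also a cheap way to see how chatty it is. As the post says, once this is in place the vendor app will no longer reach the device from outside the house; if the device's cloud service is genuinely wanted, the `allowed_tcp_ports` variant is the compromise, and it should be a port you have confirmed the device actually uses.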

The IoT devices that are being abused are devices that are intentionally designed to have a visible internet connection. Historically and mostly, that means modems and routers. Recently, it also means security cameras. Potentially, it means printers and, like you fear, IoT controllers.

The good news is that IoT controllers don’t yet have a reputation for, or a history of, DDoS abuse. The bad news is that to connect to it from the office, you probably have to go through the internet to your home modem/router/WiFi device. Some of those are so poor that the advice actually is “throw it away”…

Anyway, hardening your home network has to start with a good hard look at your directly connected internet devices: your phone, your 3G/4G modem, and your home modem/router.

In general, you should only have to worry about your router/firewall device. The only exception to this is any device where you have to program your firewall to “port forward” or pass through to that device.

The vast majority of devices “call home” to a central server; so the internal device initiates the conversation (hence no need to open the firewall inbound) and only initiates the conversation to the central server.

I suppose someone could somehow spoof the IP of the Nest central server or some other device and imposter its way in. But, that’s a much more complex route to take over.

The problem is that you should not allow any outside connections if you can help it, into your router or through to your internal devices. Some of these devices have built in back doors that they don’t tell you about (a lot fewer do today, I hope); plus, sometimes people leave ports forwarded and forget.

Part of the problem is that modern devices, with modern router/firewall devices, do that automatically.

I think that the security cameras which have just been withdrawn from the market used the UPnP protocol to do that. Probably recent home IoT controllers would try to do the same. And of course, any IoT controller that you can actually control from outside the home (as suggested by the OP), must have a path through the router, either automatically or not.
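A way to find out whether something on the LAN has quietly punched a hole through the router with UPnP, which the two posts above are worried about: ask the router's Internet Gateway Device service to list its port mappings, one index at a time, until it reports that the index is out of range. This is an added example, not code from the thread. The IoT address list and the SOAP responses it parses are constructed, and the control URL is a placeholder; on a real router the control URL comes from the device description XML it advertises over SSDP.

```python
"""Enumerate a router's UPnP IGD port mappings and flag the ones that
expose an IoT host.  Added example, not from the original thread.  The
control URL, the IoT address list and SAMPLE_RESPONSES are constructed.
"""
import textwrap
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"


def build_soap_request(index: int):
    """Headers and body for GetGenericPortMappingEntry(index)."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{ACTION} xmlns:u="{WANIP_SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        f'</u:{ACTION}></s:Body></s:Envelope>'
    )
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP_SERVICE}#{ACTION}"',
    }
    return headers, body.encode()


def fetch_mapping_xml(control_url: str, index: int) -> str:
    """POST one query to the router (network call; not exercised offline)."""
    headers, body = build_soap_request(index)
    req = urllib.request.Request(control_url, data=body, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.read().decode()   # SOAP faults arrive as HTTP 500 with a body


def parse_mapping(xml_text: str):
    """Return the New* fields as a dict, or None on a SOAP fault (UPnPError 713
    SpecifiedArrayIndexInvalid is how the router says 'no more entries')."""
    root = ET.fromstring(xml_text.strip())
    fields = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]      # strip the XML namespace
        if tag == "errorCode":
            return None
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields


def enumerate_mappings(get_xml, limit=256):
    """Walk indices 0.. until the first fault; get_xml(index) supplies the XML."""
    found = []
    for i in range(limit):
        m = parse_mapping(get_xml(i))
        if m is None:
            break
        found.append(m)
    return found


def audit(mappings, iot_hosts):
    """One finding string per enabled mapping that points at an IoT host."""
    findings = []
    for m in mappings:
        if m.get("Enabled") == "1" and m.get("InternalClient") in iot_hosts:
            findings.append(
                f'{m["Protocol"]} {m["ExternalPort"]} -> '
                f'{m["InternalClient"]}:{m["InternalPort"]} '
                f'({m.get("PortMappingDescription") or "no description"})')
    return findings


# Constructed responses: a camera mapping, an unrelated SSH mapping, then the
# out-of-range fault that ends enumeration.
SAMPLE_RESPONSES = [
    textwrap.dedent(f"""\
        <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
        <s:Body><u:{ACTION}Response xmlns:u="{WANIP_SERVICE}">
        <NewRemoteHost></NewRemoteHost><NewExternalPort>8073</NewExternalPort>
        <NewProtocol>TCP</NewProtocol><NewInternalPort>8073</NewInternalPort>
        <NewInternalClient>192.168.1.202</NewInternalClient><NewEnabled>1</NewEnabled>
        <NewPortMappingDescription>babycam</NewPortMappingDescription>
        <NewLeaseDuration>0</NewLeaseDuration>
        </u:{ACTION}Response></s:Body></s:Envelope>"""),
    textwrap.dedent(f"""\
        <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
        <s:Body><u:{ACTION}Response xmlns:u="{WANIP_SERVICE}">
        <NewRemoteHost></NewRemoteHost><NewExternalPort>2222</NewExternalPort>
        <NewProtocol>TCP</NewProtocol><NewInternalPort>22</NewInternalPort>
        <NewInternalClient>192.168.1.10</NewInternalClient><NewEnabled>1</NewEnabled>
        <NewPortMappingDescription>ssh</NewPortMappingDescription>
        <NewLeaseDuration>0</NewLeaseDuration>
        </u:{ACTION}Response></s:Body></s:Envelope>"""),
    textwrap.dedent("""\
        <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
        <s:Body><s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>
        <detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">
        <errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription>
        </UPnPError></detail></s:Fault></s:Body></s:Envelope>"""),
]


def demo():
    """Offline run over the constructed responses; on a real router use
    lambda i: fetch_mapping_xml("http://192.168.1.1:5000/ctl/IPConn", i)."""
    mappings = enumerate_mappings(lambda i: SAMPLE_RESPONSES[i])
    return audit(mappings, {"192.168.1.201", "192.168.1.202"})


if __name__ == "__main__":
    for line in demo():
        print("EXPOSED:", line)
```

The placeholder control URL in `demo()` is just that; the real one is whatever the router's device description lists for its `WANIPConnection` service. Any finding here is a hole the device opened without asking, and the fix is the one the post gives: turn off UPnP on the router (and keep the device fenced anyway, since the next firmware may try again).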

These were older versions of the DVRs and cameras produced in China (apparently mainly for Chinese businesses). News reports say the process used to hammer these so they were compromised used a form of repeated telnet attempts.

Maybe because they are security systems for businesses, they were directly connected to the internet; or had ports opened so cameras outside the local network could connect, or the owner could connect from home to check on his business.

Again, as much an insecure router problem as it is a too-smart-for-its-own-good device.

Slashdot and such have covered these Chinese DVR security holes for some time.

These are not just older ones but current ones. They make the boxes which are then sold under a wide variety of labels. The security holes are almost always quite simple. Connect via a certain port with a hardwired-in root password. The owner is not told about this nor can they change it if they find it. It is quite clear that these backdoors are very, very deliberate. They might have been hoping for security via obfuscation. But it doesn’t take much for someone to grab the firmware off one of these and start probing around. The purpose the Chinese might put such backdoors to use for is frightening.
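The telnet brute-forcing and the hardwired-password-on-a-certain-port that the last two posts describe both depend on the device answering on that port at all, so the practical check is to probe the device yourself, first from inside the LAN and then from outside (a phone on mobile data against your public address) to see whether the router is passing it through. Below is an added example of that probe, not code from the thread: the port list is a constructed default, the target host is a placeholder, and `demo()` stands up a fake telnet listener on 127.0.0.1 so the whole thing runs offline.

```python
"""Probe a device for telnet-style listeners and recognise telnet negotiation.

Added example, not from the original thread.  Target host and the default
port list are placeholders; demo() uses a local fake telnetd.
"""
import socket
import threading

IAC = 0xFF                      # telnet "Interpret As Command"
NEGOTIATE = (0xFB, 0xFC, 0xFD, 0xFE)   # WILL, WONT, DO, DONT


def probe(host: str, port: int, timeout: float = 1.5):
    """Return (open, banner).  Refusal, timeout or no route all count as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            return False, b""
        try:
            return True, s.recv(64)   # real telnetds speak first
        except OSError:
            return True, b""          # open but silent: still worth a look


def looks_like_telnet(banner: bytes) -> bool:
    """A telnet server opens with IAC followed by an option negotiation verb."""
    return len(banner) >= 3 and banner[0] == IAC and banner[1] in NEGOTIATE


def scan(host: str, ports=(23, 2323), timeout: float = 1.5):
    """Per-port report; 23 and 2323 are the usual telnet ports (constructed default)."""
    report = {}
    for p in ports:
        is_open, banner = probe(host, p, timeout)
        report[p] = {"open": is_open, "telnet": looks_like_telnet(banner),
                     "banner": banner}
    return report


def _fake_telnetd(ready: threading.Event, info: dict):
    """Minimal stand-in for a device telnetd: IAC DO TERMINAL-TYPE, then a prompt."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(5)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    info["port"] = srv.getsockname()[1]
    ready.set()
    conn, _ = srv.accept()
    conn.sendall(bytes([IAC, 0xFD, 0x18]) + b"login: ")
    conn.close()
    srv.close()


def demo():
    """Run scan() against the local fake listener and return its report entry."""
    ready, info = threading.Event(), {}
    t = threading.Thread(target=_fake_telnetd, args=(ready, info), daemon=True)
    t.start()
    ready.wait(5)
    report = scan("127.0.0.1", ports=(info["port"],))
    t.join(5)
    return report[info["port"]]


if __name__ == "__main__":
    # Replace with the device's LAN address, then repeat from outside the LAN
    # against your public address to see whether the router forwards it.
    for port, r in scan("192.168.1.202").items():
        print(port, "open" if r["open"] else "closed",
              "telnet" if r["telnet"] else "", r["banner"][:16])
```

If a port answers from inside the LAN, that is the login that the vendor's hardwired credentials go with, and the device belongs behind the router block described earlier in the thread. If it answers from outside the LAN, the router is forwarding it, whether you configured that or UPnP did.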

Unless your baby knows Arabic.

The way the world is going, it might be a good idea to teach him Arabic. And Chinese.