cool hit counter The Hidden Cybersecurity Problems of the Smart Home_Intefrankly

The Hidden Cybersecurity Problems of the Smart Home

Text/ Xu Shengxiong (General Manager of Hanrhein Technology)

It is generally believed that home networks do not have any worthy targets for hackers, but the Mirai bot virus attack that occurred in 2016 significantly changed everyone's perception of security in the smart home.

In Mirai's case, the virus was able to successfully infect millions of home devices by constantly scanning for home IoT devices, such as wireless routers or cameras. The first generation of the virus was able to successfully infect millions of home devices by simply trying to log in using the default account passwords of connected devices, and used these infected devices to successfully launch large distributed denial of service attacks (DDoS attacks) against telecom operators. In the past DDoS attacks, usually hackers could only use thousands to tens of thousands of bot servers to attack, which could be successfully blocked as long as the operators isolated the IPs one by one; Mirai, however, can easily launch millions of devices and launch attacks with more than 1 terabyte of traffic, so much so that many operators are helpless.

In view of this, countries began to pay attention to the security of IoT devices, from the United States former President Obama proposed the "National Action Plan for Cybersecurity (Cybersecurity National Action Plan)", derived from the UL2900 security standard, to OWASP's IoT security top ten vulnerabilities, and Taiwan's Industrial Development Bureau and the Information Policy Council gathered the views of industry after the launch of the "video surveillance system network camera network security standards" is also officially on the road this year. On the other hand, security incidents such as webcams being implanted with backdoors and home router poisoning have emerged, and smart home security is gradually rising as a homeland security issue. For example, D-Link and Asus routers were sued by the U.S. Federal Trade Commission (FTC) in early 2017, and a settlement was reached later, but the extent to which the U.S. government attaches importance to smart home security is evident.

IoT devices will be the main target of hackers

Connected devices make threats ubiquitous, so why are hackers starting to target IoT devices? The reasons for this are as follows.

1. The number of isomorphic devices is large and worldwide, for example, once a brand of camera is cracked, other cameras are hacked in much the same way and can spread the virus quickly.

2. IoT devices are always connected to the network, so they are easy to attack and a perfect target to act as a springboard.

3. IoT devices have few computing resources and therefore cannot install traditional anti-virus or security protection software.

4. Most IoT devices do not have automatic software updates, and vulnerabilities on older software are easily infiltrated.

5. Most IoT devices support cloud and app connectivity, causing it to be easier for hackers to go for reverse cracking or cloud penetration from the app.

Readers may next ask why so many cyber security companies are unable to provide proper security. In fact, the vast majority of current network security protection technologies are still built on the basis of very old feature code scanning, the principle of which is to extract the behavioral characteristics of captured virus samples into a virus database, and then compare the incoming network traffic and packets. For example, when entering or leaving the airport, customs officers compare photos of wanted criminals and stop them if they look like them; However, if they are not already on the wanted list or have undergone plastic surgery, they will be able to pass.

The same problem is encountered with signature scanning. With the rapid change and spread of virus attacks nowadays, anti-virus companies are often too late to announce new virus signatures, or virus signatures are constantly morphing, and the world is scanned before virus samples are available, which is a zero-day attack. In addition, most of the CPUs and memory in IoT devices are equipped with minimum hardware specifications to cope with the devices in order to save cost, and it is difficult to accommodate a huge security protection software embedded, let alone space to store a huge virus database. Although some security vendors currently claim to use a cloud-based virus database, the scanning engine can simply be sent to the cloud for comparison, but this approach increases the traffic delay time on the one hand, and then increases users' doubts about whether their privacy has also been uploaded to the cloud, and still does not solve the problem of zero-day attacks.

Safety and security recommendations for smart homes

Just how did the hackers hack into these thousands of devices? Often they will procure target devices to test for vulnerabilities, most of which are weakly protected and have open extranet access, such as routers or webcams. Once an attack method is found, almost any device of the same type with inadequate protection will be added to the attack list, and hackers can develop a crawler that can automatically scan such IoT devices and then go around the network scanning them for extranet vulnerabilities; If they successfully hack into your home router or camera, these programs will then scan through your intranet to hack into other devices, making it virtually impossible to prevent them from doing so.

For the self-protection of smart home users, the author recommends the following.

1. Try to use European and American brands or Taiwanese brands that have a track record of exporting to the United States and are certified as better. Usually these vendors do not build backdoors and are quicker to release updated software or firmware when new security vulnerabilities appear.

2. Change the default password for all devices in your home to become a strong password, and it would be more secure if you could update it regularly.

3. Regular software updates.

4. Laptops and mobile phones in the home should be installed with closed operating systems as much as possible, avoiding open systems.

5. Be sure to turn off unnecessary cloud services and services that connect to your home device remotely from outside via an app, as these services are highly likely to be a vulnerability for hacking programs to infiltrate.

6. Do not open and reply to unknown emails, especially to confirm the sender's email address, as the sender's name can be spoofed, be sure to confirm the sender's address by clicking the right mouse button on the sender field, I often receive phishing emails disguised as Microsoft or Apple, asking for password confirmation.

In addition to grasping the above points, there are now many start-up cyber companies working on new IoT protection technologies. Take the "Dynamic Transformation" technology invented by Forceshield, a US-based start-up company, as an example. When a user browses a web page protected by Forceshield's gateway software, the original web page is garbled and different every time (Figure 1), so when it is used in the management page of an IoT device, the hacker's virus program cannot read the original web page content (Figure 2) and has to give up the attack. This technology is not only thin and light (less than 2MB), it can be easily embedded in IoT devices without the need to update the signature code, and the same technology can be applied to apps and cloud applications, which can block most bot virus automated attacks, and has been used by many large websites and IoT devices.

As the number of IoT devices continues to increase, it is urgent to strengthen the network security of smart devices. It is expected that more and more start-up companies will invest in IoT security protection in the future to meet the needs of users to use smart home devices with peace of mind.

(This article is quoted from Taiwan Security Knowledge Network)

1、A text recognition function in a few lines of code with the ability to convert to speech at the same time
2、Its said that the only new retail is fast Tsutaya Bookstore and 7ELEVEn dont think so
3、HNA Groups Digital Transformation of Financial Internal Control under Financial Big Data Supervision
4、China may overtake US in drones as more comfortable handing over its own data
5、QingYun Cao Dynamic Cycling Idea Sharing

    已推荐到看一看 和朋友分享想法
    最多200字,当前共 发送