printer friendly version

Ignore until sued

Recently, the world was witness to the largest distributed denial-of-service (DDoS) attack in history. Was this a nefarious plot against the world’s democracies? Perhaps a Western attack on a rogue nation? No, it was an attack on a web server belonging to Brian Krebs, security researcher and author. (You can find the story at https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/.)

According to Wikipedia, “a denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.” (Read more at https://en.wikipedia.org/wiki/Denial-of-service_attack.)

The attack consisted of 620 Gbps being thrown at Krebs’ web server over a sustained period. The interesting and also frightening thing about the attack was that it was orchestrated with the help of a botnet – devices that have been compromised by malware. Krebs describes these as "Internet of Things" (IoT) devices, consisting of “mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords.”

We have mentioned IoT security in this column before, but it seems that many physical security companies are still living in a world where security is something they sell and not something they do. Not long ago we commented on the vulnerabilities in DVRs and cameras which had been used to launch attacks similar to this one – although not nearly on the same scale.

Well, it’s gotten worse. If your ISP provides you with a router, you can easily find the default passwords with a simple online search. The same applies to your surveillance camera and DVR and whatever ‘thing’ you have that has a password. Default passwords are a good thing. It allows installers to set up various devices easily and quickly, but they are meant as a starting point, not as an excuse for laziness.

(To be fair, I know that a few CCTV companies force you to change the default passwords when you install their products.)

I know passwords are a pain in the security, but they are there for a reason. Before the Internet you only had to worry about people on your network fooling around, today you have endless people making use of endless opportunities to hack. Whether it’s someone doing it for fun and just to see if they can, some teenager trying to prove how cool they are by breaking something, various layers of criminals looking for a quick buck (or to include you and yours in a botnet), or nation states spying on everything in existence because they can, you can no longer assume anything is secure. It is also incredibly naïve to think that if you are not famous nobody will try to take advantage. The Internet is the great leveller.

If a surveillance camera is a good enough target, so is your router at home and your CCTV camera and your cool gadget that switches the lights on when you’re close to home. When you take a step into the corporate world, things simply get worse. When your air conditioner is online so that a building management system can switch it on or off and save energy costs, will it be secured?

Insecure on demand

Like most people, I have a router at home that was supplied by my ISP. I use it to connect my computers and mobiles to the Internet, as well as cameras at home. I also use it to view the cameras in the complex I live in. Everything talks to everything very nicely.

I decided to see how secure my router was after reading this article. I shouldn’t have. I changed the default password as soon as my Internet was installed, much to the amusement of the technician who came to sort something out one day. Apparently that is seen as overkill by my ISP. Sadly, everything else is default and I can’t change it. I wouldn’t be surprised if the switches at my ISP had the username ‘admin’ as well as the password ‘admin’.

My router has no security. The default username and password to log into it remotely are hard coded (unchangeable). This is great if the original manufacturer in China wants to load the latest firmware onto the device (which of course they don’t), but the channel is there, wide open, it doesn’t even require an https connection – and you can’t change it to force https.

And by the way, the cameras and recorders in my residential complex are also set to their default passwords – and they are connected to the Internet. I was outvoted when I suggested changing them. Too much effort I guess.

Integration intershmashun

How often have you read about integration and the benefits of integrated security systems as opposed to standalone solutions? Hi-Tech Security Solutions has had its fair share of articles on this topic. We’ve even dared to speak about integration extending beyond the physical security market into the cyber security market. Next year we will get into that even more.

But I have to ask myself, which user, when purchasing an integrated solution of, for example, perimeter, intrusion and surveillance, thinks about whether the solution is secure from a digital perspective. Chances are the solution will be linked via an IP network and also connected to the Internet to allow the integrator or service provider to monitor the system’s health and the customer’s security in real time. Who else gets to have a peek?

Of course, the reason users rely on integrators and consultants is because they don’t have the knowledge to advise and design these systems themselves. The integrators and consultants are the ones who need to be aware of the dangers and advise appropriately.

The problem is the nature of the business where they want to get the job done and move on. Less effort means more profit. The bakkie brigade is renowned for this, but sadly, some of the more ‘respectable’ integrators follow the same process.

Viva users

Perhaps the solution to our lack of security is the user. They need to demand secure systems as part of their service-level agreement (SLA). This will terrify most integrators, but if there’s money at risk maybe they will pay attention to the basics. Changing the default passwords is not the ultimate security solution, but it makes it a bit harder for villains to control your devices. Taking care of other basic security processes will assist in making it even harder, and it will protect the customer from any backlash. The PoPI Act requires companies to make ‘reasonable’ effort to protect personal data, basic security processes are a huge step to such reasonable effort.

The idea of integration finds its Utopia in the IoT where everything is connected. The IoT will see the tiniest sensors sending and receiving data, as well as the largest things, like ships or planes (even more than they do today). It doesn’t require a doctorate in computer science to understand that the more connected devices there are, the more potential vulnerabilities there are. All it takes is one device, no matter how irrelevant, that is vulnerable and your whole network could be compromised.

Sadly, if the security industry’s performance to date is anything to go by, you don’t need to be a genius to find a physical security vulnerability, you can simply search for its default login credentials on the Internet and then access a device with administrator privileges. Leaving default passwords is akin to installing the latest security system in your car, arming it and then leaving the keys and remote on the roof.

Andrew Seldon

Editor

Share this article:

Further reading: