Security expert Max Eddy doesn’t want creepers spying on him (or his dog) through insecure hardware, but that’s not why he doesn’t have internet-connected cameras in his home.
By Max Eddy
My partner and I recently got a dog, which for millennials is about the same as saying we had a child. Now, we already had, and still have, other pets in our home. Our mischief of adorable, pink-nosed rats may vary in size, but it’s been a constant in the lives of my partner and myself for nearly a decade. The thing about rats is that they are as happy in a cage with their rat friends as they are with you. Dogs, on the other hand, aren’t happy when you’re gone, and as a result, you’re not happy either. When we got the dog (whose name is Lulu and she is the best dog by any and all objective measurements), my partner suggested that we get a webcam or video baby monitor so we could keep tabs on our canine child while we were at work.
I admit I was tempted. As I mentioned, our pets fill the roles of children for us, and I spend a not-insignificant amount of time fretting about my animals when I’m at work—especially during New York City summers, which combine the heat of Death Valley with the sickening humidity of an armpit. Despite those worries, I was uncomfortable. My partner is very well aware of my paranoiac tendencies, and after we had a talk about it, we’re agreed: We won’t have a security camera in our house.
It’s not, as you might think, because I am afraid of hackers watching my intimate moments or intelligence agencies hearing my every word, although those are real threats. No, my concern is that any internet-accessible device on my network could be hijacked and turned into a weapon of online mass destruction.
The Creepy Hacks Are Real But Avoidable
We’ll get to my fears, but first I must acknowledge that, yes, creepy stuff does happen with IoT devices, and it can be really bad. On its own, it’s a valid reason to hesitate before getting a web-connected camera or baby monitor.
Stories abound of people hearing the voices of creepers coming through their baby monitor or discovering that someone has used the camera in their computer to capture embarrassing pictures. One particularly insidious practice is called “sextortion,” where an attacker threatens to release embarrassing photos taken from a hijacked webcam (which he may or may not actually have) unless the victim provides sexually explicit material. This is disgusting on its own, and the fact that young people are frequently the targets of these attacks is deplorable.
Attacks this heinous are usually hard to carry out because they require targeting a specific individual, but the poor security pedigree of many Internet of Things devices, including some security cameras and connected baby monitors, makes them easier marks. If you want to find a target, you can take a look on Shodan—a search engine of devices connected to the internet. Attacking a specific person would likely involve physical access to the device or carefully constructed phishing attacks, but Shodan can probably connect you with an unwitting, if somewhat random, victim.
These gross, invasive attacks are a real threat, but they can also be mitigated without a lot of technical know-how. A simple piece of tape across a lens or a dry washcloth thrown over a device can render a camera completely blind. Baby monitors can be disconnected—or better yet, not allowed to connect to the internet in the first place. I can handle that on my own.
What Really Scares Me
One Black Hat presentation has always stuck with me. The presenter demonstrated how he could take control of a connected security camera. That’s scary, but what got me was the presenter’s point that these cameras were just small Linux computers and could be used to do anything an attacker wanted. He also claimed that the vast majority of the cameras on the market had major flaws.
A few years later, smart home devices started to hit the shelves, and I kept hearing from security companies that they were really worried. They had the same concern as the Black Hat presenter: that it might be possible to hijack a smart device and use it for all kinds of nefarious purposes.
Not long after, those fears became reality, and it was worse than expected. The Mirai malware automatically scanned the internet for available connections and then used a battery of attacks to break into the IoT device, all without input from a human. Mirai targeted devices running embedded versions of Linux, from TVs to routers, and was able to assemble a sizable botnet. It was big enough to take down a DNS provider, which in turn caused sites like GitHub, Netflix, and Twitter to be unavailable.
Mirai was just one example, but it has come back again and again. According to Wikipedia, variants of the Mirai malware have been spotted several times within the last year, with some sightings as recent as February 2019.
Mirai was limited to just a handful of devices, but it was still brutally efficient. What would be worse is an even more advanced attack (perhaps less automated, perhaps not) that could leap from an infected lightbulb to my router, and then in turn to every device on the network. This would make the IoT device a beachhead or foothold, so the attacker or malware could “pivot” into the more valuable network.
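The scanning behavior described above is also what gives an infected device away from the router's side: a camera that suddenly opens connections to many different internet hosts on the telnet ports is acting like a bot, not a camera. The following is an added example, not code from the article or from any product it mentions; it assumes a router that logs each new outbound TCP connection in a netfilter-style `SRC=... DST=... DPT=...` line, and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (one line per new outbound TCP connection seen by the router).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)$"
)

# Constructed sample: a laptop at .50 doing normal things, and a camera at .20
# touching ten different internet hosts on port 23 within ten seconds.
SAMPLE_LOG = [
    "2019-06-20T09:00:00 SRC=192.168.1.50 DST=203.0.113.7 PROTO=TCP DPT=443",
    "2019-06-20T09:00:05 SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP DPT=23",
] + [
    f"2019-06-20T09:01:{i:02d} SRC=192.168.1.20 DST=198.51.100.{i} PROTO=TCP DPT=23"
    for i in range(1, 11)
]


def parse(lines):
    """Yield (timestamp, src, dst, dport); lines in any other format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])


def find_scanners(lines, ports=(23, 2323), window=timedelta(seconds=60), threshold=8):
    """Return {src: peak number of distinct hosts contacted on `ports` inside any
    sliding `window`}, keeping only sources at or above `threshold`.

    Many distinct destinations on 23/2323 in a short time is the signature of a
    Mirai-style scanner; a single telnet login to one host is not."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        if dport in ports:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        peak, lo = 0, 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:  # slide the window forward
                lo += 1
            peak = max(peak, len({dst for _, dst in evs[lo:hi + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))  # -> {'192.168.1.20': 10}
```

The threshold and window are tuning knobs: a device that legitimately uses telnet to one or two hosts stays below them, while a scanner trips them within its first minute.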
Granted, there have been improvements in connected cameras and baby monitors, and IoT more generally, but the industry still needs to do more. Companies must ensure that their devices have survived a battery of tests to probe for weaknesses, and at the very least should include a mechanism for updating or replacing devices that are found to be vulnerable. Vendors need to assume their devices will be attacked, build in security features, and remember that their products aren’t always user-serviceable, some of them lacking screens or any kind of interface.
There are some precautions available to regular people, too. You can look at purchasing IoT security devices such as the Bitdefender Box or routers with security software built in. (This last one is significant when you consider that a router, like an IoT device, is just a computer that could be used for evil.) You can ensure that your devices are up to date with the latest software patches and change any default passwords. Still, that only goes so far. There’s almost no way to tell from looking at a box whether the security camera inside uses signed code in its updates, or whether it has hardcoded credentials that are invisible to the user and a potential backdoor for attackers.
It’s notable how a lot of that advice, and much of security in general, is couched in the idea of personal safety and responsibility. You need to protect your machine and your personal information. As was the case with Mirai, a successful attack on me can quickly turn into an attack on my family, my friends, my community, and people I will never know. That’s not only going to cause some trouble with my ISP—it means I’ve unwittingly hurt the people around me. Putting a security camera in my house isn’t just a risk to me, it could make others a little less safe, too.
This reminds me of the concept of herd immunity: when a high enough percentage of a population is either immune or vaccinated against a particular disease, no one gets sick. The population protects one another by making it impossible for contagions to spread.
Lulu, the best dog, is still struggling to be comfortable alone. We recently got her a crate cover, because dogs apparently are naturally drawn to a dark, safe den. Instead, she pulled the cover through the bars, balled it up, and slept on it. I’m still struggling, too, but I know the solution is more training for her and for us, not a camera that will just tell me what I already know.
Whatever tiny assurance a security camera would give me isn’t worth potentially being a part of a devastating attack. It would put my own peace of mind above others, and that’s not a trade I’m willing to make. IoT technology is improving, and there are better tools to protect these devices, but it’s still not enough for me to feel comfortable. I’ve started to think of the devices on my network as my responsibility, for my sake and for others, and to me, these devices are a risk I’m not yet willing to take.
Originally published at https://www.pcmag.com on June 20, 2019.