Why is it easy to use 'smart' devices as weapons for cyber attacks?

A student types code on a laptop computer during a cyber-defense programming class at Korea University in Seoul on Nov 26, 2015. PHOTO: BLOOMBERG

SINGAPORE - Security experts have warned that unsecured "smart" devices like Webcams, routers and speakers could become a rising force of disruption, following two cyber attacks on StarHub that came from its customers' infected devices.

StarHub's home broadband subscribers could not surf the Web for about two hours on Saturday (Oct 22) and Monday.

These came on the heels of a similar attack on Oct 21 on United States-based Internet infrastructure provider Dyn.

That attack resulted in a massive Internet disruption on the east coast of the US, cutting off access to websites such as The New York Times and Spotify.

1. What is the significance of the StarHub and Dyn attacks?

The attacks confirmed longstanding fears that "smart" devices, also known as the Internet of Things (IoT), are a rising destructive force to be reckoned with. The disruptions are widely regarded as the first IoT security breach.

The bigger issue is that this might just be the beginning.

A 2016 Ericsson Mobility Report predicted that these "smart" appliances and devices will reach 15.7 billion in 2018, exceeding the total number of mobile phones and computers, which are estimated to be 10.4 billion combined.

2. How were the attacks carried out?

In the US attack, a piece of malware called Mirai reportedly infected traffic cameras, which became "zombies" that overwhelmed Dyn's systems with Internet traffic in what was a distributed denial-of-service (DDoS) attack.

In StarHub's case, the telco confirmed that its broadband users' malware-infected devices like Webcams or routers triggered the two DDoS attacks on its network.

But its customers were totally unaware that their devices were infected.

Experts have not ruled out that the DDoS attacks on StarHub were caused by Mirai, as the source code of the malware has been released online.

3. What is the problem with these "smart" devices?

There is no regulation on how these devices should be secured. For instance, there is no mandate that the devices must be tamper-resistant and the firmware locked down by encryption technologies.

Device makers are also not required to update their firmware regularly with the latest security patches or to alert consumers to such patches.

Many devices also come with default credentials and passwords that are rarely changed by users and can be easily hacked.

4. What can you do about it?

Consumers should change the default passwords provided by the manufacturers.

Set challenging passwords for all the "smart" devices and check with the manufacturers on how to download the latest security patches.

Trusted manufacturers do provide proper administration and management for their devices.
