BERLIN – The Internet of Things is a bigger danger than most people realize: Pretty much all home Wi-Fi routers can be hacked, which is a problem if you’ve already adopted connected light bulbs and faucets.
Gene Bransfield, a cybersecurity expert from Washington, recently built a gadget he calls the WarKitten. It’s a cat collar equipped with a Spark Core Wi-Fi device and a GPS module. Bransfield put the collar on a Siamese cat named Coco and let him roam the neighborhood, all the while mapping the available Wi-Fi networks.
The gadget found 23 networks, more than a third of the total, still using obsolete Wired Equivalent Privacy (WEP) encryption instead of the more up-to-date Wi-Fi Protected Access (WPA). Tutorials on how to break WEP encryption abound on the Internet.
Bransfield was to demonstrate his cat gimmick last weekend at the Black Hat security conference in Las Vegas. The keynote speaker there, Dan Geer, who works for the U.S. Central Intelligence Agency’s venture capital arm, has already said that home routers could be used to create a hacker-controlled botnet that “could probably take down the Internet.” Router botnets have already been built — just for experimentation’s sake.
DEFCON 22, the hacking convention that started in Las Vegas, features a router-hacking challenge called “SOHOpelessly Broken,” where SOHO stands for small offices and home offices. The prize for demonstrating a previously unknown vulnerability in a commonly used router is $500 plus accommodation at next year’s DEFCON. Presentations on how to break down router defenses have been commonplace at security conferences for years. In 2011, a group of hackers in Brazil subverted 4.5 million Wi-Fi routers, stole users’ personal information and spent their ill-gotten wealth on prostitutes in Rio de Janeiro.
As cybersecurity expert Bruce Schneier pointed out, the routers are often made with cheap components, programmed sloppily just so that everything works, and released into the stores. There is no incentive for the manufacturers to update the firmware, which is often years older than the hardware on which it runs. Since manufacturers don’t track the devices, the only way to install patches when they are released is to do it manually.
When was the last time you did this, or even checked the availability of new router firmware?
Until recently, the vulnerability of home and small office routers was not a huge problem. There’s nothing much to steal on an average home network, except perhaps some personal information like credit-card numbers and unencrypted passwords kept in a file so you won’t forget them. The best way to protect such data is to store them only in your wallet and your memory.
As for router botnets being used for an Internet-crashing attack, that is, at least for now, the stuff of sci-fi novels.
Routers’ inadequate defenses will become a major problem, though, when homes fill up with connected devices like thermostats, smoke detectors, faucets, locks and light bulbs. Each of these devices can be hacked individually, as in one example involving connected light bulbs, but why go to the trouble when one can easily hack the router at the center of the home network? The attacker can then do whatever he or she wants to the “intelligent home”: unlock it, flood it, send out an alarm to the owner when he’s in an all-important meeting.
“We have to put pressure on embedded system vendors to design their systems better,” Schneier wrote. He called for automatic updates to router firmware and third-party security software that could run on them. All that will take time to put into practice — and may require too much end-user education to make it practical. Now, most people just pick the cheapest Wi-Fi hub or use the one provided by their cable operator, which is not particularly interested in securing the equipment.
So, until router makers are somehow persuaded to take security more seriously, it’s the user’s job to stay safe. That means avoiding connected devices that can unleash havoc in a house if used maliciously. If the tradeoff is between turning on that tap by hand and risking a hacker-induced flood, the choice is clear.
Leonid Bershidsky is a Berlin-based contributor to Bloomberg View.