Q. While I’m doing Thanksgiving tech support this week, how do I check for any hacked Internet-of-Things devices?
A. If you’re reasonably handy with computers, smartphones or tablets, providing tech help to family members has probably long since become a Thanksgiving tradition. But this year, you may find a different task on your to-do list: sweeping the house for hacked “Internet of Things” gadgets that strangers might abuse to snoop on your house or launch attacks against other sites.
Unfortunately, identifying a compromised camera or router is harder than spotting a computer that’s been taken over remotely. It’s not like you can run an anti-virus app on one of these connected devices.
“There’s not yet a directory of insecure devices,” e-mailed Kashmir HilI, the security and privacy reporter for Fusion who was among the first to call attention to this problem in a 2013 post documenting remote takeovers of “smart home” gadgets. “I usually tell people to Google the name of the device they’re considering + ‘hacked’.”
You can, however, easily check to see if your home’s Internet address appears in a database of publicly-accessible “IoT” hardware. Visit the “Internet of Things Scanner” page, maintained by the security firm BullGuard, to see if your location shows up in that list. This page can also conduct a direct scan for any gadgets with ports open to the Internet.
That page probably won’t report any issues, but even if it gives an all-clear you’ll still want to check up on any devices in the home.
As experts advised USA TODAY’s Elizabeth Weise last month, you should start with the wireless router, which controls every other connected gadget’s Internet access.
Log into its settings interface (in most cases, by typing a numeric address into a Web browser, which you’ll have to look up in the router’s manual) and then make sure its admin password isn’t some default, obvious item like “admin” or “password1.”
If you see an option to control your router remotely over the Internet–as opposed to restricting that access to your home network–you should disable it. Finally, install any firmware updates available for the router; that, too, may require consulting its manual to see where its settings interface hides that option.
With individual cameras and other IoT hardware, the current risk is a default login that can be exploited by the “Mirai” malware responsible for distributed denial-of-service attack that kept many big-name sites unreachable for hours last month.
Most of the devices targeted by Mirai were sold to industrial or office markets, but you should check the list posted by cybersecurity reporter Brian Krebs. His own site was an early target of a “DDoS” attack by Mirai-infected gear.
As malware goes, Mirai isn’t hard to kick out. At a conference in Washington last month, Akamai security researcher Ryan Barnett noted that, unlike other viruses, this one can’t survive a device’s reboot. Do that, then change its password through whatever interface is available–which could be a mobile app or a Web page.
But some attacked devices have hardcoded passwords that Mirai is programmed to attack. “In that case you’re stuck taking the device offline and hoping for a recall,” said Stacey Higginbotham, a journalist who has covered this field for years.
If you’re in doubt–for instance, if you find a no-name connected camera with scant documentation–you’re safest unplugging the thing. That may very well be the case: We’re a few months away from getting something as basic as an Underwriters Laboratories cybersecurity label to guide our shopping.
If you luck out and find no connected device at any risk, your tech-support work probably isn’t done yet. Please consult last year’s cheat sheet, just about all of which still applies, as you go about that. Then feel free to take the last slice of pie.
Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, e-mail Rob at [email protected]. Follow him on Twitter at twitter.com/robpegoraro.
