How to Locate and Use IoT for Hacking!
October saw one of the most serious instances of the Internet being taken down using Internet of Things (IoT) devices, which disrupted major websites such as Twitter, CNN and GitHub, to name a few.
It is incomprehensible to the average Joe that an electric toaster could have brought down half the Internet that day. And yet, this is exactly what happened. The Distributed Denial of Service (DDoS) attacks were launched not from hundreds or thousands of computers sitting on people's desks but from microprocessors installed in Internet-connected devices such as DVRs, electric toasters, toys, security cameras, etc.
The mystery is not what was used for this attack but how hackers gained access to these unsecured devices on an Internet that has billions of IP addresses. How could hackers locate these devices and use them for the attack?
It seems hackers wrote scripts that used the “sh” command to search for IP addresses and log in to these connected devices using the username “root” and the password “xc3511”, which is generally the default password for most Internet-connected webcams. These programs scan the open ports of thousands of connected devices per hour and are supposedly digging through the IP addresses of devices hosted on Amazon cloud servers. Cloud servers are the ideal platform for launching DDoS attacks: just as they protect websites, they can also be manipulated to carry out attacks.
So if your Internet-connected device is not secured properly, there is a 100% chance of the device being hacked. What is most astonishing is that hackers are now able to search for and find such devices across the entire Internet, not just in a few weak spots. They have the tools to do this.
Devices that sit behind a properly secured Wi-Fi router are less vulnerable than devices that are connected directly to the modem or to an Internet service, as in industrial automation. The crux of the problem is the use of weak and reused passwords that hackers can crack programmatically.
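An added example, not part of the original article: a Python audit of your own device inventory for the weaknesses named above (the default login root/xc3511, weak or reused passwords, and direct connection to the modem). The inventory, device names, addresses and the weak-password rule are constructed assumptions.

```python
from collections import defaultdict

# Default credential pairs to flag. Only the pair named in the article is listed;
# extend it from your own vendors' documentation.
KNOWN_DEFAULTS = {("root", "xc3511")}

# Constructed sample inventory (hypothetical devices, documentation-range IPs).
# Assumes credentials come from your provisioning record; run on a trusted host.
INVENTORY = [
    {"name": "lobby-cam", "ip": "192.0.2.10", "user": "root", "password": "xc3511", "exposure": "direct"},
    {"name": "dvr-1", "ip": "192.0.2.11", "user": "admin", "password": "Winter2016", "exposure": "behind_router"},
    {"name": "plc-gw", "ip": "192.0.2.12", "user": "ops", "password": "Winter2016", "exposure": "direct"},
    {"name": "door-cam", "ip": "192.0.2.13", "user": "svc", "password": "k7#Vq9!tR2mZ-pL4", "exposure": "behind_router"},
]

def is_weak(password, min_len=12):
    """Weak (assumed rule) = short, or drawn from fewer than three character classes."""
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return len(password) < min_len or sum(classes) < 3

def audit(inventory):
    """Return {device name: sorted list of findings}."""
    by_password = defaultdict(list)
    for dev in inventory:
        by_password[dev["password"]].append(dev["name"])
    report = {}
    for dev in inventory:
        findings = set()
        if (dev["user"], dev["password"]) in KNOWN_DEFAULTS:
            findings.add("default-credentials")
        if is_weak(dev["password"]):
            findings.add("weak-password")
        if len(by_password[dev["password"]]) > 1:
            findings.add("reused-password")
        if dev["exposure"] == "direct":
            findings.add("directly-exposed")
        report[dev["name"]] = sorted(findings)
    return report

def priority(report):
    """Devices to fix first: default credentials on a directly exposed device."""
    return [n for n, f in report.items() if {"default-credentials", "directly-exposed"} <= set(f)]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```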