My Home Was Hacked!

Kaskade Home Hacked

I can’t tell my wife about any of the details of our new home security cameras from NEST. I fear that she’ll learn about the level of security associated with all my digital home product choices, and literally shut me down before I perfect all my possible security measures.

Take a look at this live preschool webcam here. If you catch it at the right time, you’ll see the room full of kids playing. It doesn’t take much to use the latitude / longitude within a given radius to search a select number of day care and preschool locations. I  narrowed this webcam down to less than 5 possibilities. I suppose the good side of this is that anyone can check to make sure the staff is working hard, taking care of our kids! The bad thing is that anyone has access to this day care in downtown Houston, TX. If you’re curious, take a look at the other 4400 unsecure webcams in the US by city on this site. If you’re real bored, you can use this IoT search engine, Shodan.io,  to find any unsecured device around the globe.

One can also direct their attack at a specific person. Webcam infections, like many other malware infections, can occur if you download a program that contains a Trojan. Trojans, unlike viruses, do not spread through replication. Instead, they’re hidden within programs that you install on purpose. When a webcam hack occurs, Trojan malware finds a way to activate cameras and control them without the owner’s knowledge. If you’re on a MAC, like I am, stare into the webcam on your monitor and ask yourself, “am I being watched?”. Just ask Miss Teen USA Cassidy Wolf about her compromised Apple laptop webcam.

There’s an old saying that we’re only as safe as the weakest link in the chain. That saying has real meaning with the Internet of Things, where one weak link (IPTV, smart coffee maker, etc.) can bring down a chain of connected devices…and/or your entire home network. Here’s a list of default usernames and passwords of a number of targeted devices, in case you’re ready to test your own home security.

Remember how easily Lakhani, security researcher at Fortinet, took control of a video camera? He said that gadget makers are partly to blame because they want to make their products as simple to set up as possible. That often means using default passwords like “admin” and encouraging users to log in to their devices through unsafe web accounts.

Here’s a list of the username and passwords of the most widely used webcams:

  • ACTi: admin/123456 or Admin/123456
  • Axis (traditional): root/pass,
  • Axis (new): requires password creation during first login
  • Cisco: No default password, requires creation during first login
  • Grandstream: admin/admin
  • IQinVision: root/system
  • Mobotix: admin/meinsm
  • Panasonic: admin/12345
  • Samsung Electronics: root/root or admin/4321
  • Samsung Techwin (old): admin/1111111
  • Samsung Techwin (new): admin/4321
  • Sony: admin/admin
  • TRENDnet: admin/admin
  • Toshiba: root/ikwd
  • Vivotek: root/<blank>
  • WebcamXP: admin/ <blank>

I include this list because, yes, I too was successful in hacking my neighbor’s webcam this weekend using one from this list. OMG!! In case you’re worried, here are a few precautions to keep your geeky neighbors off your home network.

Using your IoT device to hack into your home network

Fortinet researcher, Axelle Apvrille, found a Fitbit in her vicinity, and she used its Bluetooth connection to upload a small piece of unauthorized  software into the device. When the Fitbit was synched via Bluetooth up to a smart phone and/or laptop, the Fitbit sent software to the connecting device as it uploaded its data. Once this back door was created into their system, Axelle could can gain full access to the user’s machine. She demonstrated this simple method of using a consumer IoT device to gain access to your home system at a European computer security conference last year. It was the first time malware has been viably delivered to fitness trackers.

Using your IoT device as part of a Botnet

If you were anywhere near the internet in the US on Friday, October 21, you probably noticed a bunch of your favorite websites were down for much of the day. It’s all because thousands of IoT devices — DVRs and web-connected cameras — were hacked.

Once the hackers had control over these devices, they manipulated them into sending an overwhelming number of requests to a company that serves up the websites for Netflix, Google, Spotify and Twitter. When the traffic became too much to handle, the sites crashed. It was an old-school attack — often called a distributed denial of service attack, or DDoS — powered by the new web of devices called the internet of things.

To take over the cameras, hackers inserted Mirai, malicious software that lets bad guys use at least 100,000 devices as soldiers in its IoT army. The technical name for this IoT army is a botnet, and hackers have been making them out of computers for a very long time. Except this time they used internet of things – an even more powerful tool to carry out attacks. They used the botnet to send tons and tons of junk requests to Dyn, a company that manages web traffic for all the websites that were affected.

Integrity of Things?

The European Commission is now drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections.

The Wall Street Journal didn’t help my digital home efforts with my wife when they highlighted all my devices as security threats.

Arggg. We need a way to ensure the integrity of our IoT devices before I finish my home remodeling, and definitely before my home is hacked!

Jim Kaskade

Jim Kaskade is a serial entrepreneur & enterprise software executive of over 36 years. He is the CEO of Conversica, a leader in Augmented Workforce solutions that help clients attract, acquire, and grow end-customers. He most recently successfully exited a PE-backed SaaS company, Janrain, in the digital identity security space. Prior to identity, he led a digital application business of over 7,000 people ($1B). Prior to that he led a big data & analytics business of over 1,000 ($250M). He was the CEO of a Big Data Cloud company ($50M); was an EIR at PARC (the Bell Labs of Silicon Valley) which resulted in a spinout of an AML AI company; led two separate private cloud software startups; founded of one of the most advanced digital video SaaS companies delivering online and wireless solutions to over 10,000 enterprises; and was involved with three semiconductor startups (two of which he founded, one of which he sold). He started his career engineering massively parallel processing datacenter applications. Jim has an Electrical and Computer Science Engineering degree from University of California, Santa Barbara, with an emphasis in semiconductor design and computer science; and an MBA from the University of San Diego with an emphasis in entrepreneurship and finance.