Computer Shopper - UK (2020-03)


SECURITY


ISSUE 385 | COMPUTER SHOPPER | MARCH 2020


More recently, Hacker Giraffe exploited a problem with Chromecast and smart TVs that exposed them to the internet via UPnP, to play a YouTube video from social media star PewDiePie. That might not sound so bad, but what if the hijack played a video that got Alexa to call a number to let a hacker listen to what’s going on, or be really annoying and set an alarm to go off at 4.30am every morning?

Any device that actually gets infected can then pose a bigger risk, as it can use UPnP to open up more ports and devices in your home for further attack.

How, then, do you protect yourself against this kind of attack? Fortunately, there are several steps you can take. The first is to disable UPnP in your router. This can stop some devices working until you manually configure port forwarding, but the extra security can be worth it.

To do this, go into your router’s web-based management console and look for the UPnP setting, which is often buried in the Advanced settings. With our Netgear Orbi router, the UPnP page has a clear Turn UPnP On tickbox; removing the tick turns the service off.

Usefully, our router also shows the list of existing UPnP ports and the IP address that requested them. In our case, all UPnP requests are for the device at 192.168.0.150. A quick check of the DHCP address reservation lists shows that this is our Synology router. So, we actually have a choice here. We can disable UPnP to prevent future devices opening ports, but we can also leave it turned on but disable the features in the Synology NAS that have allowed this, such as remote web access and the file-sharing service in our case.

If we disable UPnP, then we have to remember to re-create the rules that are there manually if we want to keep using the services we have turned on.
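
The check described above (matching each UPnP port mapping to the device that requested it, then noting the rules you would have to re-create by hand) can be scripted. This is an added example, not code from the magazine or from any router vendor; the CSV layout, the device names and every port and address except 192.168.0.150 are constructed sample data.

```python
import csv, io
from collections import defaultdict

# Constructed sample data: a UPnP port-map table and a DHCP reservation list
# as they might be copied out of a router's admin pages (layout is assumed).
UPNP_TABLE = """active,protocol,int_port,ext_port,ip
YES,TCP,5001,5001,192.168.0.150
YES,TCP,6690,6690,192.168.0.150
YES,UDP,3074,3074,192.168.0.77
NO,TCP,8080,8080,192.168.0.150
"""
DHCP_RESERVATIONS = """ip,name
192.168.0.150,Synology
192.168.0.20,Living-room-TV
"""

def audit_upnp(upnp_csv, dhcp_csv):
    """Group active UPnP mappings by the device that requested them.

    Returns (by_device, unknown): by_device maps a device name (or the bare
    IP when there is no reservation) to its (protocol, external port,
    internal port) rules; unknown lists the IPs with no DHCP reservation.
    """
    names = {r["ip"]: r["name"] for r in csv.DictReader(io.StringIO(dhcp_csv))}
    by_device, unknown = defaultdict(list), set()
    for row in csv.DictReader(io.StringIO(upnp_csv)):
        if row["active"].upper() != "YES":
            continue  # inactive entry: no port is currently forwarded
        rule = (row["protocol"], int(row["ext_port"]), int(row["int_port"]))
        if row["ip"] in names:
            by_device[names[row["ip"]]].append(rule)
        else:
            unknown.add(row["ip"])
            by_device[row["ip"]].append(rule)
    return dict(by_device), sorted(unknown)

def manual_rules(by_device):
    """Port-forwarding rules to re-create by hand if UPnP is switched off."""
    return [f"{dev}: {proto} external {ext} -> internal {inn}"
            for dev, rules in sorted(by_device.items())
            for proto, ext, inn in sorted(rules)]

if __name__ == "__main__":
    devices, unknown = audit_upnp(UPNP_TABLE, DHCP_RESERVATIONS)
    print("\n".join(manual_rules(devices)))
    print("No reservation, identify before keeping:", unknown)
```

Any address reported as having no reservation is a device you have not yet identified, and it is worth tracking down before you decide whether its ports stay open.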


UNPLUGGED


The next step that you should take is to audit the devices you have that are internet-connected, and then work out if you want to leave them this way. For example, if you have an old smart TV but you no longer use its smart functions, then you may as well unplug it from the internet. Do this for everything in your home.

Next, for any device that you’ve left plugged in, you need to perform your own security audit. What you need to do is look at how the device is accessed and controlled, and change passwords where you can. For example, if you have an older security camera that you set up manually, are you still running the default username and password on it? If you are, it’s time to change them. However, this may not always be possible. For example, smart TVs don’t give you the same options, so you’re pretty much stuck with what you’ve got in the box.

Finally, take a look at your router to see if it has options for security that you can turn on. With modern systems, such as the Orbi, you can turn on malware checking for a monthly fee, which will look out for malicious attempts to hijack or control devices on your home network. It’s hard to put a figure on the efficacy of these systems, but that extra layer of defence will prevent some attacks happening and gives you that extra layer of security.

CLOUDED VIEW


Many of today’s smart devices are controlled via a cloud service, through a smartphone app. For example, if you’re away and turn up your Nest Thermostat, the request is funnelled through Nest’s cloud service.

In some ways, this is more secure than having a direct connection to the device you’re controlling, but what happens if your Nest account (or other accounts) is hacked? This will then give hackers direct control over devices in your home.

Samantha and Lamont Westmoreland from Milwaukee discovered what happens when their Nest account was hacked. They found that their heating was being turned up and that the camera in their house would speak to them and play vulgar music.

Google has said that this is the result of a compromised account, rather than a direct attack on its hardware, but it demonstrates the importance of protecting your cloud accounts: see the next page for more information on how to do this.


ABOVE: Routers will let you disable UPnP



RIGHT: If a device can’t be attacked directly, your account can be targeted

ABOVE: If your router has additional security settings, you may want to turn them on to protect your home