Scientific American - February 2019


THE INTERSECTION

Illustration by Jay Bendt

Zeynep Tufekci is an associate professor at the University of North Carolina, whose research revolves around how technology, science and society interact.

Zombie Baby Monitors Attack

It’s a malware-eat-malware world
By Zeynep Tufekci

Many devices come with chips and are connected to the Internet—the so-called Internet of Things. The smart fridge that alerts you when milk is low or adds it to the shopping list—maybe even orders it from the grocery app! The air conditioner that anticipates when you want the house cooler for a run on the treadmill but turns itself down when you’re out at the movies. A baby monitor that tells you when it’s time to stock up on teething gel: the little one has been tossing and turning a little too much.

It sounds useful and wondrous. It’s quite possible, however, that your Internet-connected baby monitor instead spent last night teaming up with millions of other devices—cameras, printers, routers, speakers, air conditioners, DVRs, and more—to censor journalists; take down music, social media, or movie sites such as Twitter or Netflix; sabotage open-source software projects; knock almost a million German houses off-line; or bring down cell-phone communications in Liberia. With all this extra stealth activity, it’s also running up your electricity bill.

Wait ... what? The problem is painfully simple and terribly thorny, and it is as much about globalization, law and liability as it is about technology. Most of our gizmos rely on generic hardware, much of it produced in China, used in consumer products worldwide. To do their work, these devices run software and have user profiles that can be logged into to configure them. Unfortunately, a sizable number of manufacturers have chosen to allow simple and already widely known passwords like “password,” “pass,” “1234,” “admin,” “default” or “guest” to access the device.

In a simple but devastating attack, someone put together a list of 61 such user name/password combinations and wrote a program that scans the Internet for products that use them. Once in, the software promptly installs itself and, in a devious twist, scans the device for other well-known malware and erases it, so that it can be the sole parasite. The malicious program, dubbed Mirai, then chains millions of these vulnerable devices together into a botnet—a network of infected computers. When giant hordes of zombie baby monitors, printers and cameras simultaneously ping their victim, the targeted site becomes overwhelmed and thus inaccessible unless it employs expensive protections.

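The credential-sweep stage described above leaves a recognisable trace on the receiving end: one source address cycling through several well-known default logins in quick succession, and occasionally getting in. The following is an added example of detection logic over such a log, written for this page; it is not code from the column and not Mirai's own code. The one-line-per-attempt log format, its field names and the sample entries are constructed assumptions, and the credential list contains only the defaults the column itself names, not Mirai's full list of 61.

```python
"""Flag Mirai-style default-credential login sweeps in device auth logs.

Added example, not from the column or from Mirai. The log format and the
field names are assumptions for this demo; adapt LINE_RE to whatever your
device, gateway or honeypot actually writes.
"""
import re
from collections import defaultdict

# Weak defaults named in the column. Mirai's real list held 61 pairs;
# only the ones the column spells out are used here.
DEFAULT_PASSWORDS = {"password", "pass", "1234", "admin", "default", "guest"}
DEFAULT_COMBOS = {("admin", "admin")}

# Assumed format, one line per login attempt:
# <iso-timestamp> src=<ip> user=<name> pass=<password> result=<OK|FAIL>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S*) "
    r"pass=(?P<pw>\S*) result=(?P<result>OK|FAIL)$"
)


def is_default_credential(user, password):
    """True if the pair is one of the well-known defaults the column lists."""
    return (user, password) in DEFAULT_COMBOS or password in DEFAULT_PASSWORDS


def parse_line(line):
    """Return the fields of a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_credential_sweeps(lines, min_distinct_combos=3):
    """Summarise default-credential login attempts per source address.

    A source is reported as a sweep when it tries at least
    `min_distinct_combos` distinct default pairs. Any successful login with
    a default pair is reported separately: that is the moment a device has
    just been recruited, so it deserves its own alert regardless of volume.
    """
    combos_by_src = defaultdict(set)
    default_successes = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:  # malformed or unrelated line, skip it
            continue
        if not is_default_credential(rec["user"], rec["pw"]):
            continue
        combos_by_src[rec["src"]].add((rec["user"], rec["pw"]))
        if rec["result"] == "OK":
            default_successes.append((rec["ts"], rec["src"], rec["user"], rec["pw"]))
    sweeps = {
        src: sorted(combos)
        for src, combos in combos_by_src.items()
        if len(combos) >= min_distinct_combos
    }
    return {"sweeps": sweeps, "default_successes": default_successes}


# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2019-02-01T03:12:40Z src=198.51.100.23 user=root pass=1234 result=FAIL",
    "2019-02-01T03:12:41Z src=198.51.100.23 user=admin pass=admin result=FAIL",
    "2019-02-01T03:12:42Z src=198.51.100.23 user=admin pass=password result=FAIL",
    "2019-02-01T03:12:43Z src=198.51.100.23 user=guest pass=guest result=OK",
    "2019-02-01T03:15:01Z src=203.0.113.8 user=alice pass=c0rrect-h0rse result=OK",
    "2019-02-01T03:16:12Z src=203.0.113.9 user=admin pass=admin result=FAIL",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    report = detect_credential_sweeps(SAMPLE_LOG)
    for src, combos in report["sweeps"].items():
        print(f"sweep from {src}: {len(combos)} default pairs tried: {combos}")
    for ts, src, user, pw in report["default_successes"]:
        print(f"{ts}: default credential {user}/{pw} accepted from {src}")
```

On the sample log the single sweeping source is flagged after four distinct default pairs, the one success with a default pair is listed on its own, the legitimate non-default login is ignored, and the lone admin/admin attempt from a third address stays below the threshold. The threshold is the tunable part: a lower value catches slower scanners at the cost of noise from users mistyping a default they never changed.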
To make things worse, the authors of Mirai released the source code shortly after their debut censorship attack on the Web site of Brian Krebs, an Internet security investigative journalist. Now even people with rudimentary levels of coding skill can assemble their own giant zombie botnets. There are also “peeping Tom” sites that randomly scan for, and easily find, cameras with these simple, known passwords and stream their feed to the world.

What’s the fix? You might have noticed that phones or laptops occasionally need software updates. These introduce new features, but they also often patch bugs and fix software vulnerabilities. Alas, most devices vulnerable to Mirai were also shipped with no feasible or easy way to update or fix them.

I babysat various computer networks to pay for college, and the passwords that Mirai uses would be the same combinations I’d try when faced with a device with an unknown login. That this is still true so many years later points to the actual problem: nobody is minding the store. Indeed, why bother? For manufacturers of chips or devices, there is often little to no downside to shoddy security.

There is no authority with teeth and no clear law outlining liability from harm caused by such blatantly negligent security practices. The original authors of Mirai appear to be U.S. college students who eventually pled guilty after being caught, but that’s mostly irrelevant. As long as there are large numbers of devices with the “admin/admin” username/password combination, someone would have done this eventually. The bad news is that there is no real solution to Mirai except waiting for existing vulnerable devices to degrade. The good news is that if a few device makers who shipped “admin/admin” gadgets were forced to pay hefty fines or if parents of a hacked baby monitor could sue manufacturers or sellers, security would probably improve rapidly.

The Internet of Things promised us great wonders, but I’d like them to be less exciting. It’s time to make baby monitors boring again—and go back to worrying about the little one’s teething rather than his or her security camera joining a zombie botnet and wreaking havoc across the globe.


© 2019 Scientific American