SINGAPORE: Infected Internet devices. Distributed denial of service (DDoS). Domain name servers. Internet of Things (IoT). The IT jargon may make little sense to the man on the street, who just wants the Web gadgets he buys to work and does not want to worry about the accompanying security issues.
However, the reality today is that consumers do need to pay attention to cybersecurity and observe basic surfing hygiene that helps to keep cyber attackers at bay. After all, it was StarHub customers' compromised Web devices such as webcams and routers that were the cause of the spike in traffic that resulted in the two broadband service outages for the telco on Oct 22 and Oct 24, the company’s CTO Mock Pak Lum said on Wednesday (Oct 26). He added that “everyone has a role to play in cybersecurity”.
Thousands of devices were also recently infiltrated by hackers to attack US-based domain name service provider Dyn, affecting access to bigwig sites and services such as Twitter, Spotify and Reddit.
Channel NewsAsia spoke to the Cyber Security Agency of Singapore (CSA) and security vendors to find out why consumers in Singapore should care about the StarHub downtime and attack - which the CSA has said is a first of its kind in the industry - and how they can better protect themselves from unwanted cyber intrusions.
WHY SHOULD CONSUMERS CARE?
Mr Benjamin Ang, Senior Fellow of the Centre of Excellence for National Security (CENS) Cybersecurity Programme at S. Rajaratnam School of International Studies (RSIS), said consumers who have not changed the security settings on their Web-connected cameras such as a security camera or baby monitor should be “very concerned”. This is because these devices can be found and accessed by hackers using tools that are available online, such as Mirai.
“For the Dyn attack, the devices were only used as bots or slaves to attack a specific target, but they can also be exploited to spy on you or your family,” Mr Ang said.
Another security expert, Mr Nick FitzGerald, Senior Research Fellow at ESET, added: “Sadly, consumers should be very concerned because of the extremely poor state of security among IoT devices. Many - perhaps even most - of these devices are very poorly designed or implemented from a security perspective.”
Mr FitzGerald noted that the Dyn attacks were partially delivered through many devices by abusing unchanged default administrative account names and passwords, or backdoor accounts hardcoded into these devices.
“From a security perspective, both practices are incredibly foolish and lead one to wonder if security was considered in the process of product design at all,” he said.
WHY SHOULD MANUFACTURERS CARE?
With China's Hangzhou Xiongmai Technology implicated in having thousands of its devices used for the DDoS attack on Dyn, it is important for manufacturers to patch security flaws that allow hackers to bypass passwords, as well as to secure many smart devices that do not even have passwords, Mr Ang said.
“Manufacturers should be required to build in better security into their devices, and should also be responsible for solving security vulnerabilities as they arise,” he said, but added that this may in turn increase the cost that consumers may have to bear.
Mr David Maciejak, head of FortiGuard Lion R&D team for Asia Pacific at security vendor Fortinet, said if security is not taken more seriously by device manufacturers, the company predicts that in the near future, “hackers could target wearable IoT devices like smart wristbands, smart clothes, smart locks or even your WiFi-connected robot vacuum cleaner”.
A CSA spokesperson added that manufacturers should embed security-by-design in their products.
On the Government’s end, particularly with its aim to be the world's first Smart Nation, the CSA spokesperson said its systems need to be secure and resilient. “CSA has been working closely with the Smart Nation Programme Office to have security-by-design incorporated into Smart Nation initiatives. These include guidelines-based architecting and pilot cybersecurity solutions to strengthen emerging platforms,” she said.
HOW CAN WE PROTECT OURSELVES?
ESET’s Mr FitzGerald suggested three things to do, in order to better protect yourself from unwanted and unexpected cyber intrusions:
1. Check that your router does not have a standard password for the administrator account
“This is not the WiFi access password,” he explained. “Some manufacturers have changed from their earlier practice of using admin/admin, admin/(brand name), and the like, to using a device-specific password that is generated during production and is printed on a label on the box or device.
“These may seem like good, strong passwords, but they may be generated algorithmically and thus be more easily brute-forced as a result. Hence, I suggest changing even these kinds of passwords,” he said.
2. Make sure your router only exposes its administration interface on the Local Area Network (LAN) interface and not on its Internet (sometimes referred to as WAN) interface
“Some ISPs pre-configure the routers that they supply with this option enabled, so that their support staff can more easily help their customers. However, unless very strong passwords are used that are unique per customer, this is a security-compromising configuration,” Mr FitzGerald cautioned.
“If you care for your security and cannot disable this configuration option, you may need to consider buying your own router or even changing Internet providers.”
3. Perform the same kinds of configuration checks and changes on all your Internet-connected devices
“If you cannot easily fix these issues for some devices, consider replacing them or giving up the functionality they provide until a secure version is available on the market,” he suggested.
Another option: Disabling Universal Plug’n’Play (UPnP) on the router, so any unsecured or unsecurable IoT devices on one’s network cannot punch a hole through the router’s firewall, exposing their insecurities to the Internet. “This is how so many webcams were involved in the recent DDoS attacks,” Mr FitzGerald said.
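To see whether devices on a home network have already opened such holes, a router's UPnP port-mapping list can be audited. The sketch below is an added example, not part of the original article: it assumes a text listing in the style printed by a UPnP client such as miniupnpc's `upnpc -l`, and the sample listing, the port list and all function names are constructed for illustration.

```python
import re

# Internal TCP ports that usually carry remote administration or camera video.
# Assumed list for illustration; extend it for the devices you own.
RISKY_TCP_PORTS = {
    22: "SSH", 23: "Telnet", 80: "web admin", 443: "web admin (TLS)",
    554: "RTSP video", 2323: "Telnet (alternate)", 8080: "web admin (alternate)",
}

# One mapping per line: index, protocol, external port -> LAN address:port, 'description'
MAPPING_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+'(?P<desc>[^']*)'"
)

# Constructed sample listing (not captured from a real router).
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.23:80 'IPCam web' '' 0
 1 TCP  2323->192.168.1.23:23 'IPCam mgmt' '' 0
 2 UDP 51413->192.168.1.5:51413 'BitTorrent client' '' 3600
 3 TCP 34567->192.168.1.40:554 'DVR stream' '' 0
"""

def parse_mappings(listing):
    """Return one dict per port-mapping line; header and other lines are skipped."""
    mappings = []
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            mappings.append({
                "proto": m["proto"], "external_port": int(m["ext"]),
                "lan_ip": m["ip"], "lan_port": int(m["port"]), "desc": m["desc"],
            })
    return mappings

def exposed_services(mappings):
    """Return (lan_ip, external_port, service) for mappings that expose a risky service."""
    return [
        (m["lan_ip"], m["external_port"], RISKY_TCP_PORTS[m["lan_port"]])
        for m in mappings
        if m["proto"] == "TCP" and m["lan_port"] in RISKY_TCP_PORTS
    ]

if __name__ == "__main__":
    for lan_ip, ext_port, service in exposed_services(parse_mappings(SAMPLE_LISTING)):
        print(f"{lan_ip}: {service} reachable from the Internet on port {ext_port}")
```

Any device it reports is a candidate for the password and configuration checks in steps 1 to 3, and its mapping disappears once UPnP is disabled on the router.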