
What's Attacking the Web? A Security Camera in a Colorado Laundromat

The Wall Street Journal. 3/20/2017 Drew FitzGerald

While Bea Lowick’s customers were busy folding clothes last year, the security system at her Carbondale, Colo., laundromat was also hard at work.

Though she didn’t know it, Ms. Lowick’s Digital ID View video recorder was scanning the internet for places to spread a strain of malicious software called Mirai, a computer virus that took root in more than 600,000 devices last year.

Ms. Lowick, 59, said she wasn’t aware the device was doing anything other than acting up. Her remote-viewing app kept disconnecting. She was able to reconnect it by restarting the digital video recorder.

“I would have to go in and unplug and plug in the DVR” to fix it, Ms. Lowick said, adding that she didn’t know that unwanted software was to blame.

The culprit went unnoticed because Mirai usually doesn’t take full control of its hosts but rather uses their computing power to attack websites, many of them halfway around the globe. Most victims aren’t aware they are infected. Researchers at two independent security firms confirmed a device using the laundromat’s internet address hosted the virus.

Bill Knapp, who installed the laundromat’s surveillance system, said he learned of the virus after being notified by a reporter.

“One of the hardest parts of this business is that everyone loses their passwords,” said Mr. Knapp, owner of Security Solutions LLC. When Ms. Lowick forgot her password, he said, Digital ID View would reset the DVR to its default password, “123456”—a weak but common option that opens the door to attackers. Compulan Center Inc., which does business as Digital ID View, said it was investigating the situation but didn’t believe its product was responsible for the problem.

“Within nine seconds of turning on these things, they get hit,” Steve McGregory, a researcher at security firm Ixia, said of machines that are poorly secured.


A wave of inexpensive webcams, thermostats and other internet-connected devices is hitting the market, many of them carrying minimal safeguards against remote hacking. Hundreds of thousands of these machines already host malicious software, unbeknown to their owners.

As a result, the internet is constantly under attack, making websites harder to defend and raising costs for a wide range of businesses. The vulnerabilities are an open secret in security and technology circles, but there is no consensus on what to do about it. A handful of industry groups have agreed upon some basic principles to improve their products, such as automatic security updates, but compliance is voluntary.

The power of so many devices working in tandem became clear in October during an attack on Dynamic Network Services Inc., an internet-address service that helps run thousands of websites and is also known as Dyn. The assault made sites like Inc., PayPal Inc. and Twitter Inc. unavailable for hours.

The foot soldiers in that online campaign and many others weren’t desktop computers but security cameras and everyday electronics connected to the internet. Each day, networks of infected devices hurl waves of junk data at dozens of websites in an effort to knock them offline.

Security researchers are constantly finding new flaws in connected devices. Some allow voyeurs to peer into internet-enabled cameras. Others give hackers a jumping-off point to infect nearby computers where bank-account information and other sensitive data can be pilfered.

“The devices continue to function and that’s mostly what the owners are concerned about,” Ixia’s Mr. McGregory said. “Who’s responsible for it? There’s a line of people that you could look at and say, ‘You should probably do more.’”

The victims found in research from Ixia and from Qihoo 360 Technology Co. included an Altice SA customer in Brooklyn, N.Y., with a hacked video camera, and a Comcast Corp. customer in New Mexico who was part of a Mirai botnet found attacking at least three wireless operators in Liberia.

Denial-of-service attacks also leave collateral damage. Residents of Lappeenranta, Finland, learned that the hard way in November, when an attack on a British gambling website inadvertently knocked several digital thermostats offline, leaving many buildings without heat at the start of winter. The temperature controllers weren’t the source of the attack but acted as relays, wreaking havoc on their owners’ buildings in the process.

Jussi Rantanen, chief executive of Fidelix Oy, which automates building heat systems, said at least 40 devices in homes and businesses appeared to restart repeatedly during the assault. The problem could have been avoided if landlords had secured their connections, Mr. Rantanen said.

It took about an hour to fix the problem by finally disconnecting the thermostats from the internet, he said.

In the U.S., the Federal Trade Commission has tried to flex its muscles in court against some manufacturers.

It sued hardware maker D-Link Systems Inc. in January, accusing it of falsely advertising that its machines were secure despite several vulnerabilities. D-Link denied the allegations.

Netgear Inc., a router maker, issued a software patch in December after a researcher found vulnerabilities that could allow hackers to take over home networks. While some of its routers update automatically, making them more secure, that gives users less control over their networks.

“It’s kind of balancing both these requirements,” said Sandeep Harpalani, a Netgear project manager. “Do you force it on the customer or do you give them a choice?”

Broadband providers say their hands are tied because their customers choose what to plug into the internet.

“We do beat on vendors, but we don’t have a lot of leverage,” Comcast engineer Paul Ebersman said at Nanog, an industry conference, in February. “We could name and shame, and we have lots of lawyers, but so do they.”

Susan Yarbrough, 63, a retiree who lives near Sparta, N.C., didn’t know until recently that her home network had been infected. She said she mostly used her computer to see her grandchildren on Facebook.

Shortly after Christmas, a technician from her broadband provider called to ask if she owned a Netgear router. The technician received a list of infected IP addresses through the Department of Homeland Security.

“Then I really got deer in the headlights,” Ms. Yarbrough said. “It’s scary to know that those things happen.”

