Your Nanny Cam is sending me porn and your fridge is sending spam. Thanks for the porn, but keep the spam!

Far-fetched? Hardly.

http://arstechnica.com/security/2014/01/is-your-refrigerator-really-part-of-a-massive-spam-sending-botnet/

In January 2014 the security firm Proofpoint reported a spam campaign it said had been sent from more than 100,000 compromised consumer devices, at least one of them a refrigerator, to show that this is possible and that it is time to do something.

Deviant eggs? Disgruntled milk? Sour kraut?

“Bot-nets are already a major security concern and the emergence of thingbots may make the situation much worse,” said David Knight, General Manager of Proofpoint’s Information Security division. “Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come on-line and attackers find additional ways to exploit them.”

https://www.proofpoint.com/us/news/press-releases/proofpoint-uncovers-internet-of-things-cyberattack

What does this mean to you, in English?

Well, first: sending out spam is not the worst thing that can happen. It may be the least of the possible impacts. What it means is that the devices designed to make your life better are not secure, and that insecurity can cause dangerous, even life-threatening, incidents.

Life-threatening? Sounds like a comment from the looney bin, doesn’t it? It may not be.

http://www.13wham.com/news/features/top-stories/stories/homes-still-dealing-frozen-pipes-20860.shtml

What should be of higher concern is a disgruntled employee compromising the thermostat of your apartment in Rochester, New York, in the dead of winter and turning off the heat. The result is frozen pipes and enormous repair bills. Imagine your ex turning off your fridge when you go on vacation, or turning on your stove and starting a fire.

If that isn’t enough, imagine peeping toms turning on your smartwatch or security cam and watching you get dressed.

“SciFi,” you say? Not so.

https://www.yahoo.com/parenting/family-discovers-hacked-images-of-childs-crib-115679734177.html

https://www.yahoo.com/parenting/nanny-freaks-as-baby-monitor-is-hacked-109405425022.html

The nanny to a one-year-old girl was going about her business Monday — changing diapers, playing with the baby — when she heard an unfamiliar voice come out of the family baby monitor. “That’s a really poopy diaper,” it said, apparently watching Ashley Stanley, the nanny, and little Samantha.

Right now, perps are scanning for nanny cams they can get into, and some are rebroadcasting the feeds once they do.

These invaders, perps and cyber criminals are not just watching. They are capturing the video stream and taking control of the camera to pan and zoom it. And it isn’t just deviants: cyber criminals can listen in on private conversations, zoom in on your safe combination, read your mail, watch your child being breastfed, and broadcast all of it on the web.

The worst part is you may not have any idea.

How do they do it? Anyone can just go to https://www.shodan.io/ and search. When a device turns up, like your nanny cam or smartwatch, all they need is a user name and password. And they don’t have to know the password: they can run an automated program that keeps trying passwords, usually starting with the factory defaults and the most common choices, until one opens the door. Most of these devices never lock the account or slow the guessing down, so nothing objects, and the owner may never know.
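To make the last point concrete, here is an added example (my own code, not anything from the original post or from any camera vendor) that models a device login in two forms: the usual one with no lockout, where an automated guesser simply walks a wordlist until it hits the weak password, and a hardened one that counts failures per source and stops answering after a few. The device name, the password, the wordlist and the source addresses are all constructed for the demonstration and are not real product credentials.

```python
"""
Added example: why "the device doesn't object" is the whole problem.

Device.login() with max_failures=None behaves like a typical consumer camera:
every guess is answered, so a wordlist attack succeeds as soon as the
password appears in the list.  With max_failures set, the same attack is
cut off after a handful of tries from one source.  Everything here
(credentials, wordlist, addresses) is constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed wordlist: the kind of guesses an automated tool tries first
# (factory defaults and the most common human choices).
WORDLIST = ["admin", "password", "123456", "12345", "1234", "camera",
            "888888", "admin123", "pass", "welcome"]

PBKDF2_ROUNDS = 20_000  # kept modest so the demo runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the stored secret is not the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Device:
    username: str
    salt: bytes
    pw_hash: bytes
    # None = no lockout at all, which is what most cheap IoT gear ships with.
    max_failures: Optional[int] = None
    failures: Dict[str, int] = field(default_factory=dict)  # source -> count
    locked: Set[str] = field(default_factory=set)            # locked-out sources

    @classmethod
    def with_password(cls, username: str, password: str,
                      max_failures: Optional[int] = None) -> "Device":
        salt = secrets.token_bytes(16)
        return cls(username, salt, _hash(password, salt), max_failures)

    def login(self, source: str, username: str, password: str) -> bool:
        """Return True only for correct credentials from a non-locked source."""
        if source in self.locked:
            return False  # hardened device: stays silent even for a correct guess
        ok = (username == self.username and
              hmac.compare_digest(self.pw_hash, _hash(password, self.salt)))
        if ok:
            self.failures.pop(source, None)
            return True
        if self.max_failures is not None:
            count = self.failures.get(source, 0) + 1
            self.failures[source] = count
            if count >= self.max_failures:
                self.locked.add(source)
        return False


def guess_attack(device: Device, source: str = "203.0.113.9",
                 username: str = "admin",
                 wordlist=WORDLIST) -> Tuple[Optional[str], int]:
    """Try each word in order; return (password_found_or_None, attempts_made)."""
    for attempts, word in enumerate(wordlist, 1):
        if device.login(source, username, word):
            return word, attempts
    return None, len(wordlist)


if __name__ == "__main__":
    # Constructed weak password "888888", 7th entry in the wordlist.
    open_cam = Device.with_password("admin", "888888")
    print("no lockout:", guess_attack(open_cam))          # ('888888', 7)
    hardened_cam = Device.with_password("admin", "888888", max_failures=5)
    print("lockout after 5:", guess_attack(hardened_cam))  # (None, 10)
```

The per-source lockout is the minimum that stops the naive "keep trying until it opens" tool the text describes; a patient attacker can rotate source addresses, so in practice it belongs alongside non-default credentials and a per-account rate limit, not in place of them.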

The real question, the unifying theory of cyber security, is this: why don’t we just eliminate the password altogether? The password is the weakest link.

Coming soon… BPID password-free authentication.

Paul Swengler is the CEO and principal of Bulletproof ID, a password-free authentication system. He can be reached through www.bpidsecurity.com or @bpids.