Back in the 1990s when businesses started going online they frequently didn't realize that their new networking gear came with simple default passwords like "admin". So a whole generation of early hackers simply scanned the web for companies that had inadvertently exposed themselves in this way, siphoning off (probably, no one really knows) billions of dollars and causing various other kinds of mischief.
Now that process is repeating with the Internet of things (IoT). As pretty much every device in homes and businesses is imbued with sensors and connected to internal networks and/or the broader Web, hackers are exploiting the many resulting vulnerabilities.
But this time around it's personal, as formerly innocuous things like TVs, phones and thermostats gain cameras and microphones, creating all kinds of privacy issues – some of which are potentially (and catastrophically) financial. Here's a sampling of what appeared on the subject in yesterday's Wall Street Journal:
While Bea Lowick's customers were busy folding clothes last year, the security system at her Carbondale, Colo., laundromat was also hard at work.
Though she didn't know it, Ms. Lowick's Digital ID View video recorder was scanning the internet for places to spread a strain of malicious software called Mirai, a computer virus that took root in more than 600,000 devices last year.
Ms. Lowick, 59, said she wasn't aware the device was doing anything other than acting up. Her remote-viewing app kept disconnecting. She was able to reconnect it by restarting the digital video recorder.
"I would have to go in and unplug and plug in the DVR" to fix it, Ms. Lowick said, adding that she didn't know that unwanted software was to blame.
The culprit went unnoticed because Mirai usually doesn't take full control of its hosts but rather uses their computing power to attack websites, many of them halfway around the globe. Most victims aren't aware they are infected. Researchers at two independent security firms confirmed a device using the laundromat's internet address hosted the virus.
Bill Knapp, who installed the laundromat's surveillance system, said he learned of the virus after being notified by a reporter.
"One of the hardest parts of this business is that everyone loses their passwords," said Mr. Knapp, owner of Security Solutions LLC. When Ms. Lowick forgot her password, he said, Digital ID View would reset the DVR to its default password, "123456" -- a weak but common option that opens the door to attackers.
A wave of inexpensive webcams, thermostats and other internet-connected devices are hitting the market, many of them carrying minimal safeguards against remote hacking. Hundreds of thousands of these machines already host malicious software, unbeknown to their owners.
Security researchers are constantly finding new flaws in connected devices. Some allow voyeurs to peer into internet-enabled cameras. Others give hackers a jumping-off point to infect nearby computers where bank-account information and other sensitive data can be pilfered.
Researchers in recent weeks discovered a laundry list of vulnerabilities that leave web cameras and digital video recorders open to hacking, often because the devices continue to run outdated software.
Earlier this month, independent security researcher Pierre Kim named seven bugs afflicting more than 1,200 webcam models, allowing attackers to bypass firewalls, log into the devices with a preprogrammed "backdoor" account or watch a live stream of the cameras without signing in at all.
Mr. Kim advised owners of the affected cameras to immediately disconnect them from the internet, noting that hundreds of thousands of the devices are vulnerable to one bug and millions more could be accessed through another security flaw.
Manufacturers are expected to add another 2.5 billion connected devices, from laptops to lightbulbs, to the market this year, according to IHS Markit Research. Many are programmed to download the latest security updates out of the box, but others require their owners to do it manually.
To summarize, in today's world pretty much everything could be watching you and sharing that data with governments or hackers. And as embarrassing as it might be to have videos of your private habits appear on YouTube, having your finances compromised might be a lot worse. What if, for instance, your laptop watches you sign into your online broker, or your thermostat sees where you hide the next batch of silver coins?
The upshot: You can save lots of money and invest it brilliantly -- and still lose it to this new generation of predators. There are, however, some basic precautions that will help. Also from yesterday's WSJ:
How to Secure Your Smart Home
Spotting computer viruses is getting harder as threats spread from well-protected PCs and phones to cars and household appliances with fewer safeguards. Experts say it's hard for consumers to detect all viruses, but users can still follow a few low-tech steps to protect their homes.
Many computer viruses found on home routers, digital video recorders and cameras won't survive a hard reset. That is because the unwanted software lodges itself in the machine's temporary memory banks instead of its permanent storage. Powering off the machines if you suspect an infection can help clear the most basic malicious software.
Quarantine Before Curing
Malware can reinfect clean devices in seconds, so it is important to sever the machines' pathway to the internet before restoring power. You can still access the equipment's login screen over home Wi-Fi, but first you should disconnect your Wi-Fi from the internet to prevent instant reinfection. And many devices don't need go back online to work, even if they're internet capable. "Pretty much, if you don't need it or aren't using it, don't be afraid to turn it off, mute it or unplug it," says Yolonda Smith, product manager for security firm Pwnie Express.
Fix the Password
Before restoring internet access, use the machine's control panel -- accessible over Wi-Fi from any nearby laptop or desktop -- to reset the password. Some of the most powerful computer worms spread by exploiting devices' default credentials, which can be "admin" and "12345." A unique username and password will protect the machine from many of the threats plaguing the internet.
Most responsible manufacturers offer software patches once they're aware of a security vulnerability, but many companies leave it up to the user to take the initiative. If a company offers smartphone- or desktop-management software, download it and make sure automatic updates are enabled. Steer clear of any internet-ready device that isn't able to patch itself.
Batten Down the Hatches
Home routers usually ship with a preinstalled firewall -- an electronic barrier that filters unwanted internet traffic. But not all firewalls are of equal strength. Many homeowners can tweak their router or modem settings to apply stricter rules to suspicious internet traffic. If you're very worried, you can buy specialized firewall equipment, which has come down in price in recent years.