This gives the hacker an incredible amount of power and can very easily lead to a massive breach of personal data. What's more, this kind of attack has once again shown that while the Internet of Things may be revolutionary, it isn't fully secure yet.
Generic IDs and passwords are an issue
The way this hack goes about gaining DNS changing abilities is by using brute force to attempt multiple generic passwords and IDs until the router opens up access to the cyber criminal. Trend Micro's experts have discovered that JS_JITON has more than 1,400 different combinations to try, many of which are standard factory settings. Many IoT devices ship out with either the password or ID being "admin," with other gadgets using this word for both.
One of the reasons for this has to do with testing and quality assurance, as company officials can't be expected to set up specific IDs and passwords for the multiple devices they test before shipping. Businesses expect end users to change these settings to their own personal preference, but this usually isn't what happens. People often don't know they need to alter these settings, which can leave them wide open to an attack.
Aside from knowing about this very common human error, the hackers behind these attacks also seem to know a lot about the hardware the average consumer buys. The code mentions popular brands of routers throughout, meaning these criminals have done their research on what kinds of hardware would yield the highest number of targets.
This attack is proof that the IoT's security needs to be improved if it's going to be as widespread as many industry experts believe it will be. These devices, much like the routers involved in these intrusions, are often sent out with similar factory IDs and passwords, which makes them extremely vulnerable to attack.
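Guessing through a list of factory credentials, as described above, shows up in a router's admin-login log as a burst of failures from one client, sometimes ending in a success. The following Python detection sketch is an added example and not code from the original article or from Trend Micro; the log format, addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; this admin-UI log format is an assumption.
SAMPLE_LOG = """\
2016-04-11T10:00:01 httpd: login failed user=admin src=192.168.1.23
2016-04-11T10:00:02 httpd: login failed user=root src=192.168.1.23
2016-04-11T10:00:03 httpd: login failed user=user src=192.168.1.23
2016-04-11T10:00:04 httpd: login failed user=support src=192.168.1.23
2016-04-11T10:00:05 httpd: login failed user=admin src=192.168.1.23
2016-04-11T10:00:06 httpd: login ok user=admin src=192.168.1.23
2016-04-11T10:05:00 httpd: login failed user=alice src=192.168.1.40
2016-04-11T10:10:00 httpd: login failed user=alice src=192.168.1.40
2016-04-11T10:10:05 httpd: login ok user=alice src=192.168.1.40
2016-04-11T11:00:00 httpd: login failed user=admin src=192.168.1.77
2016-04-11T11:00:01 httpd: login failed user=admin src=192.168.1.77
2016-04-11T11:00:02 httpd: login failed user=guest src=192.168.1.77
2016-04-11T11:00:03 httpd: login failed user=root src=192.168.1.77
2016-04-11T11:00:04 httpd: login failed user=admin src=192.168.1.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) httpd: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def detect_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {src: 'burst' | 'burst-then-success'} for suspicious clients."""
    recent = defaultdict(deque)  # src -> timestamps of failures inside window
    findings = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in other formats
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        fails = recent[src]
        while fails and ts - fails[0] > window:
            fails.popleft()  # expire failures older than the window
        if m["result"] == "failed":
            fails.append(ts)
            if len(fails) >= threshold:
                findings.setdefault(src, "burst")
        else:
            if len(fails) >= threshold:  # success right after a burst
                findings[src] = "burst-then-success"
            fails.clear()
    return findings
```

A "burst-then-success" finding is the case that matters most: it means the router was still using credentials that were on the guessing list, so its DNS settings should be checked and the password changed.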
Spoofing Wi-Fi networks is a problem, too
Another vulnerability that needs to be worked out before the IoT can flourish is spoofing. VentureBeat contributor Alexandra Gheorghe stated that many IoT devices often automatically connect to any Wi-Fi network that has the same name as the one the gadget was originally set up on. Setting up a look-alike network to exploit this is called spoofing, and it's been done before. We've previously discussed a case where an IoT Barbie automatically latched on to any Wi-Fi network with "Barbie" in the name.
When this happens, the hacker has the ability to intercept any data the user sends via the spoofed network. While this might not have many uses for a child's doll, the implications for a hacked IoT home are much more serious. What's more, spoofing a Wi-Fi network isn't even that hard to do. There is a wide variety of Internet resources dedicated to this technique. In fact, many of these instructions are so comprehensive that even someone with the most cursory computing knowledge would be able to follow them.
Knowledge is power
As always, staying informed on these kinds of attacks is the best way for users to protect their devices. The JS_JITON intrusion relies on users neglecting to change router login credentials, and the spoofing interception exploits the safety problems with IoT devices. Users need to know that setting up unique, hard-to-guess passwords is one of the best ways to fend off cyberattacks.
However, those working on the IoT are going to need to realize that end users don't always follow these best practices. IoT devices are already making their way into many homes, and many of the people who own them simply don't understand the risk they're taking by not changing factory settings. Therefore, it's up to the knowledgeable IT experts creating these gadgets to come up with a fix that protects the data of their customers.
A solution could be as simple as including a prominent piece of paper within the device's packaging warning of the dangers involved in not changing factory login credentials. Regardless, the industry will have to fix these kinds of vulnerabilities before the IoT can be secure enough for widespread use.