IoT’s dark side: Hundreds of unsecured devices open to attack
ATLANTA — A self-described security “amateur” discovered hundreds of Internet-connected devices ranging from cameras to industrial control systems that were connected to the Internet without even basic password protection — meaning they could be easily turned on and off or otherwise manipulated with a single click of a mouse.
“You would be amazed [what] you could find,” Espen Sandli, a journalist at the Norwegian newspaper Dagbladet, told the Computer Assisted Reporting conference Thursday. “The project was made from people who had no idea about data security at the start.”
They began by searching for basic security cameras, such as finding and taking control of a surveillance camera inside a nightclub. After that, they graduated to finding compromised control systems at military installations and railroads. In one case, they found a security company’s list of clients and passwords in the clear online. In another, they could have accessed who was allowed to enter or leave a military building. Another device on the open Internet could have allowed them to switch off a railway fire-alarm system.