How Millions of Digital Home Devices Are Secretly Powering Cyberattacks
The Scope of the Problem
The Wall Street Journal reports on internet-connected devices - and how every year millions of them "can contain a secret digital backdoor that opens up access to your home internet, so that anyone... can surf the web as if they were you." This is especially true for "knockoffs that you buy online."
In a video report this week, they tested two digital picture frames from Amazon and three streaming devices from Walmart "because we heard that they often ship with backdoor software used in cyberattacks. Security experts believe manufacturers are being paid to add this malware, but many people also get tricked into downloading the software onto their phones or computers."
"Within minutes of turning the devices on, there was a surge of internet traffic... Visits to gambling, porn, cryptocurrency and loads of other sketchy web sites started pouring in from users around the world." Remote visitors also tried to access Outlook and Gmail accounts.
The Business of Residential Proxies
Residential proxy companies even rent out access to "tens of millions of home networks around the world," according to the report. "But the problem is actually worse than that. Hackers figured out a way to seize control of these backdoors, and they started taking over these residential networks."
Last month authorities arrested a 23-year-old Ottawa man, saying he'd taken control of more than a million devices to launch some of the largest cyberattacks anyone had ever seen.
Evidence and Scale
After a couple of months, the Journal's reporter collected logs of all the traffic and sent them to an investigator at Comcast, who said both devices were conducting DDoS attacks. Estimates for the number of infected devices range from as low as tens of millions to as high as 500 million-plus.
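The kind of log review the reporter handed to Comcast can be approximated at home. The following is an added example, not code from the Journal, Comcast or any vendor named here: it scans a constructed flow log for the two behaviours the report describes, a device fanning out to many unrelated destinations (proxy relaying) and a device hammering one destination in a short window (DDoS participation). The flow format, the thresholds and the RFC 5737 addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow log (timestamp src dst dst_port bytes); RFC 5737 addresses.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 192.168.50.12 203.0.113.5 443 1200
2024-05-01T10:00:02 192.168.50.12 203.0.113.9 443 800
2024-05-01T10:00:04 192.168.50.12 198.51.100.3 80 640
2024-05-01T10:00:05 192.168.50.12 198.51.100.7 8080 300
2024-05-01T10:00:07 192.168.50.12 192.0.2.44 443 2200
2024-05-01T10:01:00 192.168.50.20 198.51.100.9 80 60
2024-05-01T10:01:01 192.168.50.20 198.51.100.9 80 60
2024-05-01T10:01:01 192.168.50.20 198.51.100.9 80 60
2024-05-01T10:01:02 192.168.50.20 198.51.100.9 80 60
2024-05-01T10:01:03 192.168.50.20 198.51.100.9 80 60
2024-05-01T10:30:00 192.168.50.30 203.0.113.5 443 5000
2024-05-01T10:31:00 192.168.50.30 203.0.113.9 443 7000
"""

def parse_flows(text):
    # One flow per line -> (timestamp, src, dst, port, bytes)
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows

def flag_devices(flows, fanout_threshold=5, burst_threshold=5, window_seconds=10):
    # Returns {device: [reasons]}: fan-out to many distinct destinations looks like
    # proxy relaying; many flows to one destination in a short window looks like DDoS.
    dests = defaultdict(set)                        # device -> {(dst, port)}
    times = defaultdict(lambda: defaultdict(list))  # device -> dst -> [timestamps]
    for ts, src, dst, port, _ in flows:
        dests[src].add((dst, port))
        times[src][dst].append(ts)
    findings = defaultdict(list)
    for dev, pairs in dests.items():
        if len(pairs) >= fanout_threshold:
            findings[dev].append(f"fan-out: {len(pairs)} distinct destinations")
    for dev, by_dst in times.items():
        for dst, stamps in by_dst.items():
            stamps.sort()
            start = 0                               # sliding window over sorted stamps
            for end in range(len(stamps)):
                while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                    start += 1
                if end - start + 1 >= burst_threshold:
                    findings[dev].append(f"burst: {end - start + 1} flows to {dst}")
                    break
    return dict(findings)
```

Run it against an export from a router or firewall that logs per-flow records, keyed by the device's LAN address; the sample flags the picture-frame-like host for fan-out and the streaming-stick-like host for a burst, and leaves the ordinary laptop alone.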
"We've seen nation state attacks launched through these kinds of endpoints, which means your device sitting in your house is part of a nation state attack against another nation state... We've seen ad fraud, we've seen ticket scalping, we've seen financial fraud."
But more importantly: "We have seen some of the largest computer attacks - meaning computers attacking other computers at human request - ever recorded in our digital history in the last several months."
Warnings and Responses
At cybersecurity conferences, some are warning "there are much larger ones on the horizon if we don't get a hold of this problem."
The company making the picture frame "couldn't be reached for comment," while Amazon said it's been out of stock since last year. Both Amazon and Walmart said they take action when they confirm malware on a third-party product.
Community Discussion
IoT Segmentation
It needs to be easier for end users to create IoT VLANs with default restrictions. I am getting to the point where I want to segment my IoT VLAN into different trust zones. Unfortunately there is some crap that has to sit in the "Guest" VLAN (which doesn't address the concern in TFS), but mostly I try to eliminate such products.
Apple had a decent enough solution with their certification for routers for Apple Home being able to restrict how such devices behaved after end of support. But I remember only two or so routers that actually had that cert and at least one stopped getting firmware updates six years ago or something.
Despite having OPNsense as my router and a managed switch, for some reason I never considered separating things on my local LAN subnet until I was working on a remote backup PBS server I was going to put in my daughter's home and wanted it to VPN into my home by default, but I didn't want it to end up on my home subnet. Out came a separate subnet for a DMZ with no access to anything except me being able to access it. Once I did that, I ended up setting up a guest WiFi VLAN and a second VPN subnet for remote access.
Practical Approaches
I periodically go through my network and enumerate every single device. Things like a picture frame do not get internet access. If a smart plug or light or other IoT device needs net, I won't buy it. My TVs don't get internet; they are either on a Roku or a Linux computer. Connected TVs send "home" screenshots. Roku can only scrape what I watch through them, so there's no need to take a screenshot anyway.
I had an Amazon Fire TV Cube with a third-party network dongle to get better bandwidth than WiFi. The dongle kept connecting to Chinese IPs, even when the TV was off for days. That's when I started locking things down. That dongle went in the trash.
If only more people were so nerdily inclined, this would be less of a problem. I wish.
Millions of customers do not care. Some time ago the Fire Sticks started to do more things in the background when you are not watching anything. Literally millions of people have them plugged in 100% of the time. Almost nobody knows. I wonder if someone has already found out what exactly Amazon changed.