Here’s an object lesson on the poor state of the so-called Internet of Things: Robert Stephens plugged a Wi-Fi-connected security camera into his network and it was compromised in… 98 seconds.
Stephens, a tech industry veteran, wasn’t so naive as to do this without protecting himself. It was walled off from the rest of the network and rate-limited so it couldn’t participate in any DDoS attacks.
He monitored its traffic carefully, expecting to see — as others have — attempts to take over the device. But even the most jaded among us probably wouldn’t have guessed it would take less than two minutes.
Ninety-eight seconds after it jumped on the Wi-Fi, the camera was attacked by a Mirai-like worm that knew the default login and password. The worm (its advance agent, really) checked the specs of its new home and then downloaded the rest of itself onto the device and, had Stephens not locked it down beforehand, would then be ready to participate in all manner of online shenanigans.
The camera, a cheap off-brand one from a company that sells smartwatches for $12, isn’t exactly best-in-class. This type of thing could be fixed with a firmware update or, in some cases, by simply changing the default password, but not everyone knows to do that, and even the most tech-savvy people might not get that done in two minutes.
Better-quality devices will almost certainly be better protected against this kind of thing, and may for example block all incoming traffic until they’re paired with another device and set up manually. Still, this is a good reminder that it really is a jungle out there.