The Insecurity of Things: Part 2 – Wagging the Dog

A man is sternly lifting his index finger next to a Scottie dog that is looking away.

Sit, Ubu, Sit…(ruff)…good dog.

NOTE: This is part 2 in a series about the recent DDoS attacks using Internet of Things enabled devices. We look at where manufacturers are culpable in this latest attack.

The Insecurity of Things:
Part 1 – Look into the Mirai – An overview of what happened
Part 2 – Wagging the Dog – What Mirai is really about – security and secure passwords
Part 3 – A Manufactured Problem – The ‘root’ of this lies with the manufacturers – Here’s what they’re doing, and what they need to do

Yesterday, I wrote in part one about the DDoS attacks that we’ve experienced in the last month and what went down to make them happen. In part two, I want to expound on one of the ways we can work to mitigate and or prevent this from happening again: secure passwords and better security.

I subtitled this ‘wagging the dog’ because I feel that’s what’s been happening in the media. They are focused on the result and not the problem. A lot of the titles included phrases like ‘IoT botnet’, ‘Mirai uses IoT to attack’, and the like, putting the focus on the types of devices used, rather than how Mirai gained access. This is about security and proper password and credential management. Period. In the third paragraph of a post on a site called Threat Post, they say how it happened (emphasis mine):

Mirai’s purpose is to continuously scan the public Internet for IoT devices and tries to access them using known default or weak credentials before exploiting and forcing devices to join botnets used in DDoS attacks.

‘Known default or weak credentials’. That was the big contributor to this attack. IoT is the tail. Credentials are the dog. Passwords and usernames were easily guessable. If you’re using one of these 25 common passwords or equivalents, this could have happened to you. Brian Krebs wrote an article after he was attacked about the devices that were identified in the source code of Mirai, the botnet. Here is an image from that article showing the 68 devices, and their credentials:

List of devices attacked in Mirai botnet attack with default usernames and passwords.

From Brian Krebs’ follow up piece on the Mirai DDoS attack.

IoT is the tail.
Credentials are the dog.

It starts with a mind shift. We’ve been thinking about Internet of Things devices as devices that we can access from our phones and control and get data from. Maybe that mindset is the problem. Before, when using my coffee maker, I didn’t have to have a password. So, here’s how I would encourage you to think about Internet of Things and smart home devices: Think of them as physical applications, equivalent to your app for banking or your app for your email, that need the same level of security. Rather than these physical apps being on a computer or phone, they have a real world presence that needs security. This is the most prominent example of our physical and virtual worlds co-mingling. You lock your door with a unique key, why wouldn’t you lock each device with a unique password? In part three, I’ll address what vendors need to do about their default passwords, but today I’ll take a look at what we can do once we own these devices.

What can we do about this?

You’ll note from the list the onus is on the users and manufacturers of these devices. Simply put, when installing a new IoT device, NEVER use the default password and username for it. Using simple passwords like ‘password’ or ‘1234’ is a bad idea when you’re using them for your online accounts, but even worse when you use them for internet-enabled devices like cameras and DVRs. First and foremost for your devices, make strong passwords and change default usernames. Most consumer grade devices have graphical user interfaces for you to work with and change your credentials. In fact, should a REALTOR sell a home with smart devices in it, they should work with the new homeowner to reset ALL of those devices. At CRT Labs, we worked with the Online Trust Alliance to produce a smart home checklist last year. Use this as a way to ensure you are securing these smart devices.

Stronger, better passwords

TLDR; Chris and I spoke about this in our office hours a couple of weeks back. You can take some time to watch that video here (go ahead, I’ll wait):


“What IS that?? Your kid’s birthday and pet’s name for your bank password?? Why don’t you just hand me your wallet and get out of my way!!!!” (Image found here.)

Okay, before we get started on this, I want you to think about me as a password personal trainer. The equivalent of Jillian Michaels, preferably. I will push hard on this. I’m going to ask things of you that you know you should be doing, but haven’t because ‘it’s not easy’ or ‘it’s hard to remember’. Listen, the Internet of Things is coming and you need to get in this habit because there will be BILLIONS of these devices in about 4 years’ time. Anytime you use an insecure password, you are not just exposing your information, but potentially, personal information about your clients. How many documents, contracts, or pieces of personal information of your clients do you have in your email? You need to think of your passwords as you do your keys or keys to a home you’re showing. You don’t just hand those out willy-nilly or make them flat because ‘getting the notches cut means I have to go to the hardware shop and I only like the way that Eddie cuts the keys but Eddie only works on Thursdays’…do you? If you do hand them out, can I have a key? Sorry, got a bit sidetracked. So, what do you do to protect yourself? Here is what you do.

Stronger passwords. Period.

Rather than using personally identifiable information, make your passwords tough. I mean really tough. So tough, you have to change how you think about passwords to remember them. Let me give you some easier to remember examples, followed by harder to remember examples.

So, here is how I like to think about my ‘easier’ passwords. I will take either a song, poem, book or other source material and I’ll look for a line or two that I can remember or memorize. Then what I’ll do is condense that to some letters, numbers and punctuation or symbols to make a password. Let me give you an example. Robert Frost is a poet we all know. The Road Not Taken seems like a good teaching poem for this. Here are the first couple of lines from that poem (please don’t use these two lines to make your password now):

Two roads diverged in a yellow wood,
And sorry I could not travel both

Okay, so, here is what I would do with this:


So, to show you how I put this together, I’ve taken the line of poetry and added highlighting to show what my thoughts were:

Two 2 roads diverged in a yellow wood,
And sorry I could not travel both *1920

You’ll note that I changed the word ‘Two’ to ‘2’ and used the whole word of yellow. I did these to mix it up a bit. The *1920 is also there to add some complexity. The year 1920 was the year this poem was published. I added the asterisk to put another character in there. Please note, this is a minimum I would do for a password. I’m using it for demonstration. The next section will show you how to generate and store more complex passwords using a service.

Get a Password Manager

One of our big recommendations is a password manager. Password managers are applications that you use to store your credentials for your different applications. You have one master password (and you don’t want to forget it, because if you do, you are essentially locked out of your password manager and can’t get back in; you can use the technique above to generate that password). That password is used to unlock your vault of passwords and other sensitive information. Many of these apps make it extremely easy for you to add passwords from all of your accounts. I use one called 1Password. You can find many that were recommended and reviewed by PCMag this year at this link. And guess what, you may have to spend some money. 🙂

Many password managers offer a password generator as part of the software. Here is a password that 1Password generated for me (I’m not using it anywhere):

Here is an image of that password being generated:


To the left, don’t use those. To the right, use that.

You’ll note from my password manager, I can change the number of characters, symbols and numbers and I can also see how strong the password is. My password manager has a browser plugin that makes it easier for me to use these devices on the web. Look at the list provided by PCMag and you can see if there’s one that meets your needs.
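As an added worked example (not code from this post, and not 1Password’s own generator), the script below does in code what the two preceding sections describe. It condenses a memorable line into a password following the steps above (one word swapped for a digit, one word kept whole, a year-based suffix), generates random passwords from the operating system’s CSPRNG the way a manager’s generator does, and flags a credential pair that is a factory default, on a common-password list, too short, or low-entropy. The default-credential and common-password sets are small constructed samples, not the 68-entry Mirai list or the 25-password list linked above; the function names and the length and bit thresholds are my choices. The post’s own derived password appears only in an image that is not reproduced here, so the Frost line is run through the stated steps purely for demonstration.

```python
import math
import secrets
import string

# Constructed illustrative samples (hypothetical): a real audit would load a
# published default-credential list and a large breached-password list instead.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"), ("admin", ""),
    ("root", "root"), ("root", "1234"), ("user", "user"),
}
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "1234",
                    "admin", "letmein", "welcome", "iloveyou"}
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"


def mnemonic_password(line, substitutions=None, keep_whole=(), suffix=""):
    """Condense a memorable line the way the post describes: the first letter of
    each word, selected words swapped for a digit (Two -> 2) or kept whole
    (yellow), and a suffix such as *1920 for extra characters."""
    substitutions = substitutions or {}
    parts = []
    for raw in line.split():
        word = raw.strip(string.punctuation)
        if not word:
            continue
        key = word.lower()
        if key in substitutions:
            parts.append(substitutions[key])
        elif key in keep_whole:
            parts.append(word)
        else:
            parts.append(word[0])
    return "".join(parts) + suffix


def estimate_entropy_bits(password):
    """Search-space size implied by length and the character classes present.
    It assumes every character was chosen at random, so for a password built
    from a known poem it is an upper bound, not a measurement."""
    if not password:
        return 0.0
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        pool += len(SYMBOLS)
    return len(password) * math.log2(pool)


def generate_password(length=20, use_digits=True, use_symbols=True):
    """What a manager's generator does: draw from the OS CSPRNG (never random.*)
    and keep only candidates that contain every enabled character class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase]
    if use_digits:
        classes.append(string.digits)
    if use_symbols:
        classes.append(SYMBOLS)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def assess(username, password, min_length=12, min_bits=60):
    """Audit one credential pair the way a new-device checklist would."""
    problems = []
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        problems.append("factory default username/password pair")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on a common-password list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    bits = estimate_entropy_bits(password)
    if bits < min_bits:
        problems.append(f"estimated search space only {bits:.0f} bits")
    return {"entropy_bits": round(bits, 1), "problems": problems,
            "acceptable": not problems}


if __name__ == "__main__":
    frost = "Two roads diverged in a yellow wood, And sorry I could not travel both"
    demo = mnemonic_password(frost, {"two": "2"}, keep_whole={"yellow"}, suffix="*1920")
    print(demo, assess("admin", demo))          # demonstration only, as the post says
    print(assess("admin", "admin"))             # the kind of pair Mirai looked for
    fresh = generate_password(20)
    print(fresh, assess("admin", fresh))
```

The entropy figure is deliberately an upper bound: it counts characters, not the fact that a poem line is public text, which is exactly why the post calls the mnemonic approach a minimum and points you to a generator for anything that matters.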

By the way, I want to be clear that the responsibility for password security isn’t JUST on you. If you have a bank or service provider that has limits on what you can enter as a password (example, no symbols, or all upper case or no upper case), don’t worry about changing your password. Worry about changing that bank or service provider.

Two-Factor Authentication

Finally, the next step in securing your devices is two-factor authentication. We will dive more into this in a later post, but this is a start. To see if your applications (banks, Dropbox, Google) support 2-factor authentication, you can use this link and search for a specific program. This is where you take something you know (a password) and something you have (a phone) to gain access to applications. In order to do this, you can download apps for your phone, like Google Authenticator. After you’ve set up 2-factor authentication, here’s how it works:

  1. You log in to the site with your username and password (what you know in the 2-factor auth scenario).
  2. The site prompts you to enter a number (typically a 6 digit number) that you will receive either via email or SMS or other means.
  3. Your device (what you have in the 2-factor auth scenario) receives the number from the company.
  4. You enter said number and submit.
  5. You now have access to your account.
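The five steps above describe the authenticator-app form of two-factor authentication; Google Authenticator, mentioned above, computes its codes with TOTP (RFC 6238) on top of HOTP (RFC 4226). What follows is an added example, not code from this post, that implements both sides of that exchange: enrollment producing the shared secret and the otpauth:// URI an app reads from the set-up QR code, the device computing the six-digit code for the current 30-second step, and the site verifying that code only after the password check has passed. The `enroll`, `verify_totp` and `simulate_login` names, the one-step acceptance window and the sample issuer and account are my assumptions; the key `12345678901234567890` in the demo is the RFC’s published test secret, so the printed codes can be checked against the RFC’s own tables.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(key, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to the current time step.
    This is what the phone app computes in step 3 of the post."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key, candidate, at_time, window=1, step=30, digits=6):
    """Site-side check for step 4. Accepts the current step plus `window` steps
    either side (clock drift, typing time) and compares in constant time so the
    comparison itself leaks nothing about the expected code."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    current = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(key, current + d, digits), candidate)
        for d in range(-window, window + 1)
    )


def enroll(issuer, account, key=None):
    """Set-up (hypothetical helper): a random 160-bit shared secret and the
    otpauth:// URI that authenticator apps read from the enrollment QR code."""
    key = key or secrets.token_bytes(20)
    b32 = base64.b32encode(key).decode().rstrip("=")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
           f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")
    return key, uri


def simulate_login(server_key, password_ok, user_code, now):
    """Steps 1-5: something you know (password) then something you have (the
    device's code); the second factor is only consulted after the first passes."""
    if not password_ok:
        return "denied: bad password"
    if not verify_totp(server_key, user_code, now):
        return "denied: bad or expired code"
    return "access granted"


if __name__ == "__main__":
    # RFC 4226/6238 shared test secret, so the output can be checked by hand:
    # counter 0 -> 755224, counter 1 (time 59) -> 287082.
    rfc_key = b"12345678901234567890"
    print(hotp(rfc_key, 0), totp(rfc_key, 59))
    key, uri = enroll("Example Site", "user@example.com")  # constructed names
    print(uri)
    now = time.time()
    print(simulate_login(key, True, totp(key, now), now))
```

Two details matter on the site side: the code is only checked once the password is right, so an attacker with a stolen password still needs the device, and the acceptance window is kept to one step, because every extra step you tolerate is another code an attacker could guess or replay.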

That extra step of having the device and a method for creating a ‘token’ as it were is important. It makes it harder for the baddies to get in. Definitely use it. We’ll need it when we get this Internet of Things thing figured out. Tune in tomorrow to see what we have to say about Internet of Things vendors and what they need to do to make their sites secure. Thanks for reading. Now drop and give me 20 burpees!!

The Insecurity of Things: Part 1 – Look into the Mirai

Picture of a man using a sledgehammer to knock down an arch while standing on top of the arch.

Please, hammer, don’t hurt ’em.

NOTE: This is part 1 in a series about the recent DDoS attacks using Internet of Things enabled devices. We’ll be covering what happened in the DDoS/Mirai attacks in this piece. You can use the navigation below to access the other parts.

The Insecurity of Things:
Part 1 – Look into the Mirai – An overview of what happened
Part 2 – Wagging the Dog – What Mirai is really about – security and secure passwords
Part 3 – A Manufactured Problem – The ‘root’ of this lies with the manufacturers – Here’s what they’re doing, and what they need to do

Well, it’s happened. The Internet of Things did us in. We can’t use it. It’s going to shut us down. My fridge just swallowed my kid.

This past Friday we saw one of the largest attacks on the internet to date, and it was fueled by Internet of Things-connected devices. This means that the Internet of Things is just not ready for prime time…right? Well, it’s more complicated than that. If done right, Internet of Things devices can deliver on the promise. What we’re seeing, however, are gaps not being covered by vendors and those using the products. This happens in emerging spaces very often. I’m not looking to excuse behavior, but only point to how nascent this market is. I’m also in no way looking to blame users on this. Unless we start thinking about how we work with security as consumers and vendors for these devices, we will see this continue. Over the next few days, I’m going to put up a series of posts on how we can do that. Here at CRT, we focus on educating consumers about the Internet of Things, including how they can keep themselves and their devices safe. This first post aims at addressing what happened.

Two large-scale attacks have been unleashed on the internet using Internet of Things-enabled devices. Specifically, these were security cameras, DVRs and storage devices that had default credentials on them and were accessed using software called Mirai. A little over a month ago, this weapon was used to target security researcher Brian Krebs. Last week, you may have noticed that a lot of sites (Netflix, Twitter, Spotify, as well as some real estate sites) were inaccessible or not working properly.

You may have heard of DDoS attacks before. DDoS stands for ‘distributed denial of service’. What happens in a DDoS attack is that hackers use bots (essentially other people’s computers) to send a LOT of traffic at either one particular website or a server. This type of attack puts that website out of commission because it is receiving way more traffic than it can handle, and it causes the site to go down and become inaccessible. As I’d said, the main tool in creating these attacks was other people’s computers. Hackers will gain access to these computers through various means: phishing, viruses, and links on the web that you click on, to name a few. This is why having security software like antivirus and malware scanners is really important.

In this attack, using a program called Mirai (‘Future’ in Japanese), the hackers scanned IoT devices and looked for those devices that had default passwords or hard-coded credentials. When they found matches, they took control of them and used them in their attack. The attack on Brian Krebs’ site saw about 620 gigabytes per second of traffic for a sustained period of time. Luckily, Krebs was working with Akamai (one of the Internet’s largest content provider networks) to keep his site up and they succeeded. Brian notes on his blog that Akamai said this was twice the traffic they’d previously seen in this type of attack.

Moving to last Friday, rather than target one person or site, the target was a company called Dyn. Dyn provides DNS (domain name system) services for the internet. What this means is, for example, when you type in ‘’, it is mapped to an IP address for our site. This mapping helps you get to our site. Dyn does this for countless numbers of sites. Some of their biggest clients were taken down in this attack. According to Dyn, over 10 million device IP addresses* were used to send traffic in the attack. Details are still emerging.

The real issue in both cases is how the attack was carried out. Using the Mirai software (and maybe other bot software) millions of IoT devices were scanned and found to be using default passwords and usernames. Once the devices were under the control of hackers, all they had to do was set up when and where they wanted to attack. This does not mean that the Internet of Things is the problem. What it means is our (vendors’ & consumers’) best practices around security and hardening our devices are the problems.

Tomorrow, we’ll look at what we can do to mitigate and prevent this style of attack.

* UPDATE 10/25/2016 – The difference between IP addresses and devices in this instance is that you can have many IP addresses for one device. So, according to this post on Threat Post, about 550,000 devices are affected by Mirai. Of those, 10% were used in the attack on Friday. This comes to about 50,000 devices sending 10 million requests. 

Photo found on New Old Stock, original photo can be found here.

Online Trust Alliance’s New IoT Checklist

Earlier this year, we worked with the Online Trust Alliance to put together a Smart Home Checklist to use when buying or selling a home with smart devices. In support of National Cybersecurity Awareness Month, the OTA released an IoT Checklist to serve as a roadmap to helping consumers increase the privacy, safety, and security of their internet connected devices.

The IoT Checklist is intended to be used as a yearly audit of the connected devices a consumer owns. The OTA wants these types of checks to become routine, just like changing the batteries on a smoke detector. In their press release, the OTA expressed their “hopes that by having consumers play an active role in their smart device’s security and privacy, it will not only increase the security and privacy of those devices but also boost consumer confidence in them.” One of the biggest barriers to smart home adoption is privacy concerns, and by conducting a yearly check of devices and connectivity, consumer confidence will rise. “For the IoT to thrive in the long term, consumers will have to trust that their data and concerns about personal privacy are addressed, and OTA’s recommendations are a positive step to accomplishing this,” says Washington State Chief Privacy Officer Alex Alben.

For more information, or to download the IoT Checklist, visit

#006 – Things Thursday – Air Quality, IoT risks, & more

Indoor air quality matters. Picture of a plant on a table in a home.

Indoor air quality is a very important metric you can help homeowners understand through smart home devices. These sensors make great closing gifts and can help you stay connected beyond the transaction.

Things Thursday is returning this week with a good amount for you to chew on. We are looking at smart home and internet of things (commonly called IoT) and its impact on your business. We bring news from around the web to you that gives a glimpse into the future. Rather than talk about the shiny baubles that are on the market, we aim to uncover the devices and methods that make the smart home valuable. Today, we look at air quality, new programs for inventors to make devices, and a database of smart home devices on the market.

  1. SmartHomeDB (via SmartHomeDB)
    So, the first listing isn’t an article, but something for you to use. It’s a site called SmartHomeDB. With nearly 1,000 smart home products listed, it’s the largest community-supported smart home database. We’re talking to them about working together on future projects and I think you’d do well to keep an eye on what they’re up to. It’s pretty comprehensive and products from many different manufacturers are listed. Get reviews from peers on here as well as what systems each device works with. This goes deep, so you could easily kill a few hours on this site. I’d recommend to brokers to get some familiarity and use it to drive agent trainings. We have ideas around this and you can reach out to us to discuss how this could happen.
  2. The democratization of innovation for the Internet of Things (via IEEE Spectrum)
    Indiegogo is one of several crowdfunding sites, like Kickstarter. They’ve teamed up with Arrow Electronics to help inventors make smart home devices. In the article, it’s noted that IoT is still emerging and a bit of a waiting game is happening. Because of this, Indiegogo and Arrow are looking to spur innovation in the space. From the piece:

    The partnership involves Arrow combining its design and production platform with Indiegogo’s crowdfunding engine. This combination will make it possible for qualified Indiegogo entrepreneurs to gain direct access to Arrow’s design tools, engineering experts, prototype services, manufacturing support and even supply chain management—a package of benefits that Arrow has valued at $500,000.

    This is a pretty cool idea, and there’s at least one area I can see that needs more work in order to make smart home devices valuable.

  3. Internet of Things (IoT): The risks and wrong approaches (via GroovyPost)
    This article does a great job highlighting the challenges we’ve talked about on this blog and in podcasts and presentations. From security and privacy issues, to device support and end of life of products that you depend on in the home. This is a great counterpoint to the Indiegogo/Arrow article above. This market is emerging and there are going to be challenges. The reason we entered the space is exactly for these reasons. We need to educate you, the members, on these products and also protect your interests. Consumer safety is a huge concern for these devices right now. I get that, and that’s why we are working with Underwriters Laboratories and the Online Trust Alliance to name a few. If you, as a REALTOR®, are going to recommend a product, you need to be certain it’s a quality, safe product.
  4. Which indoor air quality monitors are best and why (via Energy Smart Blog)
    Folks, read this article, please! It is pretty dense and dives VERY deeply into air quality and why it matters. It’s something I was going to write but Energy Smart Home Performance beat me to it. They do a really great job covering the issues around air quality and what it means for your health. They also delve into some environmental quality sensors on the market and what they mean to you. This pairs nicely with the article from The Real Daily a couple months back on indoor air quality. Why it should matter to you is that air quality indoors can be 5-8 times worse than outdoor air quality and we spend about 90% of our time indoors. Think about these sensors as a nice closing gift to a new homebuyer. Look for more from us on this.
  5. Decentralizing IoT networks through blockchain (via TechCrunch)
    Warning: high nerd quotient.
    Okay, you know that know it all in the office who is up on all the new technologies? I want you to read this article, then go and tell them all about it. They’ll most likely spill their coffee. But I digress. Here’s the point of this article in a nutshell. We have smart devices that we can control from our phones and do some cool stuff with them. Cool. But the issue is that the internet of things (or IoT, as you know), is a growing and unwieldy mass of devices that can’t be controlled by paradigms of the past. Our central hub and spoke model doesn’t work because of the sheer scale and need for connection of these devices. So, enter blockchain, which in lay terms allows for the chokepoints of the hub and spoke to be removed. There’s no central point of connection. It’s decentralized and allows for quicker access. This technology is emerging and you may have heard the term blockchain bandied about in real estate, which we are checking out. This could be a piece in the future of transactions for real estate. It is a good nerdy and satisfying read. Check it out.

That’s it for this overstuffed edition of Things Thursday. Have questions? Want us to cover something? Let us know. You can follow us on Twitter @crtlabs or Facebook.

#005 – Things Thursday – New ways to control your smart home, I talk to my desk & more you modo?

Memodo…do you modo?

Well, it’s a great time to be alive. I can draw on a gadget and have my lights go off. Or, I can toss a rock in a bowl and make my shades go down. OR! I can tell my desk to order spanakopita. But, how secure is all this? It’s a wondrous world. Read on and find out.

  1. A universal interface that you control by doodling (via FastCo Design)

    Drawit, a drawable user interface from Marc Exposito on Vimeo.
    Pretty cool looking stuff. I think this would get to be a little challenging after a while, but it fits in our mantra of zero UI: devices responding to your touch on a screen. This reminds me of an MIT project, called Open Hybrid, that turned everyday objects into smart objects with a specific sticker attached to them. There was also a project that let you throw things in a bowl to have specific actions take place, called Memodo on FastCoDesign. The cool thing about Memodo is you can assign different functions for your home to tokens, like, say, your keys. When you toss your keys in the bowl after arriving home, your smart lock on your door could lock. I like it.
  2. How voice interfaces are colonizing our lives, by the numbers (also via FastCoDesign)
    Great presentation by Mary Meeker at the Code Conference yesterday. Voice is definitely going to be huge. According to the article, Amazon has sold nearly 4 million Amazon Echos. We have phones with voice search and cars with voice. Heck, even desks (see #4). It makes sense as an interface as long as it hears you. My favorite fact is about the types of searches they predict will happen by 2020. Good read.

  3. Who owns the data from a smart home? Homeowner, device owner, or a third party? (via The Real Daily)
    Speaking of good reads (and not because we’re mentioned), The Real Daily has a good piece on smart homes and data ownership. This is a great question that we’re grappling with here. They discuss questions of privacy and security that are tough in a space with no standardization and products made by manufacturers who want to be first to market. Check it out!
  4. I have a desk I talk to. Its name is Isabella. (via Me)
    It’s actually called the Autonomous Smart Desk with AI. We have some things to hash out with it, but I do like the price point for the basic desk, which has programmable settings and is very sturdy. It’s only $299! The AI desk can control different smart products and order you food, an Uber or play Spotify. I would wait a bit on the SmartDesk with AI, because, as I said, we have a few questions about it yet and are working to discuss with Autonomous. You can check out how the desk works here:


#002 – Things Thursday – Forget Wearables, Here Come Implantables and Standards!!

Devices like the Michigan Micro Mote could soon be part of a new ecosystem in the Internet of Things space called implantables.


This is a truly mixed bag this week. From implanted devices to government policy. We really threw it around this week. We’re interested in your feedback and questions about smart home technology and would love to

  1. Top 10 Implantable Wearables Soon To Be In Your Body (Via WTVox)
    Forget putting on your Fitbit…what if you had it embedded in your arm and it could stream data to your apps and even your doctor? We’re not that far off. WTVox looks at 10 technologies that are coming that we can wear in us. From smart organs to smart dust like the M3 at the University of Michigan. The point being made here is that wearables are a ‘transition technology’ until we can refine motes to reside in us. There are both positives and negatives to this. I am interested in the verified self, where a chip is embedded that can be used to identify you for purchases, unlocking your door or other security-related devices. It can also be used in the event of a natural disaster to locate people or even for emergencies in office buildings. This is pretty controversial and I’m interested in what your thoughts are.
  2. IoT Challenges to Ponder Before Writing Checks (via RTInsights)
    I like this piece because it aligns nicely with our approach to this space. We think that there is a need for some type of standardization, that data privacy is important and that there needs to be a clearly defined set of use cases. The market will decide and is already pushing for things. Coldwell Banker/CNET’s recent survey shows that by the end of this year, 45% of consumers will have purchased some type of smart home technology. It also shows that 54% of sellers will install smart home tech if it means their homes will sell faster. But what to buy? Our advice is that you want to understand what ecosystem a platform supports. There are a few choices on the market. Amazon Echo ($179) and Echo Dot ($90) can connect to a ton of devices, and Amazon has now made it easier for smart home companies to integrate into the Echo platform. Here are links to see which devices work with Nest, SmartThings, Apple and Wink. One app or control point is much easier than several apps for several devices and it seems these companies are now starting to figure that out.
  3. Looks like President Obama cares about the IoT (via Internet of Business)
    The Department of Commerce is starting to see what it can do about IoT security and privacy. The DoC’s group National Telecommunications and Information Administration (NTIA) is working to determine how the government should be involved in this space, if at all. We’ve been invited to comment on this proposal and will be doing so in the coming month. Do you think the government should be involved in this?
  4. 3 Standards We Need for Smart Home Security (via ITProPortal)
    Again with the standards! Stefan Swanepoel talks about what it will take to have IoT devices adopted by consumers. He even mentions….CRTLabs! He’s right though…consumers are ready for this, but we need to make sure their security and safety are considered. Kudos Stefan!

That’s it for this week. What do you think? Have something you’d like us to cover? Let us know in the comments below!!