LOS ANGELES, Calif. October 31, 2016 – Attorney General Kamala D. Harris is advising Californians to protect their electronic devices from potential hacks and urges Internet of Things (IoT) manufacturers and developers to take immediate steps to help secure home electronic devices against capture by a potential “botnet attack” from a cyber criminal.

The IoT includes connected devices and smart devices, including everyday objects such as webcams, routers, DVRs, lighting, heating, and refrigerators.  A botnet is a network of infected computers, where the network is used by the malware to expand. A botnet attack occurs without the computer owners’ knowledge, and is typically used to send spam emails, transmit viruses, and engage in other acts of cybercrime.

As recent botnet attacks have shown, a greater emphasis on the security of connected devices, with a focus on security-by-design in product development, is urgent and essential. Much is at stake as IoT continues its rapid expansion to an estimated 38 billion connected devices by 2020. Improving the security of these devices will make the Internet safer for all users and reduce the risk of cybercrime.

Last Friday, according to public reports, a botnet of Internet-connected devices was used for a Distributed Denial of Service (DDOS) attack on an Internet infrastructure company called Dyn that acts as an address book for websites. Bad actors allegedly used malware to infect and remotely control IoT devices, without the device owners’ knowledge, and overloaded Dyn with remote requests, making it incapable of responding to any requests to load web pages.  This left millions of people unable to access thousands of websites, including popular websites such as Spotify, Twitter, Netflix, Reddit, AirBnB, and the New York Times, among others.

What is unusual about this recent attack is that tens of millions of everyday household devices were taken over primarily because of the widespread use of factory-default username and password combinations. These factory-default passwords could be found simply by searching online for terms like “default router password username combinations.” Attackers scan the Internet for devices with these factory defaults, then hack in and install malware that allows them to control the devices. They use the newly seized devices to hunt for others to infect with the malware and then collectively use an army of devices to launch attacks that cripple websites, like the DDOS attack on Dyn and one earlier this year on security blogger Brian Krebs.

While the primary responsibility for building security into IoT lies with the industry, individual consumers can also take steps to protect their homes, cars, and personal information from automated scripts searching the Internet for vulnerable devices. To date, manufacturers and developers have not made these steps very clear, and they should update their company websites to help consumers safeguard against and combat botnet attacks.  One easy step for consumers is to change default usernames and passwords to personalized usernames and passwords. Below are some simple steps.

How to Change the Default Password on Your Household Electronics (such as webcams, DVRs, routers, printers)

  • Locate the default login information in the user manual or on the device itself (IP address, username, password). Or search online for “default [router, DVR, webcam] username and password,” then look for the name and model of your device.
  • On your computer or device, use the default log-in credentials to access your account. Follow instructions for changing the username and password.
  • Use a strong password. For more information on safe password practices: https://oag.ca.gov/privacy/safe-password-practices.
  • Turn off or disable unnecessary features and access, such as remote administrative access.

To learn more about how to protect yourself from viruses, hacking and other cybercrimes, please visit the Attorney General’s Privacy Enforcement and Protection Unit website:  https://oag.ca.gov/privacy.