
How Millions of Digital Home Devices Are Secretly Powering Cyberattacks (yahoo.com)

The Wall Street Journal reports on internet-connected devices — and how every year millions of them "can contain a secret digital backdoor that opens up access to your home internet, so that anyone... can surf the web as if they were you." (And this is especially true for "knockoffs that you buy online"...)

In a video report this week they tested two digital picture frames from Amazon and three streaming devices from Walmart "because we heard that they often ship with backdoor software used in cyberattacks. Security experts believe manufacturers are being paid to add this malware, but many people also get tricked into downloading the software onto their phones or computers... Within minutes of turning the devices on, there was a surge of internet traffic... Visits to gambling, porn, cryptocurrency and loads of other sketchy web sites started pouring in from users around the world." (And remote visitors also tried to access Outlook and Gmail accounts...)

Residential proxy companies even rent out access to "tens of millions of home networks around the world," according to the report. "But the problem is actually worse than that. Hackers figured out a way to seize control of these backdoors, and they started taking over these residential networks. Last month authorities arrested a 23-year-old Ottawa man, saying he'd taken control of more than a million devices to launch some of the largest cyberattacks anyone had ever seen."

After a couple of months the Journal's reporter collected logs of all the traffic and sent them to an investigator at Comcast, who said both devices were conducting DDoS attacks. Estimates of the number of infected devices range from tens of millions to more than 500 million. "We've seen nation state attacks launched through these kind of endpoints, which means your device sitting in your house is part of a nation state attack against another nation state... We've seen ad fraud, we've seen ticket scalping, we've seen financial fraud."

But more importantly, "We have seen some of the largest computer attacks — meaning computers attacking other computers at human request — ever recorded in our digital history in the last several months." At cybersecurity conferences, some are warning "there are much larger ones on the horizon if we don't get a hold of this problem."

The company making the picture frame "couldn't be reached for comment," while Amazon said it's been out of stock since last year. Both Amazon and Walmart said they take action when they confirm malware on a third-party product.
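The traffic pattern the report describes, a gadget that suddenly reaches many unrelated destinations and accepts connections from strangers, is something a home-network defender can look for in router flow logs. The following is an added example, not from the WSJ report or this thread; its log format, device names, thresholds and addresses are constructed assumptions.

```python
# Added example (not from the WSJ report or this thread): flag devices whose
# traffic looks like a residential proxy or DDoS node. Log format and
# thresholds are assumptions: "<time> <device> <dir> <remote_ip> <port> <bytes>".
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a picture frame behaving like a proxy and a thermostat
# that only talks to its vendor. Remote addresses are documentation-range placeholders.
SAMPLE_LOG = """\
12:00:01 frame out 203.0.113.10 443 2100
12:00:02 frame in 198.51.100.7 8080 900
12:00:02 frame in 198.51.100.8 8080 800
12:00:03 frame out 203.0.113.11 443 3000
12:00:03 frame out 203.0.113.12 80 2500
12:00:04 frame in 198.51.100.9 8080 700
12:00:04 frame out 203.0.113.13 443 2200
12:00:05 frame out 203.0.113.14 443 1800
12:00:01 thermostat out 203.0.113.50 443 400
12:00:30 thermostat out 203.0.113.50 443 380
12:00:59 thermostat in 192.168.1.20 80 300
"""

def parse_flows(text):
    """Yield (device, direction, remote_ip, port, bytes) per log line."""
    for line in text.splitlines():
        _, dev, direction, ip, port, nbytes = line.split()
        yield dev, direction, ip_address(ip), int(port), int(nbytes)

def proxy_suspects(flows, max_dests=4, max_inbound_peers=1):
    """Per device, count distinct off-LAN destinations and distinct off-LAN peers
    that opened inbound connections; a consumer gadget should need neither many."""
    dests, inbound = defaultdict(set), defaultdict(set)
    for dev, direction, ip, _port, _nbytes in flows:
        if any(ip in net for net in LAN):
            continue  # LAN-side traffic is not evidence either way
        (dests if direction == "out" else inbound)[dev].add(ip)
    suspects = {}
    for dev in set(dests) | set(inbound):
        reasons = []
        if len(dests[dev]) > max_dests:
            reasons.append(f"{len(dests[dev])} distinct public destinations")
        if len(inbound[dev]) > max_inbound_peers:
            reasons.append(f"{len(inbound[dev])} public peers connecting inbound")
        if reasons:
            suspects[dev] = reasons
    return suspects

if __name__ == "__main__":
    for dev, why in proxy_suspects(parse_flows(SAMPLE_LOG)).items():
        print(dev, "->", "; ".join(why))
```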
  • IoT SSID (Score:5, Informative)

    by aaarrrgggh ( 9205 ) on Saturday June 20, 2026 @07:36PM (#66202102)

    Needs to be easier for end users to create IoT VLANs with default restrictions. I am getting to the point where I want to segment my IoT VLAN into different trust zones. Unfortunately there is some crap that has to sit in the "Guest" VLAN (which doesn't address the concern in TFS), but mostly I try to eliminate such products.

    • Apple had a decent enough solution with their certification for routers for Apple Home being able to restrict how such devices behaved after end of support. But I remember only two or so routers that actually had that cert and at least one stopped getting firmware updates six years ago or something.

      • by Moryath ( 553296 )
        The bigger problem is the number of old devices lying around with a ton of open vulnerabilities. Full disclosure to users of the EOL date, and preferably legislation that manufacturers HAVE to provide security updates for compromise vectors, would be a better set of fixes.
    • Did it on my home LAN. It's not too hard on a Synology router. The only thing allowed through is a sprinkler controller's web interface facing inwards. The Synology also has a halfway decent IDS that looks for weird outgoing traffic.
      • The basics are pretty easy to guide someone through, but the maintaining and dealing with tuning what traffic can go to trusted networks gets pretty complicated (especially with IPv6, at least for me). I have a few lazy cop-outs (HomeAssistant server has two interfaces (IoT and LAN) rather than being in its own VLAN with traffic rules to address specific ports and applications. (At one point I had a server VLAN that it sat in, but it has different needs than Influx or the PiHole or the NAS.)

        Proper security

    • Re:IoT SSID (Score:4, Informative)

      by lsllll ( 830002 ) on Sunday June 21, 2026 @12:28AM (#66202262)

      Despite having OpnSense as my router and a managed switch, for some reason I never considered separating things on my local LAN subnet until I was working on a remote backup PBS server I was going to put in my daughter's home and wanted it to by default VPN into my home, but I didn't want it to end up on my home subnet. Out came a separate subnet for a DMZ with no access to anything except me being able to access it. Once I did that, I ended up setting a guest WiFi VLAN, a second VPN subnet for remote access instead of SSH, and a separate VLAN for stuff like Roku which don't do anything but access the internet.

      To be honest, doing the whole thing was somewhat easier than I thought, but nowhere near what a casual, non-technical user would be able to do. The problem is that without an actual VLAN implementation, a "guest" SSID is not ironclad. It just takes more equipment and more know-how to separate things for casual users.

      • One problem you'll run into is when you can't find the Roku remote and need to control it with your phone, which won't be able to find it. mDNS routing may help there but may not work for every device your phone might need to talk to. A minor hassle for people who know networking, an insurmountable hurdle for people who don't.
        • A simple solution for the Roku example is to use HomeAssistant or similar to connect and control.

    • Last router I bought had the option to set up a separate wifi network for IoT devices. This may be such a thing. From memory a rather standard TP-Link. AX50 something.
      • Which may just be a separate SSID for the same subnet, but one that only broadcasts on 2.4 GHz with a 20 MHz width, and with every other feature disabled for compatibility. That's how I've always seen it handled.
    • Then you have the added complication of those devices needing to interact with devices on your trusted VLAN. Which means mDNS forwarding/filtering. Fine for you and me, over the heads of most other users. We would need consumer grade routers that automatically recognize and potentially isolate IoT devices, correctly filter mDNS and other traffic so your phone can still cast to the TV and talk to your vacuum cleaner, and do L7 filtering on the IoT zone's internet traffic. Which also means the device make
  • A searchable list? (Score:5, Insightful)

    by Shakes Fist ( 10502847 ) on Saturday June 20, 2026 @07:51PM (#66202106)
    It would be quite useful to have a database to search and find out what devices I own have been shown as guilty.
    • by Scutter ( 18425 ) on Saturday June 20, 2026 @08:07PM (#66202120) Journal

      No, it's easier to just post a fear-mongering article with no real substance. You can't have people actually *knowing* what tech is compromised or anything.

      • Best to assume electro-tek is compromised ... especially CCP-enabled products ... and act accordingly. Assume that every use of an electronics product ... from full-tower desktop to IoT-light-bulb is the equivalent of walking down a Detroit alley during "devils-night". Even safer is of-course to refrain from buying ANY product made in China. I believe CCP has even installed secret-transmitters in their hand-tools and bat-wing snacks.
    • by tlhIngan ( 30335 )

      It would be quite useful to have a database to search and find out what devices I own have been shown as guilty.

      The problem is that it varies a lot. And basically it comes down to names - things that require internet access especially.

      Things like streaming boxes - if you buy one of those questionable boxes at the mall that claim "never pay for cable again" and such, whilst offering full access to paid content, those may or may not come with a side helping of a VPN endpoint. But it's hard to say because the

  • I do not use Internet of Trifles junk anywhere on my network for what does not exist is not available for exploitation.

    Craving such fecality is pathetic and any consequences deserved because they were invited.

  • Comcast's investigators have the right idea, the devices need to be quarantined in Faraday cages for comprehensive testing. They would know, Comcast owns one of the US's largest FCC registered deployments of Unlicensed National Information Infrastructure band one (U-NII-1) routers. U-NII-1 is everywhere, very little is publicly known about use of the band. These botnet devices could be networked on that range of the spectrum.
    • The summary says they are going thru a home router. It is one of the reasons I refuse to allow things like TSTat's to get a wifi password. I don't know what the thing is doing, so it doesn't get access. I think you are suggesting these pic frames etc are running thru some secret network, which I don't think is what the article is suggesting. They are saying they are running thru your network by contacting a bot master once connected to the network.
      • The Faraday cage rules out the use of a secret network. Without isolating the hardware from all vectors of information, the possibility can't be eliminated. Comcast's testing indicates standard WiFi networking, most digital forensics wouldn't even consider U-NII-1 or secret wireless networks. The WSJ video shows off the Faraday gear, it's an interesting setup.
  • Wishful thinking (Score:5, Interesting)

    by spaceman375 ( 780812 ) on Saturday June 20, 2026 @09:29PM (#66202166)

    I periodically go thru my network and enumerate every single device. Things like a picture frame do not get internet access. If a smart plug or light or other IoT device needs net, I won't buy it. My TVs don't get internet; they are either on a roku or a linux computer. Connected TVs send "home" screen shots. Roku can only scrape what I watch thru them, so no need to take a screen shot anyway. I had an amazon firetv cube with a third party network dongle to get better bandwidth than wifi. The dongle kept connecting to chinese IPs, even when the TV was off for days. That's when I started locking things down. That dongle went in the trash.
    If only more people were so nerdily inclined, this would be less of a problem. I wish.

    • by Anonymous Coward

      Millions of customers do not care. Some time ago the fire sticks started to do more things in the background when you are not watching anything. Literally millions of people have them plugged in 100% of the time. Almost nobody knows. I wonder if someone already found out what exactly Amazon has changed.

    • by mjwx ( 966435 )

      I periodically go thru my network and enumerate every single device. Things like a picture frame do not get internet access. If a smart plug or light or other IoT device needs net, I won't buy it. My TVs don't get internet; they are either on a roku or a linux computer. Connected TVs send "home" screen shots. Roku can only scrape what I watch thru them, so no need to take a screen shot anyway. I had an amazon firetv cube with a third party network dongle to get better bandwidth than wifi. The dongle kept connecting to chinese IPs, even when the TV was off for days. That's when I started locking things down. That dongle went in the trash.
      If only more people were so nerdily inclined, this would be less of a problem. I wish.

      The big problem is it's easy to make a device that looks for open WIFI networks in order to connect to the mothership. This is made even easier by the fact that a lot of modern WiFi routers allow for WPS, which often lets you connect without having to enter a password. Sure you can disable it on your side... but what about your neighbours.

      Short term solution is not to buy devices that have Wifi built in (I'm looking for a new washing machine and it looks like I'm limited to the cheap models), long term s

  • Welcome to 1995.

  • You wanted cheap Chinese electronic products? Ha Ha ... your personal data has become the cheap CCP-enabled product.
  • This is easy to fix.

    We need an enforced standard demanding all traffic that does not have to be encrypted (e.g., anything other than payment details or PII) be visible to the person using or paying for the computer.

    Home users could actually see what traffic is being sent over their home networks.

    Right now, device manufacturers encrypt things like "The refrigerator's average temperature has been 40 degrees F, and the door opened 20 times in the last 48 hours." These manufacturers pay fake consumer rights act

    • That just puts you at odds with anyone who doesn't want their ISP to see the content of their traffic. What about requiring manufacturers to publish a list of every service address to which their devices need to connect, and what those services are for? Routers could check that list and block/allow traffic as necessary or according to a user's restrictions.
      • I have no problems with your suggestion.

        I can predict that some of those IP addresses will change, and that will be annoying.

        • Naturally, but they should all be URLs, not addresses. Then it's just a DNS problem.

          It should also help get manufacturers to stop trying to hardcode IPs in their firmware. Dumb idea, or at least stupidly-over-optimistic in the assumption that the IP will never change.
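The allowlist idea proposed in this sub-thread, as an added example (not from the thread or any manufacturer): per-device hostname allowlists checked against DNS queries from the IoT VLAN, with subdomains of a listed name allowed, lookalikes that merely contain it rejected, and devices without any published list denied by default. The device map, hostnames and log lines are constructed.

```python
# Added example (not from this thread or any vendor): enforce a per-device
# allowlist of service hostnames against DNS queries from the IoT VLAN.
# Device map, lists and log lines are constructed; "<time> <client_ip> <qname>"
# is an assumed log format.
from ipaddress import ip_address

# Hypothetical manufacturer declarations: each service hostname and its purpose.
DEVICE_POLICY = {
    "thermostat": {"api.thermo.example": "telemetry/control",
                   "fw.thermo.example": "firmware updates"},
    "frame": {"sync.frame.example": "photo sync"},
}
DEVICE_BY_IP = {ip_address("192.168.20.11"): "thermostat",
                ip_address("192.168.20.12"): "frame",
                ip_address("192.168.20.13"): "unknown-plug"}

SAMPLE_DNS_LOG = """\
12:01:00 192.168.20.11 api.thermo.example
12:01:05 192.168.20.11 eu.fw.thermo.example
12:01:09 192.168.20.12 sync.frame.example
12:01:10 192.168.20.12 unlisted.example
12:01:11 192.168.20.12 sync.frame.example.evil.test
12:01:12 192.168.20.13 time.example
"""

def allowed(qname, policy):
    """Exact match or subdomain of a listed name; a lookalike that only
    contains the name (sync.frame.example.evil.test) does not qualify."""
    q = qname.rstrip(".").lower()
    return any(q == host or q.endswith("." + host) for host in policy)

def audit(log_text, by_ip=DEVICE_BY_IP, policy=DEVICE_POLICY):
    """Return (device, qname, reason) for every query that should be blocked."""
    verdicts = []
    for line in log_text.splitlines():
        _, client, qname = line.split()
        dev = by_ip.get(ip_address(client), "unregistered")
        rules = policy.get(dev)
        if rules is None:
            verdicts.append((dev, qname, "no published service list: default deny"))
        elif not allowed(qname, rules):
            verdicts.append((dev, qname, "not on manufacturer's list"))
    return verdicts

if __name__ == "__main__":
    for dev, qname, why in audit(SAMPLE_DNS_LOG):
        print(f"block {dev} -> {qname}: {why}")
```

Because matching is by hostname rather than address, the vendor can move a service to a new IP without breaking the policy, which is the point made about hardcoded IPs above.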
