By Ritesh Chopra, Country Manager, Consumer Business Unit, Symantec, India
The IoT space is buzzing with a new breed of innovations expected to take it to its much-awaited glory. Many people picture smart thermostats and virtual assistants that respond to voice commands, but the IoT is primarily composed of commonly used devices such as home routers, DVRs, and internet-connected cameras.
The surge in innovation, availability and adoption has made IoT an attractive target for hackers and has made the “insecurity of the Internet of Things” a cause for concern. There is much less security for attackers to overcome when trying to take over an IoT device. Unlike a desktop computer or laptop, which will typically have security software installed and receive automatic security updates, an IoT device’s only protection may be an easily guessed default user name and password.
Attacks using IoT devices also lower the barriers to entry for cyber criminals. First, security is often not a priority for the device manufacturer. This leads to poor practices such as the use of default passwords and open ports, which users do not, or cannot, change. Secondly, IoT devices typically don’t have built-in mechanisms to receive automatic firmware updates, resulting in vulnerabilities being left unpatched. Lastly, they are often forgotten about once installed. This means that their owners are unaware when devices are being used for malicious purposes and have little incentive to apply firmware updates.
Towards the end of 2016, the Mirai botnet, which is made up of a “zombie army” of IoT devices, was used in a number of high-profile distributed denial of service (DDoS) attacks. A large-scale attack on DNS provider Dyn demonstrated how easy it was to create a large botnet and disrupt major websites such as Netflix, Twitter, and PayPal. The Dyn attack also revealed the existence of Mirai to the world at large. While it is difficult to definitively state how many Mirai-infected devices are out there, many of the figures quoted are quite staggering.
While Mirai’s sole purpose was to launch DDoS attacks, malware on a wireless router could conceivably lead to personal information—including user names, passwords, and financial data—being stolen. Infected IoT devices could also be used as a stepping-stone to attack other devices in a private network. It could also mean that a device belonging to you could participate in a global botnet that plays a role in taking down websites or services.
The attack showed how powerful a DDoS attack using IoT devices could be and raised questions about what it might mean if attackers decided to target industrial control systems or critical national infrastructure.
As the profile of IoT devices changes and connected cars and connected medical devices become more commonplace, attacker motives are also likely to change.
In late 2015, Symantec established an IoT honeypot to track attack attempts against IoT devices. Data gathered from this honeypot shows that IoT attacks are gathering steam and that IoT devices are firmly in the sights of attackers.
Gartner estimates that there will be more than 20 billion IoT devices in the world by 2020. Though there is no one way to fix a complex problem like this, risk-based baseline security standards are part of the solution. Regulation of the IoT industry to ensure that security is a core consideration in the design and manufacture of IoT devices will be a great place to start.
In the meantime, consumers of IoT devices can consider the following best practices:
- Research the capabilities and security features of an IoT device before purchase.
- Perform an audit of IoT devices used on your network.
- Change the default credentials on devices. Use strong and unique passwords for device accounts and Wi-Fi networks.
- Don’t use common or easily guessable passwords such as “123456” or “password.”
- Use a strong encryption method when setting up Wi-Fi network access (WPA2).
- Many devices come with a variety of services enabled by default. Disable features and services that are not required.
- Disable Telnet login and use SSH where possible.
- Modify the default privacy and security settings of IoT devices according to your requirements.
- Disable or protect remote access to IoT devices when not needed.
- Use wired connections instead of wireless where possible.
- Regularly check the manufacturer’s website for firmware updates.
- Ensure that a hardware outage does not result in an unsecure state of the device.
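
The audit and Telnet items in the list above can be checked with a short script. The following is an added example, not code from Symantec or the original article: it tests each device in an inventory of your own network for Telnet (TCP 23) and SSH (TCP 22) listeners and reports which checklist action applies. The device labels, addresses and function names are constructed for illustration.

```python
import socket

# Standard TCP ports for the two login services named in the checklist.
SERVICES = {23: "telnet", 22: "ssh"}


def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def audit_device(host, services=SERVICES, timeout=1.0):
    """Check one device; return (sorted open service names, advice)."""
    found = sorted(name for port, name in services.items()
                   if port_open(host, port, timeout))
    if "telnet" in found and "ssh" in found:
        advice = "disable Telnet login; SSH is already available"
    elif "telnet" in found:
        advice = "Telnet is the only remote login: disable or restrict remote access"
    else:
        advice = "no Telnet listener found"
    return found, advice


def audit_inventory(inventory, services=SERVICES, timeout=1.0):
    """inventory maps a device label to its address on your own network."""
    return {label: audit_device(addr, services, timeout)
            for label, addr in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory: replace with the addresses of your own devices.
    inventory = {"router": "192.168.1.1", "camera": "192.168.1.20"}
    for label, (found, advice) in audit_inventory(inventory).items():
        print(f"{label}: open={found or 'none'} -> {advice}")
```

A closed port here only means the device is not listening on that port from where the script runs; it does not show that default credentials have been changed.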