By Editor
Something major happened in October. Internet of Things (IoT) devices were exploited by cybercriminals and turned into a rogue and malevolent army. A series of distributed denial of service (DDoS) attacks affected websites connected to the cloud-based internet performance management company Dyn, including Amazon, Twitter, Reddit, Spotify and PayPal. It’s possibly a watershed moment.
“We have been shown just how vulnerable the internet – which is now an integral part of the critical infrastructure of the US and many other countries – is to disruptive abuse conducted at scale, by persons whose identity is not immediately ascertainable,” ESET’s Stephen Cobb concluded in his analysis of the event.
Now, with Christmas upon us and the increasingly volatile world markets never more dependent upon online transactions, everyone is desperate to stop repeat attacks.
1. Wait, what’s IoT?
Definitions vary, but the ‘Internet of Things’ refers to ‘smart devices’ like refrigerators that will tell us when we’re out of milk, and also to many smaller, less outlandishly smart objects, such as thermostats, coffee machines and cars. These gadgets are embedded with electronics, software, sensors and network connectivity so that they can connect to the internet.
2. So, what’s the problem?
Anything that connects to the internet, even if it doesn’t contain your medical records, poses a risk. The October 21st attacks were made possible by the large number of unsecured internet-connected digital devices, such as home routers and surveillance cameras.
The attackers infected thousands of them with malicious code to form a botnet. Now, this is not a sophisticated means of attack, but there is strength in numbers. They can be used to swamp targeted servers, especially if they march in all at once.
3. How did the attacks actually happen?
Remember that bit in the instruction manual where it told you to change the default password? Well, if you didn’t, then chances are your IoT device could spring to life as a cyber zombie. The DDoS attackers know the default passwords for many IoT devices and used them to get in. It’s a bit like leaving your house keys under a flowerpot for anyone to find.
Anyone putting an IoT router, camera, TV or even refrigerator online without first changing the default password is enabling attacks of this type. Recent ESET research suggests at least 15% of home routers are unsecured – that’s an estimated 105 million potentially rogue routers.
4. Wait, do I need IoT devices?
Some people dismiss IoT devices as gimmicky; others believe that in a few years we’ll all have smart cupboards that tell us what we can have for dinner. But there are numerous discernible benefits, such as the sensors in smartphones and smartwatches that provide real information about our health, or the “blackbox” telematics in cars which can prove how safe or unsafe our driving is and thus help with insurance claims.
5. So, this is a new problem?
Nope. The possibility for exploitation of this kind has been common knowledge since, well, the dawn of the IoT. But we didn’t realize quite how vulnerable we were until October. Malicious code infecting routers is nothing new, as this ESET research clearly demonstrates.
The advice to change the default passwords on these devices is definitely not new and has been reiterated many times. Yet you can lead a horse to water, but you can’t make it drink. Two years ago WeLiveSecurity reported on the existence of 73,000 security cameras with default passwords.
6. How far does it go back?
The IoT actually goes back as far as the 1980s, albeit in a slightly Back to the Future form: researchers at Carnegie Mellon University first came up with an internet-connected Coke vending machine in 1982.
7. Surely, internet giants have the power to stop this?
Sure they do. But that doesn’t mean some of them haven’t left gaping holes available for malicious exploitation. At the Black Hat security conference last year, security research students from the University of Central Florida demonstrated how they could compromise Google’s Nest thermostat within 15 seconds.
Daniel Buentello, one of the team members, was quoted as saying in 2014: “This is a computer that the user can’t put an antivirus on. Worse yet, there’s a secret backdoor that a bad person could use and stay there forever. It’s a literal fly on the wall.”
8. What can I personally do to stop this?
Look at IoT devices like any other computer. Immediately change the default password, check regularly for security patches, and use the HTTPS interface whenever it is offered. When you’re not using the device, turn it off. If the device has other connection protocols that are not in use, disable them.
These things might sound simple, but you’d be alarmed by how easy it is to opt for convenience over good sense. Only half of respondents to this ESET survey indicated that they’d changed their router passwords.
9. What can companies do to stop this?
You might think, ‘What’s the point? If an attacker can breach Amazon, then what hope does my firm have?’ Well, don’t give up hope. Organizations can defend against DDoS attacks in a range of ways, including strengthening their network infrastructure and ensuring complete visibility of the traffic entering and leaving their networks, which helps detect DDoS attacks early, while also making sure they have sufficient DDoS mitigation capacity and capabilities. Finally, have a DDoS defense plan in place, keep it updated and rehearse it on a regular basis.
Think of it like a fire drill for your network. Also, watch out for Telnet servers. These are the dinosaurs of the digital universe and as such should be extinct, because they’re so easily exploited. Never connect one to a public-facing device.
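The traffic-visibility advice above (sections 8 and 9) is easiest to see on concrete data. The following is an added example, not code from the original article or from ESET: it runs two simple defender checks over constructed flow records, flagging any Telnet use at all and any time window in which one destination is hit with a high aggregate packet rate from many sources, the signature of a botnet-driven flood. The record format, thresholds and IP addresses are assumptions for illustration.

```python
"""Two simple flow-record checks for IoT-related trouble (added example)."""
from collections import defaultdict

TELNET_PORT = 23

# Constructed sample flow records, not real traffic:
# (time_seconds, src_ip, dst_ip, dst_port, packets)
SAMPLE_FLOWS = [
    (0, "192.168.1.20", "203.0.113.10", 443, 40),
    (0, "192.168.1.21", "203.0.113.10", 443, 35),
    (1, "192.168.1.22", "198.51.100.5", 23, 3),    # a camera talking Telnet
    (10, "10.0.0.11", "203.0.113.10", 53, 900),   # many hosts, one target,
    (10, "10.0.0.12", "203.0.113.10", 53, 950),   # same few seconds
    (10, "10.0.0.13", "203.0.113.10", 53, 880),
    (10, "10.0.0.14", "203.0.113.10", 53, 910),
    (11, "10.0.0.15", "203.0.113.10", 53, 905),
]


def telnet_flows(flows):
    """Return (src, dst) pairs that used Telnet; each one deserves a look,
    because a device that speaks Telnet is exactly what the article warns about."""
    return [(src, dst) for _, src, dst, port, _ in flows if port == TELNET_PORT]


def ddos_candidates(flows, window=10, pps_limit=100, min_sources=3):
    """Bucket flows by (destination, time window) and flag buckets whose
    aggregate packets-per-second exceed pps_limit and that involve at least
    min_sources distinct senders. Requiring many senders separates a flood
    from a single busy client, which a plain rate threshold would also catch."""
    buckets = defaultdict(lambda: {"packets": 0, "sources": set()})
    for t, src, dst, _, pkts in flows:
        bucket = buckets[(dst, t // window)]
        bucket["packets"] += pkts
        bucket["sources"].add(src)
    alerts = []
    for (dst, w), bucket in sorted(buckets.items()):
        pps = bucket["packets"] / window
        if pps > pps_limit and len(bucket["sources"]) >= min_sources:
            alerts.append({"dst": dst, "window": w, "pps": pps,
                           "sources": len(bucket["sources"])})
    return alerts


if __name__ == "__main__":
    print("Telnet flows:", telnet_flows(SAMPLE_FLOWS))
    for alert in ddos_candidates(SAMPLE_FLOWS):
        print("Possible flood:", alert)
```

On the constructed data the Telnet check reports the camera, and the rate check reports only the second window, where five hosts together push 454.5 packets per second at one destination.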
10. But … and this is a big but …
The tech might have been around for a while, but these kinds of attacks are brand new. As such there are no agreed best-practice protection methods for stopping an IoT device from turning against you.
At least, not ones that the experts can agree on. Some believe you should put a firewall in front of the devices in your home or business and restrict control of them to authorized users. Another approach is certificate-based: allow only users holding the right security certificate to control the devices and automatically bar any unauthorized profiles. If in doubt, unplug it.