Two weeks ago, there was a record-breaking DDoS (distributed denial of service) attack that utilized 145,000 compromised security cameras and DVRs to take down the security news website http://krebsonsecurity.com. On Friday, October 21st, there was another DDoS attack targeting Dyn, a major DNS provider. This attack crippled many popular websites and services. Details are still scarce, but the attack appears to have utilized a botnet of which a significant part was made up of compromised IoT devices. While DDoS attacks simply disrupt services and do not breach or compromise data, in theory, a compromised device could be used to allow an attacker direct access to your local network. From there they could attempt to access any data or device residing on the same network.
The term “Internet of Things”, abbreviated IoT, was coined in 1999 by Kevin Ashton while working at Auto-ID Labs on RFID technology. The Internet of Things is the integration of network and internet support into everyday items. These are often referred to as “smart home” or “home automation” devices. You may already have one or more of these devices in your home, like a smartphone-controlled thermostat, a security camera, or an internet-connected refrigerator. IoT devices can offer energy savings and convenience that are enticing to consumers. They also present an enticing target for hackers.
IoT devices are vulnerable due to a lack of technical and security standards in the IoT field. IoT devices utilize at least 14 different communications technologies, some of which are proprietary, while others utilize existing communications platforms. In addition, there are no specific requirements to provide firmware or security updates for these devices. This lack of standards enables hackers to exploit individual devices, as well as control many devices to form a botnet that can be used to launch further attacks.
IoT devices like your TV, DVR or baby monitor typically do not offer much in the way of security. Unlike your PC, IoT devices typically will not have a firewall or any form of malware prevention. Nor do they typically have an easy way to detect if they have been compromised. If these devices support firmware upgrades, it may be possible to patch the security holes that allowed them to be compromised. Unfortunately, not all IoT devices support firmware updates or have a vendor that continues to release firmware updates. To further complicate matters, devices that do support firmware updates often require manual installation.
Most of these devices are “set it and forget it” with minimal security options. The types of data collected and security of that platform will vary by vendor, but rarely can a user configure more than a username and password. Again, since there is a lack of security standards, the risk will vary by vendor. Even in cases where a compromised device does not lead to data theft, it can be used as a proxy or in a botnet for other malicious purposes. The compromised device may use large amounts of bandwidth, which will slow your internet speeds.
I don’t want to scare you away from IoT devices, but rather educate you on the potential risks. It’s difficult to measure how exposed we are to security risk via our IoT devices, and the convenience may outweigh the risk for some people. We suggest you research the security of IoT devices. Then, at a minimum, change the default device passwords. If you do not need a device’s internet features, do not connect it to the network at all. That said, we do not recommend installing everything you can find that is IoT capable. After all, do you really need a dishwasher that automatically orders detergent when you run low?
Important Note: Business networks require a higher level of security due to the volume and nature of financial and customer data businesses collect. Your company may also be subject to laws and regulations like PCI and HIPAA that have specific security requirements. We recommend speaking with your IT consultant before adding any network capable device to your infrastructure.
If you would like more information about Friday’s internet disruption, watch this short interview.