Holidays Bring Cheer and Botnet-Driven Tears
IoT devices make great gifts, but poor security can make them ripe for attack.
With the holiday season upon us, many will be opening the latest technology gifts and becoming the lucky recipients of IoT devices to power, protect and provide entertainment in their homes. Connected device sales are expected to hit 600 million units in 2017, according to the Consumer Technology Association. This is on top of all the devices already in place.
Why should this concern enterprises? Those 600 million internet-connected devices could add new processing power to already-potent botnets, which are used to launch distributed denial-of-service (DDoS) and other malicious attacks against corporations and internet providers.
IoT’s Bad Rap
Not all Internet-connected devices are bad, but the history of shoddy security in consumer-oriented gear isn’t great. There are the internet-connected security cameras that were used in the Mirai Botnet attack, which took down a major DNS provider in 2016. The cameras were found to have admin password data hard-coded on the device, making them easy pickings for attackers.
Mirai was just the start. There have been new botnets discovered in 2017—such as Leet and Reaper—that are more insidious. Reaper, for instance, uses known software vulnerabilities in its attempts to gain control over a system and then spread further into networks.
And it’s not traditional electronics that are the problem. Earlier this year, London’s National Cyber Security Centre demonstrated how attackers could gain control of the Cayla doll—a child’s toy—to record video and audio without the user’s consent. It could even be leveraged to open smart locks.
IoT Vendors on Notice
Many of the vendors of these consumer IoT devices do not come from IT backgrounds. While it’s relatively easy to add connectivity to just about any given device, it’s not as easy to secure that device. This is particularly the case when one is trying to make it easy for less technical consumers to use a product without too many hassles.
Vendors of anything internet-connected need to continue to step up their security efforts. While they may not consider themselves “IT”, they need to employ methods like application security scanning to uncover vulnerabilities in their code and use stronger authentication systems on their devices. They also need to figure out better ways to alert device owners that critical patches are available and make it easy to install these patches.
Enterprises Take Heed
Enterprises can take steps to protect themselves as well, by deploying systems to detect and deflect DDoS traffic.
It’s imperative to monitor systems from a security perspective (Are user accounts doing odd things at odd times?) and an infrastructure perspective, to sniff out any rogue activity that hijacked devices might be involved in.
Carnegie Mellon University’s SEI Blog has more information on how to prevent and respond to DDoS attacks.
Help on the Home Front
Security practitioners can help this holiday season, too. When a family member or friend shows off their shiny new IoT device, offer to help configure it, check its security settings and see if any patches need to be applied. It’d be a good idea to do a little Googling as well, to make sure the manufacturer isn’t on the naughty list when it comes to security practices in its products.