Cybercriminals are always on the lookout for the next opportunity, and are frustratingly good at identifying the kind of vulnerabilities that crop up around the leading edge of technological advancement. Before doors can be closed, locks put in place, or security considerations addressed, they grab what they can, leaving the cybersecurity industry scrambling to catch up.
As the Mirai botnet continues to wreak havoc on systems across the world, it’s time to take a closer look at the conditions that have allowed such threats to become so powerful, smashing records set by previous DDoS attacks.
According to many industry experts, the major culprit behind this kind of attack is the Internet of Things, the network of connected devices comprised of everything from wearables to DVRs to refrigerators. This massive collection of IP-enabled appliances is largely unsecured, with many units shipped containing default passwords easily discovered by cybercriminals.
Once these criminals have access, they can use the devices in a botnet powerful enough to take down even the largest websites, or simply hijack the device itself. That might not have huge consequences for your refrigerator, but what about your webcam, your baby monitor, or even your pacemaker?
Security concerns are not limited to the consumer world, either. According to Gartner research, 43% of businesses are either using or plan to implement the IoT in 2016. That has some serious implications, as they also predict that “by 2020, 60 percent of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk.”
With this in mind, it seems quite an oversight to produce technology with such shoddy protections. So the question is, how and why does this happen?
Most IoT Devices Don’t Have the Capability
One key issue is that many IoT devices simply do not have the ability to automatically retrieve and install security patches, and outdated software can leave your system vulnerable to attack. So unless the owner of the device is somehow able to implement a patch, the device will most likely remain insecure as new bugs crop up.
“One, sensitive personal information is transmitted in the clear, for anyone on the local network and upstream network to eavesdrop on. And two, IoT devices cannot be sure they’re communicating with the real and correct vendor-supplied web applications or mobile apps.”
IoT Devices Have Become a Target
IoT devices are particularly susceptible because cybercriminals see this vulnerability, and are working to exploit it. The Mirai botnet is constantly scanning for connected IoT devices, and testing its long list of login credentials to try and match the typical default or weak passwords built into these devices.
Intrusions Are Hard to Detect
Most IoT devices have no way of detecting when an intrusion has occurred, and thus neither do the owners of these devices. These owners, most of whom have no idea how to even begin assessing device security, are unaware that their device has taken part in a large botnet attack, or that the device itself is being used for malicious purposes, such as a webcam used to spy on the owner.
The IoT Is Growing More Quickly Than Manufacturers Can Manage
The major problem with the IoT is not just the technical challenge of adding security features, but rather the fact that the IoT is simply growing too quickly. Not only would the technical requirements for additional security set back current production, but many users, and thus many manufacturers, simply don’t care enough to do anything about it.
According to Gartner, the number of connected devices could reach as many as 13.5 billion by 2020, and unless a radical shift in security occurs soon, trying to secure the IoT at that point will be a bit like shutting the stable door after the horse has bolted.
So How Can We Fix This Flaw?
We can significantly reduce IoT vulnerability in the same way we fix security flaws in any computer: enable devices to accept and implement routine, automatic updates to protect against malware. Manufacturers need to build in capability for these updates, and also make one additional fix: randomize passwords for each device. When every single unit can be accessed with the same information, that is a big problem.
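The per-device password fix described above, sketched as an added example (not code from this article or from any manufacturer): each unit gets its own random password, the device stores only a salted hash, and an audit flags any units in a batch that share a credential. The function names, serial numbers, alphabet and PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Assumed label alphabet: look-alike characters such as 0/O and 1/l/I are
# left out because the owner reads the password off a sticker and types it.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 200_000  # assumed work factor, tune to the device's CPU


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision_unit(serial: str, length: int = 16) -> tuple[str, dict]:
    """Return (label_password, device_record) for one unit.

    The plaintext is printed on that unit's label only; the record
    flashed to the device stores a per-unit salt and the derived hash.
    """
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    salt = secrets.token_bytes(16)
    return password, {"serial": serial, "salt": salt, "hash": _hash(password, salt)}


def verify_login(record: dict, attempt: str) -> bool:
    """Check a login attempt against the stored hash in constant time."""
    return hmac.compare_digest(_hash(attempt, record["salt"]), record["hash"])


def shared_credentials(labels: dict[str, str]) -> list[list[str]]:
    """Audit a batch: return groups of serials that share one password."""
    groups = defaultdict(list)
    for serial, password in labels.items():
        groups[password].append(serial)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    # Constructed serial numbers for a small batch.
    batch = {s: provision_unit(s) for s in ("CAM-0001", "CAM-0002", "CAM-0003")}
    labels = {s: pw for s, (pw, _) in batch.items()}
    print("shared in new batch:", shared_credentials(labels))
    # Constructed legacy batch where every unit shipped with one password.
    legacy = {"DVR-0001": "factory-pw", "DVR-0002": "factory-pw"}
    print("shared in legacy batch:", shared_credentials(legacy))
```

Because each record carries its own salt and hash, reading the credential out of one unit's firmware gives no way into any other unit.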
The best way for consumers and businesses to encourage tighter security in IoT devices is to vote with their dollars, purchasing these items from manufacturers that are dedicated to eliminating the vulnerabilities seen in so many devices. And whenever possible, change the default passwords that come with each device.
One additional solution, suggested by data management firm Axway, is to gain control through API management, which would allow companies to more closely monitor how the data on these devices are being accessed. For example, “an API management system could be used to enforce privacy controls, to ensure that no identity is linked to the data stored by the service provider.”
IoT security is an ongoing concern, and as these devices become more and more ingrained in our daily life, the security and privacy issues will only become more pronounced. Recent events such as Mirai’s takedown of Dyn have only served to highlight the problem, and we will most likely begin to see an increased push for IoT security in the coming months. Hopefully we’ll soon be able to close the door on this vulnerability, so that we can be more prepared for the next one that comes along.
Written by Luke Robbins