It's Time to Unplug the Insecure IoT

Hackers have proven what security experts have been warning us about for years—that they can conscript insecure Internet of Things devices to do their bidding. It's past time for all players in the IoT ecosystem, from manufacturers to consumers, to address vulnerabilities.
By Mary Catherine O'Connor
Oct 24, 2016

Unless this is the first bit of tech news you've read since last week, you probably already know that hackers unleashed a massive Distributed Denial of Service (DDoS) attack on Dyn, a New Hampshire-based domain name system provider, last Friday. More accurately, there were three separate attacks, the first happening at 7 AM ET, which only affected East Coast servers, followed by a second attack that spread the damage to the West Coast. A third wave, according to Dyn, was unsuccessful. The hackers leveraged internet-connected cameras and other devices to create a botnet that perpetrated the attack. In other words, the Internet of Things took down parts of the internet on Friday.

Dyn says it is still analyzing the attack, but confirmed that the botnets were created with malware called Mirai. This Mirai-based tactic should surprise zero internet security researchers, because Mirai is the malware that hobbled KrebsOnSecurity.com, the website of Brian Krebs, an investigative reporter who covers cybersecurity, last month. After that then-unprecedented attack, the Mirai code was posted to the internet. So it was only a matter of time before it was used again.

"We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack," wrote Kyle York, Dyn's chief strategy officer, in a post about the attack.

Brian Krebs spoke with Allison Nixon, the director of research at security research firm Flashpoint, who, in a piece Krebs posted on Friday, said the Dyn attack involved mainly compromised DVRs and IP cameras made by Chinese hi-tech company XiongMai Technologies, which makes components sold to vendors who use them in consumer-facing products.

Krebs wrote that "…many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet. That's because while many of these devices allow users to change the default usernames and passwords on a Web-based administration panel that ships with the products, those machines can still be reached via more obscure, less user-friendly communications services called 'Telnet' and 'SSH.'"

For years, security experts have been raising alarms regarding the low level of security with which many IoT devices are deployed. Security researchers even showed that they could hack into some internet-connected baby monitors, enabling a chilling new form of home invasion: watching a live video stream from inside children's nurseries. Manufacturers of such devices that were exposed as being highly insecure issued patches or discontinued sales, but some of those cameras are likely still in use. Once a product is out in the world, it can be very difficult to retroactively address its security vulnerabilities.

This is probably not the last time insecure IoT devices—some that have shockingly obvious factory-default logins and passwords, such as "admin" and "12345"—will be forced into service to do a hacker's bidding. But unlike past attacks, Friday's DDoS impacted many Americans (including this Twitter user), even if only for a short amount of time. Important news sites, including The New York Times, were inaccessible, and some users had difficulty logging onto PayPal. So while the attack affected people only for a very short amount of time, its sting is perhaps strong enough to push the security of IoT devices—especially of things like IP video cameras or other devices that are increasingly popular among consumers—into the national discussion.

© Copyright 2016 RFID Journal LLC.