Surviving the IoT Cyberattack Pandemic

Assess your risks, secure your firmware and comply with the ever-changing regulatory landscape.
By Ronald E. Quirk and Terry Dunlap
Mar 12, 2017

ED. NOTE: The FCC recently rescinded the notice of inquiry mentioned in this article, but is expected to take up cybersecurity matters again shortly.

"The Internet of Things is turning into a security nightmare." So wrote Thomas Ricker, a respected systems engineer and deputy editor of the The Verge, in describing the enormous distributed denial of service (DDoS) attack that disabled wide swaths of the Internet in late September 2016. This is no hyperbole. Mr. Ricker's statement succinctly describes the current state of Internet of Things devices' vulnerability to cyberattack and hacking.

According to a leading report by Malwarebytes Labs, there were nearly 1 billion malware detections and incidents, affecting nearly 100 million devices in more than 200 countries, during the June to November 2016 period alone. The United States is the top country for ransomware detections, as Americans are targeted because of their wide accessibility to technology and their ability to pay the ransom.

Left to right: Ronald E. Quirk, Terry Dunlap
Unprotected IoT Devices Are Begging for Cyberattacks
IoT devices are particularly vulnerable to cyberattacks from botnets—a network of private computers infected with malicious software and used to spread malware. The aforementioned DDoS attack was orchestrated by a botnet that spread Mirai, an open-source malware, which compromised many IoT devices and home routers, with all of the infected devices being controlled by a single source. This brought down many well-known websites.

Less than a month later, Mirai was used to attack Dyn, an Internet infrastructure company that provides critical technology services to some of the Internet's top destinations. This attack, which compromised security cameras, prevented millions of users from accessing popular sites such as Twitter, Reddit and Netflix.

Mirai is a particularly insidious malware. It scours the Web for IoT devices protected by little more than factory-default usernames and passwords, using an internal database of default names and passwords to gain entry to connected devices. After gaining access, Mirai attacks by throwing junk traffic at an online target until it can no longer accommodate legitimate users.

It is unlikely that we have seen the last of Mirai. The hacker who created Mirai released the source code for it, thereby enabling anyone who wants to instigate a botnet attack to use the malware.

Unsecured Firmware Can Be a Cesspool of Insecurity
Passwords in IoT products are embedded in the firmware. Firmware is software that controls the basic functions of a particular device; all computing devices rely on it. Devices such as smartphones and computers have operating systems, which help consumers manage the firmware. But devices without operating systems built in, such as routers and smart devices, render firmware difficult or even impossible for users to manage.

This scenario results in firmware potentially being a cesspool of insecurity. Many manufacturers view building security protocols in their devices as an unnecessary expense that eats into their margins. Consumers rarely think about applying patches (i.e., software that fixes security vulnerabilities) or installing updates in their devices—and because consumers don't demand firmware support, manufacturers don't provide user-friendly ways to update firmware used in their IoT devices.

This kind of neglect has resulted in cyber bugs such as the Misfortune Cookie, which in 2014 was discovered in the firmware of more than 200 router models. This bug allows attackers to monitor Internet traffic channeled through an unsecured router, steal passwords and login credentials, and spread malware to other devices.

JOIN THE CONVERSATION ON TWITTER
Loading
ASK THE EXPERTS
Simply enter a question for our experts.
Sign up for the RFID Journal Newsletter
We will never sell or share your information
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations
© Copyright 2017 RFID Journal LLC.
Powered By: Haycco