When it first appeared, the Internet of Things (IoT) seemed to be nothing more than an idea with no substance. What was it? Was it the new 'IT' (remember that)? Eventually, IoT came to fruition and consumers lapped it up. Smart thermostats, toasters, locks, lighting, Echo, Google Home... the list goes on and on. As more homes and businesses adopt such devices, you can imagine what follows. Security breaches.
Over the last few years, there have been quite a few IoT-centric attacks. And yet, despite attacks being on the rise, IoT continues to enjoy an even greater surge in popularity. Should you consider discontinuing the adoption/deployment of IoT devices -- and forgo the convenience of tech evolution?
Let's take a look at some of the worst attacks on IoT devices over the last few years and what you can do to prevent falling victim to vulnerabilities.
I wanted to start off with Stuxnet (which occurred between 2010 and 2014), because it perfectly illustrates the inherent danger in IoT devices. Although the devices Stuxnet targeted -- industrial programmable logic controllers (PLCs) -- aren't typical IoT devices by today's standards, they are considered 'smart controllers' and fall into the category. The attack was purportedly launched to sabotage the uranium enrichment facility in Natanz, Iran. Many experts believe that Stuxnet destroyed up to 1,000 centrifuges. Stuxnet was not a typical IoT attack, because it relied on the PLC devices being connected to a machine running the Windows operating system. Even so, this should have served as a clear warning sign that smart devices can be compromised.
The lesson to be learned from this attack? Mission-critical devices that rely on a standard PC platform should not be attached to a WAN unless absolutely necessary and need to be safeguarded from access by non-critical personnel.
The year 2016 had plenty of major attacks to call its own. One such attack was the Mirai botnet. This particular botnet infected numerous IoT devices (primarily older routers and IP cameras), then used them to flood DNS provider Dyn with a DDoS attack. The Mirai botnet took down Etsy, GitHub, Netflix, Shopify, SoundCloud, Spotify, Twitter, and a number of other major websites. This piece of malicious code took advantage of devices running out-of-date versions of the Linux kernel and relied on the fact that most users do not change the default usernames/passwords on their devices.
The lesson to be learned from this attack is a bit more complicated than a simple fix. Many companies cut manufacturing costs by not including enough storage space on their devices to allow for the updating of the Linux kernel. Because of this, a lot of IoT devices are running kernels that include vulnerabilities. It is on the shoulders of the manufacturers to accept this shortcoming and enable every device for regularly scheduled kernel updates. Until this issue is resolved, IoT devices will continue to suffer under the weight of exploits.
It should go without saying that if your IoT device is password protected, you should change the default password (and username, if possible) immediately.
In November 2016, cybercriminals shut down the heating of two buildings in the city of Lappeenranta, Finland. This was another DDoS attack; in this case, the attack managed to cause the heating controllers to continually reboot the system so that the heating never actually kicked in. Because the temperatures in Finland dip well below freezing at that time of year, this attack was significant.
The lesson learned from this attack? Your network needs to be frequently monitored for DDoS (and other) attacks. The second you see suspect activity on your network... act.
Brickerbot worked in similar fashion to the Mirai botnet, in that it relied upon a DDoS attack and users not changing the default username/password of their device. The biggest difference between Brickerbot and the Mirai botnet is that Brickerbot (as the name implies) simply kills the device. This could be a serious hit on a company's bottom line if a large deployment of IoT devices is rolled out, only to have them simultaneously bricked.
The lesson learned here is that if your devices include a default username/password, you should immediately change them.
This year, Verizon Wireless released a report that included an unnamed university that saw more than 5,000 IoT devices attacked. When senior members of the campus IT staff started receiving numerous complaints about slow or inaccessible network connectivity, they discovered their name servers were producing a high volume of alerts and showed an abnormal number of sub-domains related to seafood. It turned out that more than 5,000 discrete systems were making hundreds of DNS lookups every 15 minutes. The botnet spread via brute-force attacks that broke through weak passwords on IoT devices.
The lesson learned here? Again, always be on the alert for suspect network activity and make sure to secure your IoT devices with stronger than usual passwords.
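The signal in the university case, individual devices making hundreds of DNS lookups per 15-minute window, can be pulled out of resolver query logs with very little code. The following is an added example, not taken from the Verizon report: the log layout (`timestamp client-ip qname`), the threshold of 100, the addresses and the `seafood.example` zone are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 100  # assumed cut-off for "hundreds of lookups" per window

def parse_line(line):
    """Parse 'ISO-timestamp client-ip qname' (assumed log layout)."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.rstrip(".").lower()

def window_start(ts):
    """Floor a timestamp to the start of its 15-minute window."""
    return ts - timedelta(minutes=ts.minute % 15, seconds=ts.second,
                          microseconds=ts.microsecond)

def noisy_clients(lines, threshold=THRESHOLD):
    """Map (client, window start) -> (lookups, distinct names, top parent
    zone) for every client at or above the threshold in a window."""
    counts = defaultdict(int)
    names = defaultdict(set)
    zones = defaultdict(lambda: defaultdict(int))
    for line in lines:
        try:
            ts, client, qname = parse_line(line)
        except ValueError:
            continue  # blank or malformed line: skip it, keep scanning
        key = (client, window_start(ts))
        counts[key] += 1
        names[key].add(qname)
        # Last two labels as the parent zone: a simplification that is
        # wrong for suffixes such as co.uk.
        zones[key][".".join(qname.split(".")[-2:])] += 1
    return {key: (n, len(names[key]), max(zones[key], key=zones[key].get))
            for key, n in counts.items() if n >= threshold}

def build_sample():
    """Constructed log: one device hammering a zone, one ordinary client."""
    base = datetime(2017, 2, 1, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=3 * i)).isoformat()} 10.20.1.15 "
             f"host{i}.seafood.example" for i in range(250)]
    lines += [f"{(base + timedelta(minutes=2 * i)).isoformat()} 10.20.1.77 "
              "www.campus.example" for i in range(6)]
    return lines + ["", "not a log line at all, just noise"]

if __name__ == "__main__":
    for (client, start), hit in noisy_clients(build_sample()).items():
        print(client, start.isoformat(), *hit)
```

A high count of distinct names under a single parent zone, as in the flagged window here, is the same pattern the campus name servers showed.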
From looking at these attacks, it should be clear that the onus for preventing takedown by IoT is on both the user and the device developer. Going forward, every IoT device should ship with an updated kernel/firmware and include the ability to regularly update as new vulnerabilities are found. At the same time, anyone who deploys an IoT device needs to take the time to change the default user/password combination (if available) and constantly be on the lookout for suspect network activity. Finally, developers should seriously consider making a default password change a requirement upon initial deployment of the device.
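One way a developer could make the default password change a requirement is sketched below as an added example, not any vendor's actual firmware. The `Device` class, the `admin`/`admin` factory credentials and the 12-character minimum are hypothetical; the point is that the factory password only unlocks a setup mode and remote services stay off until it is replaced.

```python
import hashlib
import hmac
import os

FACTORY_USER, FACTORY_PASS = "admin", "admin"  # constructed factory default
MIN_LENGTH = 12                                # assumed password policy

def _hash(password, salt):
    """Derive a storable hash; the device never keeps the plain password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Device:
    """Hypothetical device that stays in setup mode until the factory
    password has been replaced."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(FACTORY_PASS, self.salt)
        self.provisioned = False

    def login(self, user, password):
        ok = hmac.compare_digest(self.pw_hash, _hash(password, self.salt))
        if user != FACTORY_USER or not ok:
            return "denied"
        # The factory password is only good for reaching the setup screen.
        return "full" if self.provisioned else "setup-only"

    def set_password(self, current, new):
        if self.login(FACTORY_USER, current) == "denied":
            return "denied"
        if new.lower() in {FACTORY_USER, FACTORY_PASS}:
            return "rejected: factory default"
        if len(new) < MIN_LENGTH:
            return "rejected: too short"
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new, self.salt)
        self.provisioned = True
        return "ok"

    def remote_services_enabled(self):
        """Remote management is gated on provisioning being complete."""
        return self.provisioned
```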
The Internet of Things is not going away. Neither are the attacks on such devices. With just a bit of care during setup and a constant watchful eye on your network, you can prevent security breaches by way of IoT devices.