Insecure Internet of Things (IoT) devices are potentially putting society as a whole at risk from cyberattacks because cyber criminals are able to exploit these common products that haven't been designed with any form of security in mind.
IoT products have become a staple in many homes and places of work because they're perceived as helpful to everyday life.
However, many IoT devices get installed onto networks without proper security procedures in place, either because the user isn't aware of how to boost the security of the device – for example, by changing the password – or the device doesn't come with a password or options for securing it at all.
In some cases, IoT devices are leaking data onto the internet because the vendor hasn't properly configured security – whether by mistake, or because of a requirement to rush it out to the market without adding security by design. Either way, poor security in IoT devices can have major consequences.
"It's not even just the damage that it can cause to you from the exposure of your personal data; it's the damage it can cause to really our whole society," Craig Young, principal security researcher at Tripwire, told the ZDNet Security Update video series.
"When you look back at IoT botnets – Mirai, for example – they've demonstrated that if you pull together all of these devices, you have some substantial resources".
Mirai caused major issues in 2016 when IoT devices infected with malware were roped into a botnet targeting online infrastructure provider Dyn with a massive DDoS attack, knocking a number of major services offline.
Each individual IoT device only has a small amount of computing power, but an army of millions of devices all directing traffic towards a single target is a powerful tool for online disruption. And with so many IoT devices available and easy to find on the internet, it's something that cyber criminals are looking to exploit.
"What I do worry about is when you've got products that are little computers that are pulling down firmware updates from some company that can get hacked and have that firmware replaced with malware. That's the doomsday scenario," said Young.
"There's a lot of reason to believe that vendors really don't take that infrastructure seriously they're rushing out the door with features and not taking the time to lay the groundwork for security," he added.
And while there are initiatives designed at improving Internet of Things security, and information security researchers are attempting to find and disclose problems so they can be repaired, for now it remains an issue as insecure IoT devices are so readily available.
"There are so many different companies in the IoT space and there are not enough security researchers going out of their way to work with them and fix these things," said Young.
Users can try to help ensure the IoT devices they install on their network are secure by, when possible, buying products by vendors that are known and trustworthy, rather than a cheap product from a vendor you've never heard of before. Users should also ensure that, when possible, the device isn't secured with a default password.
MORE ON CYBERSECURITY
- The dark side of IoT, AI and quantum computing: Hacking, data breaches and existential threat
- How to secure your IoT devices from botnets and other threats
- IoT security: Why it will get worse before it gets better
- IoT attacks are getting worse -- and no one's listening
- This old security vulnerability left millions of Internet of Things devices vulnerable to attacks