Page 48 - Cyber Warnings
Time to Get Serious About Internet of Things Cybersecurity
The Internet of Things (IoT) is made up of everyday objects built with the ability to sense,
analyze, and communicate information about themselves and their environment. In smart
homes and offices, these devices measure air quality, secure against intruders, and listen for
verbal instructions to play music or order pizza. IoT devices are also deployed in industrial
applications to do things like monitor the flow of oil through pipes, track public transit vehicles,
and control robotic arms on assembly lines. IoT even includes simple sensors that do
everything from measuring temperature to counting how many times a door is opened or how
many times a customer tries on a pair of shoes. There are already billions of IoT devices deployed
around the world, and most estimates put that number at 25-50 billion by 2020.
While the promise of near omniscience continues to fuel this rapid growth, IoT cybersecurity
appears to still be an afterthought. The capabilities that would help protect IoT devices, and
those that would protect the rest of the world from IoT devices, are severely lagging. This reality
came to a head when hackers secretly searched for, found, and compiled a list of millions of
easily hacked IoT devices. The unprotected devices were combined into a botnet dubbed Mirai,
which was unleashed on the world in a massive Distributed Denial of Service (DDoS) attack that
brought down some of the biggest Internet sites in the world. Twitter, Spotify, SaneBox, Reddit,
Box, Github, Zoho CRM, PayPal, Airbnb, Freshbooks, Wired.com, Pinterest, Heroku and many
others were knocked offline for hours. Level 3 put out a report that explains in detail how the
Mirai botnet worked.
The source code for the Mirai bots was subsequently released, allowing others to use the same
technology to build their own IoT botnets. While the release of malware source code isn’t
uncommon, it usually follows the widespread availability of a patch to close the hole the
malware exploits. The fact that IoT devices are often difficult or impossible to patch makes the
release of the Mirai source code particularly dangerous.
One good thing about the Mirai attack was that it generated a lot of data from which we have
learned a couple of very interesting things. First, the attack had little to do with the capabilities of
the devices themselves; only their massive combined numbers could generate such traffic.
Second, and most importantly, this attack was almost completely avoidable.
Most IoT devices were not designed to be secure, and their production reflects that. For
example, most security cameras that became part of Mirai had hard-coded default passwords,
so they were all operating with known backdoors. Certainly, the “build security in” crowd can find
a lot of support in Mirai examples, but organizations that deploy devices with weak security bear
significant responsibility for how those devices are used.
Had the organizations deploying the devices that were caught up in the Mirai botnet adhered to
cybersecurity risk management best practices, much of the impact of these attacks could have
been mitigated. When considering a new device deployment, organizations should consider the
48 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide