Now is the time to beef up IoT device security before it’s too late!!
DDoS attacks are not new, but DDoS attacks that exploit weak IoT device security are. Recently we mentioned a DDoS attack that was launched by a botnet of 25,000 compromised CCTV cameras, armed with high-bandwidth connectivity and scattered across the world.
The rise of IoT botnets was predicted as one of the cybersecurity trends of 2016, and the technical details behind a Delaware jewelry episode are another reminder of how dangerous IoT botnets can be. With more and more unguarded IoT devices becoming connected to the internet every day, malicious bot lords are having an easier time recruiting devices into their botnets, and their next target can be a smart fridge, light bulb, kettle or door lock.
IoT device security is nowhere close to that of general-purpose computing devices such as PCs and smartphones. “Unlike personal computers or servers, most IoT devices are not well protected — or even protected at all,” says Igal Zeifman, a senior manager at cybersecurity firm Imperva Incapsula. “This is despite the fact that many are hooked up to a high-speed broadband connection and possess many of the processing functionalities as regular computers.”
Zeifman believes that CCTV cameras and webcams are of special concern. Researchers at Arbor Networks recently found cybercriminals adapting the source code of LizardStresser, an infamous botnet malware, to infect IoT devices, with internet-accessible cameras accounting for 90% of the targeted devices. Matthew Bing, one of the researchers, described in a blog post how the cumulative bandwidth available to the botnet nodes has been used to launch 400 Gbps DDoS attacks against banks, gaming sites, ISPs and government institutions.
“Traditional IT security practices are difficult to deploy on IoT devices,” says Preetham Naik, business development expert at Subex. The constraints include computation and storage limitations, as well as the use of stripped-down versions of known operating systems such as Linux.
The mostly autonomous nature of IoT devices is another factor. “The basic issue is that most IoT devices are ‘Things’ that are meant to do a very specific function,” says Deepindher Singh, founder and CEO of IoT manufacturer 75F. “Once set up, we tend to forget that they are actually connected to the internet or that they are actually vulnerable to attacks.”
Limited user interfaces are another contributing factor to IoT devices being overlooked, Singh believes, pointing to non-existent or “cumbersome access methods like using a web browser or app” to monitor each device. “When was the last time somebody logged into their light bulbs to do a tcpdump to check if there were rogue packets?” he asked rhetorically. Manufacturers look for cheap, lightweight components, and IoT devices built from them often lack the capability to provide fundamental security services, such as encryption, because the hardware simply cannot support it.
IoT botnets are much more serious than traditional botnets. The devices in them either measure their environment (perform surveillance) or change their environment (perform physical actions). As IoT botnets become a clear and present danger, only the combined efforts of everyone involved — including consumers, manufacturers and IT pros — can stop the threat.
China leads the world in connecting everyday devices to the internet, and at the same time it is creating huge hacking vulnerabilities for itself and others by doing so, renegade American software pioneer John McAfee warned Tuesday. Hackers had already been able to gain control of devices such as safes and heating controls, and take over the computer systems of automobiles and airplanes, he said.
“China is taking the lead in putting intelligence into devices, from refrigerators to smart thermostats, and this is our weakest link in cybersecurity,” he said in Beijing. “I am hoping that in the short time I am here I can raise a warning flag that we have to take security of these devices even more importantly than our large computers or our smart phones,” he told a conference of internet security professionals. “Because there are so many more of these devices, and the more that are connected, then the higher the risk of a potential hack becomes.”
McAfee, 70, is the colourful founder of the McAfee antivirus software company. McAfee’s at times dire and alarming speech in Beijing came as his new company MGT Capital prepares to launch cybersecurity products later this year.
“Our species has never before faced a threat of this magnitude. And we have not noticed it by and large,” he said. “You may be thinking I am exaggerating, that I am an alarmist. I am friends with many of the hackers who have the capability to do enormous damage if they so choose.”