It’s been touted as a technological revolution that will make things easier by connecting everything from your fridge to your toaster online.
But there’s a darker side to the so-called Internet of Things: A massive army of infected IoT devices is one of the most effective ways to launch massive cyberattacks.
“There’s so much enthusiasm for connected devices,” Ted Harrington, Executive Partner at Independent Security Evaluators, told Business Insider.
But unfortunately, according to Harrington, “bad security practices are still the norm in IoT.” Such practices range from coding passwords directly into device software to using no encryption, but the result is often the same: a device that can be hacked much more easily.
That fundamental lack of basic security was on full display last month when a “record” distributed denial-of-service attack was carried out against the website of journalist Brian Krebs, which took his site offline for days. While the massive influx of traffic resulted in Krebs’ host kicking him off its servers, it seemed to be just the beginning of a new wave of IoT-led attacks.
“This is not isolated to a specific type of manufacturer or specific type of product but rather, all these connected devices are showing issues,” Harrington, who helps run a security research village for IoT devices at the Def Con hacking conference, said.
‘It’s a challenge for civilization’
The attack on Krebs was carried out by a botnet of infected IoT devices. Put simply, an attacker uses software to find connected devices with weak security, and the resulting network of infected devices is placed under the attacker's control.
And how the botnet is assembled is not a closely guarded secret: Just a week after Krebs’ site was taken offline, the source code for the software that did it, Mirai, was released online, which means we can expect many others to use and improve upon the malicious code.
“Botnets can use these default credentials to harvest hundreds or thousands of bots to focus on a target in a DDoS attack,” Lamar Bailey, Senior Director of Security Research and Development at TripWire, told Business Insider. “The attacks are more successful because they come from a larger area and this makes them harder to mitigate.”
A large portion of the devices that were used in recent cyberattacks were cameras and digital video recorders made by a Chinese manufacturer, The Wall Street Journal reported. Others included routers and satellite antennas.
“If we want to put networked technologies into more and more things, we also have to find a way to make them safer,” Michael Walker, a program manager at DARPA, told The New York Times. “It’s a challenge for civilization.”
Right now, civilization seems to be on the losing side, as researchers with Akamai say as many as two million devices have been taken over by hackers. And since most devices are designed to be left alone after setup, it’s almost impossible for an average user to know their device has been compromised.
“The scope of attack surface is expanding,” Harrington said, using a term for the different points where a hacker can gain access. “And not just attack surface, but the scope of vulnerable attack surface is expanding exponentially.”