Cybersecurity experts on Monday called for standardized security measures for connected webcams, printers and routers in the wake of a massive cyber attack launched through those devices.
But in the meantime, billions of poorly secured “internet of things” (IoT) gadgets remain open for exploitation by criminals, corporate spies, activist hackers and nation states.
“There is not a viable defense against it for the foreseeable future,” said Ted Harrington, executive partner at Independent Security Evaluators. “IoT adoption is rapidly increasing, while security considerations in connected devices remain largely absent.”
Harrington described the likelihood of a similar attack in the future as “highly probable, bordering on guaranteed.”
In the assault Friday that blocked access to hundreds of websites, including Twitter, Airbnb, Amazon, PayPal, CNN, Spotify and Reddit, thousands of hijacked “internet of things” devices bombarded a New Hampshire company called Dyn with traffic. Dyn provides domain name system (DNS) services, which translate the names of its clients’ websites into the numeric addresses browsers need to reach them, so flooding Dyn made those sites unreachable even though the sites themselves were not attacked.
The attackers took advantage of the widespread lack of security among connected devices, which can include everything from security cameras to digital video recorders, printers and refrigerators. Some of those devices do not have passwords and others are sold with default passwords that many purchasers don’t change.
The assailants relied, at least in part, on malware code called “Mirai” that scans the internet for gadgets that still accept a short list of factory default usernames and passwords, logs in with them and enlists the devices in its attacks. Mirai was published online by a hacker in recent weeks.
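The scanning pattern described above leaves a recognizable trace on the receiving end: one source address cycling through many factory-default username/password pairs against a Telnet service within seconds. The script below, added here as an example and not code from the article or from any company named in it, flags that pattern in login logs and separately reports any successful login that used a default pair, since that means a device on the network still accepts factory credentials. The log line format is constructed for the example (a honeypot or lab telnet daemon that records each attempt on one line; production devices should not log submitted passwords), and DEFAULT_CREDS is a small illustrative list, not Mirai’s full wordlist.

```python
"""Flag default-credential login sweeps in Telnet authentication logs.

Added example, not code from the article or from any vendor named in it.
Assumptions: the one-line-per-attempt log format below is constructed for
this example, and DEFAULT_CREDS is a short illustrative list of factory
default pairs. A real deployment would load the vendors' documented
defaults (or a published scanner wordlist) instead.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative factory defaults (assumption, see module docstring).
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "12345"),
    ("admin", "1234"), ("admin", "password"), ("user", "user"),
    ("support", "support"), ("root", ""), ("admin", ""),
}

# Constructed log line shape (not a real daemon's format):
# 2016-10-21T11:10:05Z telnetd: src=198.51.100.7 user=root pass=xc3511 result=fail
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: src=(?P<src>\S+) user=(?P<user>\S*) "
    r"pass=(?P<pass>\S*) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    src: str
    user: str
    password: str
    ok: bool


def parse_line(line):
    """Return an Attempt, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Attempt(ts, m["src"], m["user"], m["pass"], m["result"] == "ok")


def analyze(lines, window_seconds=60, min_attempts=5, default_ratio=0.5):
    """Group attempts by source address and flag default-credential sweeps.

    A source is a sweep if, inside any sliding window of window_seconds, it
    tried at least min_attempts distinct (user, password) pairs and at least
    default_ratio of those pairs are factory defaults. Any successful login
    with a default pair is reported regardless of sweep status.
    """
    by_src = defaultdict(list)
    for line in lines:
        attempt = parse_line(line)
        if attempt:
            by_src[attempt.src].append(attempt)

    findings = {}
    span = timedelta(seconds=window_seconds)
    for src, attempts in by_src.items():
        attempts.sort(key=lambda a: a.ts)
        default_logins = [(a.user, a.password) for a in attempts
                          if a.ok and (a.user, a.password) in DEFAULT_CREDS]
        sweep = False
        lo = 0
        for hi in range(len(attempts)):
            # Slide the window start forward until it fits within span.
            while attempts[hi].ts - attempts[lo].ts > span:
                lo += 1
            pairs = {(a.user, a.password) for a in attempts[lo:hi + 1]}
            if len(pairs) >= min_attempts:
                defaults = sum(1 for p in pairs if p in DEFAULT_CREDS)
                if defaults / len(pairs) >= default_ratio:
                    sweep = True
                    break
        if sweep or default_logins:
            findings[src] = {"sweep": sweep, "attempts": len(attempts),
                             "default_logins": default_logins}
    return findings


# Constructed sample log: one scanner cycling through defaults and finally
# getting in, one administrator with a real password, one mistyped login.
SAMPLE_LOG = """\
2016-10-21T11:10:01Z telnetd: src=198.51.100.7 user=root pass=vizxv result=fail
2016-10-21T11:10:02Z telnetd: src=198.51.100.7 user=admin pass=admin result=fail
2016-10-21T11:10:03Z telnetd: src=198.51.100.7 user=root pass=888888 result=fail
2016-10-21T11:10:04Z telnetd: src=198.51.100.7 user=support pass=support result=fail
2016-10-21T11:10:05Z telnetd: src=198.51.100.7 user=root pass=12345 result=fail
2016-10-21T11:10:06Z telnetd: src=198.51.100.7 user=root pass=xc3511 result=ok
2016-10-21T11:12:40Z telnetd: src=192.0.2.10 user=ops pass=Tq7!rv2Lp result=ok
2016-10-21T11:15:00Z telnetd: src=203.0.113.44 user=ops pass=Tq7!rv2Lo result=fail
2016-10-21T11:15:09Z telnetd: src=203.0.113.44 user=ops pass=Tq7!rv2Lp result=ok
""".splitlines()

if __name__ == "__main__":
    for src, finding in analyze(SAMPLE_LOG).items():
        print(src, finding)
```

On the sample, only 198.51.100.7 is reported: six attempts in five seconds, all from the default list, ending in a successful root/xc3511 login. The administrator at 192.0.2.10 and the mistyped login from 203.0.113.44 are not flagged. The successful default login is reported even when the sweep threshold is raised, because the exposed device is the finding that matters most.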
Chinese webcam maker Xiongmai on Monday said its devices were among those that had been hijacked via Mirai for the attack. “Mirai is a huge disaster for the internet of things,” the firm said in an email Monday. The company said it will recall some of its older products.
The malicious code, plus the availability of poorly secured devices, gave the assailants a relatively easy way to exploit the IoT security gap, said Tony Anscombe, a senior security executive at online security firm Avast. “I don’t think the attack was particularly sophisticated,” Anscombe said.
While consumers have a responsibility to buy safe devices and to set strong passwords, companies making connected devices must develop standards so their products are “secure by design,” Anscombe said. Some of those standards could govern password strength, level of encryption and data sharing.
“The best way for any industry to have standards is actually to self-regulate,” Anscombe said. “When governments become involved and have to force regulation, what you find is the regulation doesn’t allow for innovation.”
Even manufacturers that include security features in their connected devices are mostly using common open-source software to create those features, leaving the devices vulnerable to hacking, said Alberto Yépez, co-founder of Trident Capital Cybersecurity, a San Mateo venture capital firm that invests exclusively in cybersecurity companies.
“They need to use commercial-grade encryption solutions that are standards-based,” Yépez said.
No credible claims of responsibility for Friday’s incident have been put forward. Yépez said the attack was likely a broadly targeted “test run.” The perpetrators have proven they can successfully black out large portions of the internet, and now they can go to market, Yépez said.
“They will try to monetize the capability,” he said. “They have armies of devices that have already been compromised.”
Although multitudes of “smart” devices with little or no security are operating in homes and businesses and most cannot be patched to make them secure, the good news is that few will remain around for long, said analyst Hayden James at digital advertising firm EvoWise.
“Thankfully, tech gadgets, the lifespan’s pretty short,” James said. “Everybody’s going to be upgrading to the new this or the new that.”