DDoS attack shows dangers of IoT 'running rampant'

Experts, U.S. senator call for greater Internet of Things security

A U.S. Senator has joined security officials calling for stiffer cybersecurity for Internet of Things (IoT) devices following a major attack last Friday.

In a letter to three federal agencies, Sen. Mark Warner (D-Va.) on Tuesday called for "improved tools to better protect American consumers, manufacturers, retailers, internet sites and service providers."

Friday's big cybersecurity attack affected 80 major websites and was blamed on the Mirai botnet that largely targeted unprotected IoT devices, including internet-ready cameras.

Those devices were used by unknown attackers to overload servers at Domain Name System provider Dyn in a Distributed Denial of Service (DDoS) attack.

President Barack Obama said Monday that U.S. investigators "don't have any idea" who was behind the attack. He added on Jimmy Kimmel Live that future presidents face the challenge of "how do we continue to get all the benefits of being in cyberspace but protect our finances, protect our privacy. What is true is that we are all connected. We're all wired now."

Security experts recommended Tuesday that default usernames and passwords in IoT devices be avoided and said automatic updates of IoT software could help avoid similar attacks in the future.

"This attack should be a wake-up call about security issues across IoT," said Mark Dufresne, director of threat research at Endgame, a cyber security company based in Arlington, Va.

"There's a low barrier for entry for hackers due to IoT devices that ship with default credentials and lack automatic security updates to fix known flaws," he said in an interview. "As things stand today, we should expect to see more and more attacks involving IoT."

Default usernames and passwords are relatively easy for hackers to guess; lists of default usernames and passwords can even be found through an internet search.

Experts said several solutions to create a non-default approach are possible: Manufacturers could require that a customer change the password before the device is first used; a random number generator could be used to create a password for each device, with the unique password made available to the user; and the unique MAC (Media Access Control) address of the device could function as the password until a user changes it.
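The first two approaches combined, as an added example that is not from the article or from any vendor's firmware: each device gets a unique random initial password at the factory and refuses normal use until the owner replaces it. The `Device` class, its method names, the length rule and the small defaults list are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample of common factory defaults, for illustration only.
KNOWN_DEFAULTS = {"admin", "password", "12345", "root", "default"}


def _digest(password: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """Hypothetical credential store for one IoT device."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.stored = b""
        self.must_change = True

    def provision(self) -> str:
        """Factory step: unique random password, e.g. printed on the label."""
        initial = secrets.token_urlsafe(12)
        self.stored = _digest(initial, self.salt)
        self.must_change = True
        return initial

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(self.stored, _digest(password, self.salt))

    def change_password(self, old: str, new: str) -> bool:
        """Accept a replacement only if it is not a default, short, or reused."""
        if not self._check(old):
            return False
        if new.lower() in KNOWN_DEFAULTS or len(new) < 10 or new == old:
            return False
        self.stored = _digest(new, self.salt)
        self.must_change = False
        return True

    def login(self, password: str) -> str:
        """Return 'denied', 'change-required' (first use) or 'ok'."""
        if not self._check(password):
            return "denied"
        return "change-required" if self.must_change else "ok"
```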

Giving IoT devices automatic updates would require more processing power. Dufresne said adding such capabilities wouldn't necessarily be expensive.

"We see the dangers of this IoT running rampant," he said. "There's a continuum of bad to middling security and nobody is knocking it out of the park."

Even though DDoS attacks first hit the internet in the 1990s, they are still commonplace. AT&T on Monday released a survey of more than 700 IT decision makers that found that 73% of companies suffered at least one DDoS attack in the last year.

"Most attackers are targeting businesses using forms of attacks we already know about and can help defend against," said Mo Katibeh, senior vice president of advanced solution at AT&T. "The vast number of threats and attack patterns across our network fit with very well-known attacks...like DDoS," he said in an interview.

Katibeh said that when AT&T U-verse residential and small business customers receive an internet gateway device they are immediately required to update the user name and password. For the 20 car manufacturers that connect cars to AT&T wireless networks, there is Virtual Private Network protection, which means traffic is "not riding the open internet, and thus protected against DDoS attacks," he said.

AT&T is also working on software that will stop a robot arm from moving on a manufacturing floor if the arm moves slightly at variance with its controlled range of motion, he said.

Katibeh said that IoT devices are going to pose ever-greater challenges for enterprise security officials.

"For every enterprise, there's a call to action around Internet of Things," he said. "We even have connected coffee pots. Every enterprise should be doing risk and vulnerability assessments and knowing what to protect and knowing its vulnerabilities. Make sure you are buying devices that have minimum security built-in to allow updates of firmware and patches as they become available."

Matt Hamblen

Computerworld (US)