It’s not new news. IoT devices are vulnerable to attack.
We have all heard the reports about baby monitors being hacked, smart cars being taken over and CCTV systems being compromised. But on Friday, 21st October 2016, an attack on smart ‘things’ made global news and should change the way manufacturers, employers and consumers think about the Internet of Things, and change things fast.
One of the largest and most powerful distributed denial of service (DDoS) attacks in recent history hit DNS provider Dyn and its customers, knocking out major services such as Twitter, Reddit and Spotify for many users. The attack may well mark the beginning of a new era of internet attacks conducted through "smart" things. Clearly they aren't as smart as we think if they can be commandeered so easily by random deviants on the internet to disrupt services of this size.
So, we know how it happened. What's next? How do we, as a community of concerned researchers, civil servants and internet users, protect our internet and prevent even greater damage from future attacks?
We predicted IoT device attacks would take off once criminals figured out how to monetise them, much as they have with their very lucrative ransomware scams, or to align them with their goals. We have not yet seen any direct financial gain from this widespread attack, but it shows just how powerful vulnerabilities in IoT devices are in the wrong hands. Others have used DDoS as an extortion technique for years, and this could set a very dangerous precedent for future attacks. Until now, IoT devices have been protected mainly by a lack of attacker interest. Clearly, that has changed. With the release of this malware's source code and its use in these recent attacks, cybercriminals have smelled blood in the water and the sharks are circling. We have not seen evidence of it in this case, but historically cybercriminals have also used DDoS to distract security teams while conducting other attacks with bigger financial motives. It could equally have been plain old political hacktivism, cyber vandalism or some other fraud.
Sophos experts have been studying and reverse engineering IoT devices for years, revealing how vulnerable they are to compromise. Many have asked why CCTV cameras and DVRs made up the majority of the devices used in the Dyn attack. There is nothing unique about them: other classes of device are exposed and vulnerable in the same way, so this attack shows only the tip of the iceberg of devices cybercriminals could leverage for future attacks.
You might be asking, what can we do? There is plenty, and the steps to protection are simple. First, it is critical that manufacturers take note and act: eliminate default passwords, and make sure devices can be remotely and automatically updated against security threats, so that an event like this cannot simply repeat itself.
At the user level, it is vital that owners of smart TVs, lights, thermostats, routers, baby monitors and other internet-connected devices keep the software on their devices up to date and immediately change the default passwords to something unique. Here's a tip: you can write your new password down so you can remember it, just be sure to change it from the factory setting. For businesses, make sure employees ask IT for permission before connecting IoT devices to the work network. Otherwise they could be opening a window for attackers to see into the organization, steal data and perform illicit surveillance.
It's ok, we know everyone loves to play with gadgets. But if you are going to play with the IoT, better safe than sorry.
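What "eliminating default passwords" looks like on the manufacturer's side is worth spelling out, since it is the single change that would have denied this botnet most of its recruits. The following is an added example, not code from Sophos or from any real device firmware: a small credential gate a device could run at first boot, which refuses to enable its remote-administration services until the owner has set a unique password, rejects the shipped factory credentials and a few well-known weak choices, and never falls back to a built-in password. The factory-default list, the serial number and all names are constructed for the illustration.

```python
"""Illustrative first-boot credential gate for an IoT device (added example).

Assumptions: the device ships with NO usable password, so nothing can log in
until the owner sets one; the lists below are constructed samples, not a
vendor's real defaults.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of (username, password) pairs that a device in this
# product line has ever shipped with.  Anything on this list must never be
# accepted as a new credential.
FACTORY_DEFAULTS = {
    ("admin", "admin"), ("root", "root"), ("admin", "1234"),
    ("user", "user"), ("support", "support"),
}
# Constructed sample of widely used weak passwords (lower-cased for comparison).
COMMON_WEAK = {"password", "123456", "12345678", "admin", "root", "qwerty"}
MIN_LENGTH = 10
PBKDF2_ITERATIONS = 200_000


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a dumped flash image does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class DeviceAuth:
    serial: str                      # printed on the label, so treat it as public
    _username: Optional[str] = None
    _salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    _hash: Optional[bytes] = None

    @property
    def password_set(self) -> bool:
        return self._hash is not None

    def check_new_password(self, username: str, password: str) -> List[str]:
        """Return the list of reasons a candidate credential is unacceptable (empty = ok)."""
        problems = []
        if (username, password) in FACTORY_DEFAULTS:
            problems.append("matches a factory default credential")
        if password.lower() in COMMON_WEAK:
            problems.append("is a commonly used weak password")
        if len(password) < MIN_LENGTH:
            problems.append(f"is shorter than {MIN_LENGTH} characters")
        if self.serial.lower() in password.lower():
            problems.append("contains the device serial number, which is printed on the label")
        return problems

    def set_password(self, username: str, password: str) -> None:
        """Owner sets the first (or a new) password; refuses anything the checks flag."""
        problems = self.check_new_password(username, password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self._salt = secrets.token_bytes(16)
        self._hash = _derive(password, self._salt)
        self._username = username

    def verify(self, username: str, password: str) -> bool:
        """Login check. With no password set there is NO fallback: every login fails."""
        if not self.password_set or username != self._username:
            return False
        return hmac.compare_digest(_derive(password, self._salt), self._hash)

    def remote_admin_allowed(self) -> bool:
        """Telnet/web admin listeners stay off until a unique credential exists."""
        return self.password_set


def first_boot_demo() -> Tuple[bool, bool, bool]:
    """Walk a constructed device through first boot; returns (login-before, admin-before, login-after)."""
    dev = DeviceAuth(serial="XK20161021")
    login_before = dev.verify("admin", "admin")      # no default to log in with
    admin_before = dev.remote_admin_allowed()        # services off until set
    dev.set_password("owner", "correct horse battery staple")
    login_after = dev.verify("owner", "correct horse battery staple")
    return login_before, admin_before, login_after


if __name__ == "__main__":
    print(first_boot_demo())  # (False, False, True)
```

The design choice that matters is the absence of any fallback: a device with no password should be unreachable rather than reachable with a shared one, and the same checks that block the factory default should also block the obvious substitutes an owner will reach for, or the botnet's dictionary simply grows by a few entries.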
Chester Wisniewski, principal research scientist from Sophos