The Internet of Things (IoT) is under attack, and really, it was only a matter of time. Many of the devices that make up IoT are remarkably unsecure, and in January, ZDNet predicted that a major IoT security breach was going to happen within two years, quoting James Lyne, global head of security research at Sophos:
The only reason these flaws aren't being exploited right now is that hackers currently have little interest, even though these devices are ‘trivial’ to attack, he [Lyne] said. . . . Very soon, we're likely to see a big breach. It's quite probable that some really shiny, cool, new product is going to come along in the next year which will see massive adoption by consumers and enterprises. When that happens, I think attacker interest will rise.
The hackers have developed an interest, and IoT is now an attack target. Reports claim that the Mirai IoT malware has now infected almost half a million IoT devices. Also, another piece of malware called Bashlight has infected upwards of a million IoT devices. These infected devices are being used as botnets to create DDoS attacks, most notably against the KrebsonSecurity blog.
As ITPortalPro reported, this malware takes advantage of the poor security on IoT but also the poor security practices of IoT users by using the default usernames and passwords that are supposed to be used only for setup and then changed. But too many of us aren’t changing these defaults, and that’s putting us all at risk. Why? As the article reported, studies show that it takes only six minutes for an IoT device to become infected after connecting to the internet.
As Cesare Garlati, chief security strategist at the prpl Foundation, said to me in an email comment:
The new data confirms the importance of securing IoT devices to prevent massive DDOS attacks. It also confirms the low level of sophistication of the exploit: mainly common/default user ID and passwords. I am afraid advanced hardware security technology can do nothing to protect from negligence or plain stupidity.
Garlati suggested that one possible solution is to ban the sale of any connected devices that ship with standard/default/no passwords. He also added that regulators should step up and force ISPs to temporarily block IP addresses known for being part of active botnets. He concluded:
In the end this is no different than stopping a vehicle with broken tail lights to prevent accidents on a highway. There is no need for new technology to block this kind of unsophisticated attack, just a good dose of common sense.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.