Hacks involving teddy bears, refrigerators and televisions? Welcome to the new darling of cyber criminals – Internet of Things (IoT) devices.
It may seem absurd to think that someone would want to hack your blender or thermostat. But there’s a reason behind these new attacks – malware can turn these devices into “bots,” forcing them to report to a central server, which can then be used as a staging ground for launching DDoS attacks designed to knock web sites offline.
Security experts cite two dominant strains of malware being used in IoT hacks – Bashlight and the Mirai worm. Both of these malware families infect systems via default usernames and passwords on IoT devices, enslaving IoT devices in a botnet for launching crippling online attacks. The Mirai worm was used in an attack last September against KrebsOnSecurity, knocking the site offline for four days.
How are IoT hacks happening?
Dahua, the world’s second-largest maker of “Internet of Things” devices, provides a good example of how hackers are getting into these devices. According to Brian Krebs:
Dahua, the world’s second-largest maker of “Internet of Things” devices like security cameras and digital video recorders (DVRs), has shipped a software update that closes a gaping security hole in a broad swath of its products. The vulnerability allows anyone to bypass the login process for these devices and gain remote, direct control over vulnerable systems. Adding urgency to the situation, there is now code available online that allows anyone to exploit this bug and commandeer a large number of IoT devices.
Security researchers discovered the Dahua vulnerability, exposing an “embarrassingly simple flaw” in the way many Dahua cameras and DVRs handled authentication. The vulnerability allowed anyone to bypass the login process for the devices, gaining remote, direct control over vulnerable systems.
The report comes just after another major Chinese IoT firm, Hikvision, came under fire for weak and vulnerable firmware on their security camera and DVR devices. In Hikvision’s case, security experts had been “warning that there were signs of attackers exploiting an unknown backdoor in cameras and DVR devices.” This warning came after the security experts heard from many users that they were locked out of their devices and had new user accounts added without their permission.
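A defender-side check for the two signals described above (factory-default credentials still in place, and accounts that appear or vanish without the owner's permission), as an added example that is not from the original article: it compares an account export against a baseline recorded at commissioning. The CSV layout, the device and account names, and the `default_pw` column (assumed to come from the operator's own provisioning records) are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed baseline: the accounts each device should have,
# recorded by the operator when the device was commissioned.
BASELINE = {
    "cam-lobby": {"admin", "viewer"},
    "dvr-01": {"admin"},
}

# Constructed account export gathered from the devices today.
# default_pw = "yes" means the account still uses the factory password
# (assumed to be known from the operator's provisioning records).
EXPORT = """device,account,default_pw
cam-lobby,admin,no
cam-lobby,system2,no
dvr-01,admin,yes
dvr-02,admin,yes
"""

def audit(export_text, baseline):
    """Return sorted (device, finding, account) tuples for review."""
    seen = defaultdict(set)
    findings = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        dev, acct = row["device"].strip(), row["account"].strip()
        seen[dev].add(acct)
        # Factory credentials are the entry point the article describes.
        if row["default_pw"].strip().lower() == "yes":
            findings.add((dev, "default-password", acct))
    for dev, accounts in seen.items():
        if dev not in baseline:
            # A device nobody commissioned cannot be judged against a baseline.
            findings.add((dev, "unknown-device", "-"))
            continue
        for acct in accounts - baseline[dev]:
            findings.add((dev, "unapproved-account", acct))
    # Expected accounts that disappeared may explain an owner lockout.
    for dev, expected in baseline.items():
        for acct in expected - seen.get(dev, set()):
            findings.add((dev, "missing-account", acct))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(EXPORT, BASELINE):
        print(*finding, sep="\t")
```
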
Despite weak security, IoT expands
There are a lot of potential problems with IoT devices, but as we continue to see more IoT hacks, the most prevalent issue is security. Security experts believe that for most IoT companies, security is an afterthought that is not given enough energy, time and money – which is exactly why the devices themselves shouldn’t be trusted. And with everything becoming connected – from light bulbs to refrigerators to pet feeders – it will only continue to be a challenge to keep those devices secure.
IoT devices are hard to secure. For the sake of usability, they often have weak security. Connecting to an internet-connected light bulb using two-factor authentication and a strong password would be a pain, so instead, they use simplified defense systems that are easy to subvert. Out of the box, a light bulb broadcasts a single Wi-Fi signal and asks you to connect to it and enter your Wi-Fi network information. If a hacker has good timing and is close to your house, they could easily spoof that light bulb to get your Wi-Fi login. The scenario is rare, especially considering how close they’d need to be. That distance is already expanding, though: one light bulb hack that The New York Times reported worked from up to 229 feet away.
Even though IoT security is lacking, new IoT devices are entering the market at a rapid pace. In fact, a recent study by Zebra Technologies shows that 70% of retailers plan to invest in IoT technologies in 2017.
Retailers are doubling down on their commitment to bridge the online and offline shopping experience in 2017, with 70% investing in IoT technologies and 90% planning to spend on installing in-store mobile devices, kiosks, and tablets – citing a desire to “increase payment options, speed check-out lines and improve the overall customer experience” as the motivation behind the investments.
As retailers and consumers invest in IoT – how do we shape the future of IoT and keep it secure? Well, it may get worse before it gets better.
According to FICO’s “17 Financial Crime Predictions for 2017,” due to the lack of security features in web-connected devices, cyberattacks using hijacked IoT devices will increase in 2017. The report said that it is a “great deal easier” to create an IoT botnet than to compromise personal computers. In addition to common connected consumer devices, including smart phones, tablets and web cameras, the FICO report warned that internet-connected vehicles and self-driving cars can present “serious security threats that are very real, impacting not only data but physical safety.”
IoT – one city’s approach
A recent Gartner study estimates that by 2020, there will be 25 billion smart devices transmitting data to us (the device users) and to the cloud. These devices are changing the way we live and work, affecting every facet of our lives from the vehicles we drive to the light switches in our homes.
Some cybersecurity experts, like San Diego’s Chief Information and Security Officer, Gary Hayslip, understand the depth and importance of IoT security. In February, San Diego Mayor Kevin Faulconer announced one of the largest city IoT networks in the nation — 3,200 streetlight sensors to monitor air, traffic and pedestrian safety at intersections. With another 3,000 sensors scheduled to go up soon, Hayslip said IoT can’t be left unsecured.
Taking a comprehensive approach to securing the city’s IoT infrastructure, Hayslip implemented techniques that help to reduce risk and reinforce a defense strategy, shielding San Diego from the half million attacks that are attempted on their networks each day.
“What I realized was that the city is really a $4 billion business with 1.3 million customers and many departments,” Hayslip said. “This made me really flip the way I looked at security, because it requires a different approach. Here I don’t have one network — I’ve got 24 networks, 40 departments and they don’t have to listen to me if they don’t want to.”
Hayslip used his first six months on the job to conduct meetings, department visits and inventory assessments to learn his offices’ priorities and how he could collaborate. His outreach was also about education, explaining why security mattered and how it could directly aid staff. Through this process, Hayslip learned what technology was important to them, as well as what data was created and who had access to it.
The end result has been new partnerships and relationships that have empowered San Diego’s cybersecurity teams to innovate with startups and share the same vision for a cybersecurity roadmap that protects citizen data.
Don’t wait for a breach to happen – secure your data now
Though IoT is still an emerging technology, Hayslip said cities should be experimenting with different security measures as they develop, instead of waiting for a major incident to respond.
And with 1,093 recorded data breaches reported in 2016, involving more than 35 million consumer records, Hayslip’s “act instead of waiting” philosophy is one that IoT corporations need to adopt as well.