There’s a running joke among security experts that the best way to stay safe online is to go offline. When it comes to the Internet of Things (IoT) and the extremely poor security surrounding most of these devices, this joke may be closer to reality.
Over the past few years it’s been painfully obvious that connected gadgets have weak protections against cyber attacks. Whether that’s directly through their design, the lack of a way to change the default passwords or lack of passwords altogether, open ports and so on, countless IoT devices have been hacked.
One of the most widespread reasons hackers attack IoT devices, taking advantage of the poor security, is to turn them into key components of their botnets. These botnets are then used to spread phishing campaigns, malware, or to aid in various other attacks that require a lot of power.
The Mirai botnet, for instance, was used to DDoS attack a key Internet domain resolution hub, which had a great impact on the availability of loads of websites. Other botnets were discovered too, like Persirai, which makes use of unprotected IP cameras,
There’s also the controversial Hajime botnet. What makes Hajime so uncommon is the fact that the author of the worm spreading to these affected connected devices claims to be a white hat. Basically, Hajime infects a device and closes down the vulnerable ports that are normally used by those behind other botnets like Mirai, Persirai and Brickerbot, to name a few. By doing this, the infected devices are immediately secured against further attacks. The controversial part of this whole thing is that Hajime can be weaponized at any moment. Given how it has “infected/saved” over 300,000 devices already, its power could be tremendous.
In short, hackers will take advantage of any Internet-connected device that is improperly secured, be it a router, TVs, cameras, toys, kitchen appliances, printers and so on.
Do we really need that IoT device?
While some of these devices are certainly worth being connected, others aren’t so important. For instance, just a few months ago, it was revealed that a sex toy featuring a camera was open to hackers. Teddy bears and dolls meant for kids were also vulnerable to hackers who could record people’s voices, snoop in on their lives. Kitchen appliances have been hijacked and made part of botnets. Although we live in an extremely connected world, perhaps a discussion should be had at where we draw the line, which devices we really need to have connected to the Internet, and which we could do without.
On the other hand, as specialists point out, we should all probably accept, sooner rather than later, that every little thing in our life will one day be connected to the Internet. That being said, more needs to be done to make sure that absolutely each and every one of these devices are hard to hack, if not impossible, and that safety checks are set in place.
The issue here is that if the IoT industry doesn’t reach a consensus regarding this important issue anytime soon, we’re going to see governments stepping in and imposing regulations. While government involvement in cyber security issues pertaining to private companies is normally frowned upon, it may not be such a bad thing in this instance.
Security guru Bruce Schneier recently said that this type of regulations are “coming.” No “but,” no “ifs.”
“There is a lot of worry that regulation will stiffle innovation, but if you look at history that is not the case. The real physical threat from the Internet of Things will force governments to act because we are talking about fear, and nothing makes a government do something like fear,” Schneier said on the topic during a conference held back in early June.
Schneier points out that the IoT industry can work to increase security by avoiding known vulnerabilities, avoiding insecure defaults and generally making their systems patchable, since that’s a major issue some devices have.
“My guess is that everyone knows that IoT regulation is coming, and is either trying to impose self-regulation to forestall government action or establish principles to influence government action. It’ll be interesting to see how the next few years unfold,” Schneier mentioned in a blog post from February.
Overall, this has been something that many security professionals, Schneier too, have been discussing for a long time. The conclusion among everyone is that something needs to be done. The question that remains unanswered is if the IoT makers will work towards self-improvement and industry-wide security regulations, or if the governments will have to strong-arm them into them.
It is in everyone’s best interest that this issue is resolved, sooner rather than later, because we are all at risk.