IoT security lacking and used for DDoS attacks


Put simply, the Internet of Things (IoT) refers to items that are embedded with electronics, software and sensors and have network connectivity. This enables these objects to collect and exchange data and to connect to other devices over the internet, allowing communication between applications and other appliances.


IoT includes household appliances such as Smart lights, Smart home heating and energy, and even Smart fridges. The internetworking of physical devices allows objects to be controlled remotely across existing network infrastructure. This means, for example, that your Smart fridge texts you when you run out of milk, or when the milk is past its expiry date.

IoT is rapidly appearing everywhere, but the security and privacy of the personal data collected by these IoT machines need to be considered. Mark James, ESET IT Security Specialist, offers an industry expert's insight into IoT and the recent DDoS attacks.

“Because so many of our IoT devices are designed to be configured by the end user, there has to be a good degree of usability: it needs to be easy to set up, easy to integrate and easy to remotely manage.

“This all comes at a price: if the devices are too hard for the average user to manage then their uptake will be significantly slower than competitors.

“In light of the recent DDoS attacks through IoT devices, one thing has come to light: it’s not the device itself that’s necessarily the problem, sadly as usual it’s the end user.

“When these devices leave the warehouse they all have the same username and default password, and in the excitement of getting it all set up and working, sadly the thought of changing credentials that will be available for all and sundry to find on the internet is left behind.

“Maybe the way forward is to force users to change the default password after the first initial login.

“With so many devices being available at varying costs, and consumers always looking to adopt new emerging technologies for the least amount of money, there will always be costs cut in the making of those products.

“Sadly, the only way of making our IoT devices safer is to design the security into these devices from day one, and it needs to be viewed as a feature not as an afterthought like so many are.

“Of course the biggest thing to take away from all of this is the importance of changing default passwords; even a small change could be sufficient to stop an automated program from taking control of your device and wreaking havoc worldwide.

“It’s much harder to target a specific IoT device as certain information needs to be known beforehand, mainly its IP address. That being said, it’s not difficult these days to find that information, then check to see if the relative port is open, then instigate the attack.

“It’s interesting to see IoT failing at the same hurdle PCs were decades ago with default or guessable credentials, lack of patching, and other easily fixed security issues.

“In some areas we evolve at phenomenal rates but sadly security does not seem to be one of them, and what’s worse is that we know how to avoid or fix these problems, but there seems to be a lack of interest to do so.”
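
The forced password change suggested in the quote above can be sketched as a device login flow. This is an added example, not ESET's or any vendor's code; the `Device` class, its method names, the factory credentials and the deny-list are hypothetical, constructed values.

```python
import hashlib
import hmac
import os

# Constructed factory defaults for a hypothetical device; not from any real product.
FACTORY_USER = "admin"
FACTORY_PASSWORD = "admin"
# Small constructed deny-list of passwords that automated tools commonly try first.
COMMON_DEFAULTS = {"admin", "password", "12345", "root", "default"}


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """Hypothetical login flow that blocks use until the default is replaced."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._pw_hash = _hash(FACTORY_PASSWORD, self._salt)
        self.must_change = True  # set at the factory, cleared only by change_password()

    def _check(self, user: str, password: str) -> bool:
        ok_user = hmac.compare_digest(user.encode(), FACTORY_USER.encode())
        ok_pw = hmac.compare_digest(_hash(password, self._salt), self._pw_hash)
        return ok_user and ok_pw

    def login(self, user: str, password: str) -> str:
        if not self._check(user, password):
            return "denied"
        # Correct default credentials only unlock the password-change screen.
        return "change_required" if self.must_change else "ok"

    def change_password(self, user: str, old: str, new: str) -> bool:
        if not self._check(user, old):
            return False
        if len(new) < 10 or new.lower() in COMMON_DEFAULTS or new == old:
            return False  # reject short, common, or unchanged passwords
        self._salt = os.urandom(16)
        self._pw_hash = _hash(new, self._salt)
        self.must_change = False
        return True

    def remote_management_allowed(self, user: str, password: str) -> bool:
        # Network-facing management stays off while the factory password is in place.
        return self.login(user, password) == "ok"
```
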

How many IoT devices do you use? Let us know on Twitter @ESETUK
