Hacks Lead to Frustration, Doubt in IoT Security Schemes

Enough with the security breaches that leverage Internet of Things (IoT) devices and home Wi-Fi routers. The latest attacks on major websites clearly shows that the current schemes for locking down these connected devices are broken.

A quick recap of what happened on October 21 illustrates the problem. A double-dip distributed denial-of-service (DDoS) attack caused outages for some of the leading Internet destinations such as Twitter, Amazon, Tumblr, Reddit, Spotify, and Netflix. The attacks were pinned on a cyber criminal, or criminals, who used the Mirai malware, the same malware that took down sites in September. This malicious botnet searches the Web for IoT devices such as CCTV video cameras, digital video recorders, or Wi-Fi routers that still have factory-default usernames and passwords in use for protection. Such vulnerable devices are then organized to send junk traffic to online websites that eventually crash from the huge volume of traffic coming from multiple devices, sometimes in the hundreds of thousands or millions.

Outages Caused by Mirai Malware on October 21, 2016

(Source: Downdetector.com)

This latest attack caused the US Department of Homeland Security (DHS) to hold a conference call with 18 major communication service providers to develop a new strategy for securing IoT devices. DHS officials said its National Cybersecurity and Communications Integration Center is coordinating with police, private firms, and researchers to better fend off future attacks that exploit the mushrooming number of IoT devices.

Two of the hardware manufacturers involved in the attacks have said they would take steps to reduce the risks from such attacks. Chinese firm Hangzhou Xiongmai Technology, which makes surveillance camera components, said it was recalling some of its products sold in the United States. Dahua Technology, also a Chinese company, said some of its older cameras and video recorders are vulnerable to attacks when a user has not changed default passwords. Dahua is now offering firmware updates from its website to fix the problem, and is offering a discount to customers who want to exchange their device.

These are positive, after-the-attack steps, but the damage done still leaves a cloud hanging over the IoT trend, particularly among consumers. A new survey finds 40% of respondents saying they have no confidence in the safety, security, or privacy of connected devices such as web-enabled thermostats or appliances, according to IT security firm ESET. Moreover, more than half of respondents indicate they are discouraged from buying IoT devices because of cybersecurity concerns.

Success Hinges on Promise of Security

I still count myself among the many proponents of the IoT. The world of connected devices, systems, and services promises many helpful applications and use-cases that benefit users, particularly in terms of energy efficiency and convenience. However, the constant drip of hacks and the misuse of connected devices needs to stop. The vendors involved need to do a better job of securing the devices and helping end users to do the same. Otherwise, the promise of an IoT market will not be met, and the lost opportunity could mount to millions or billions of dollars. Security needs to come front and center for all parties. If the IoT trend is of interest, Guidehouse Insights has just launched a new IoT research service that is worth checking out.