IoT: You become responsible for what you have deployed

Who is responsible when connected devices go on a crime spree?

Last week saw a massive DDoS attack aimed at Dyn, a major DNS provider. The attack disrupted a great many network services of global importance including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, and SoundCloud. But perhaps the most interesting thing about this attack was that it used the Internet of Things (IoT).

The problem is twofold: Connected devices are currently inherently vulnerable, and their owners take a lax approach to cybersecurity.

To sum up the attack: Mirai malware infected the firmware of IoT devices, made the devices into a botnet, and used the botnet in a distributed-denial-of-service (DDoS) attack that took down Dyn. The malicious technique was not sophisticated at all; the criminals exploited default passwords and logins, which are hardly top secret. In other words, this method works on devices that use common defaults that cannot be changed manually and those whose owners never bothered to reconfigure default settings.

The former problem is the fault of manufacturers. The latter rests with owners.

Mirai surely co-opted the IoT devices of home and corporate users alike. Although we can’t necessarily influence the former, we will say that corporate IoT users really must secure their devices. Ensuring IoT security is a big-picture move: If we all change the default passwords of IoT devices, attackers will find their botnets greatly diminished. File that under basic social responsibility.

Don’t call it hindsight, though: After Mirai’s infection of IoT devices, we will see spyware authors taking advantage of the same method.

Our recommendations:

  • Audit IoT devices within your infrastructure;
  • Change any default settings you find (especially common in medium and small companies using consumer-level routers);
  • Enable secure passwords everywhere.

Security is everyone’s business, so do your part to help keep the world safe.