Tackle Vulnerabilities in the Internet of Things
A huge number of vulnerabilities in poorly secured Internet of Things (IoT) devices have been exploited in numerous recent cyber attacks. The use of IoT devices has been flourishing, thanks to the development of wireless technologies, cheaper electronics, advances in microelectronics and high-speed Internet. IoT technology is used in a variety of devices such as security cameras, IP cameras, home routers, VoIP devices, printers, weather sensors, vehicles, smart homes, electronics, actuators, and other devices. IoT facilitates inter-networking of physical devices. Such devices can be controlled remotely through the Internet.
Deadly Mirai Botnet Attack
Cyber criminals have exploited vulnerabilities in the increasingly connected world to enroll/hijack these devices and operate them under their control. The deadly Mirai botnet attack and the Sony IP device attacks demonstrated the drastic consequences and the huge economic cost that such attacks can have. Both these attacks involved enrolling IoT devices into a botnet and using them to unleash large-scale DDoS (Distributed Denial of Service) attacks.
Since the public release of the Mirai malware code, several versions have cropped up, and some have even been successful against nation states (the attack against Liberia). The IoT devices belong to many prominent vendors, and their lax security policies led to the exploits and resultant attacks.
IoT devices have to be secured. The basic vulnerability is retaining the default administrator password for these devices. This has been found to be the major culprit in most attacks. It is strongly recommended to immediately change the default password. However, the attacks reveal that scant regard has been given to this security factor.
While most devices allow the password to be changed, some devices have the administrator password hard-coded into the device. Such devices are the favorite target of botnet masters. Some cyber security experts have raised the fear that such hard-coded passwords could be intentional, and thus serve as a base for DDoS attacks.
Poorly protected devices and weak security protocols have allowed these attacks. In one such attack, over 70 different models of Sony IP cameras were targeted and enrolled into the botnet.
Securing IoT Devices
- Change the default administrator password
- Use a strong password policy: a mix of uppercase and lowercase letters, numerals, and special characters
- A longer password gives better security
- Use passphrases if allowed
- Do not use easily guessable passwords
- Do not purchase IoT devices with hard-coded passwords
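The checklist above can be turned into a check that runs before an administrator password is accepted on a device. This is an added example, not code from any vendor or from the original article; the default-password list is a constructed sample, and the length and passphrase thresholds are assumptions, since the article only says that longer is better.

```python
import string

# Constructed sample of factory-default passwords (assumption, not a vendor list).
SAMPLE_DEFAULTS = {"admin", "password", "12345", "root", "default"}
MIN_LENGTH = 12         # assumed threshold; the article only says longer is better
PASSPHRASE_WORDS = 4    # assumed: 4+ distinct words and 20+ characters is a passphrase
PASSPHRASE_LENGTH = 20


def is_run(password):
    """True for a single repeated character or a straight run such as 'abcdef' or '123456'."""
    if len(set(password)) <= 1:
        return True
    return all(ord(b) - ord(a) == 1 for a, b in zip(password, password[1:]))


def check_admin_password(password, username="admin", defaults=SAMPLE_DEFAULTS):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if lowered in defaults:
        problems.append("default password still in use")
    if username and username.lower() in lowered:
        problems.append("contains the account name")
    if is_run(password):
        problems.append("easily guessable pattern")

    # A long passphrase of distinct words is accepted without the character-mix rule.
    words = [w.lower() for w in password.split()]
    if (len(words) >= PASSPHRASE_WORDS and len(set(words)) == len(words)
            and len(password) >= PASSPHRASE_LENGTH):
        return problems

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    for candidate in ("admin", "abcdefgh", "Tr7!kQz#92mLp@", "lantern orbit maple cactus river"):
        print(repr(candidate), "->", check_admin_password(candidate) or "OK")
```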
Responsibility of Manufacturers
IoT device manufacturers must become more responsible. They must:
- enable mandatory change of the administrator password
- allow framing of strong passwords and passphrases
- not hard-code passwords
- update firmware to thwart the latest attacks
- release security patches when necessary
Following such basic precautionary measures could help users safely enjoy the benefits of IoT devices.