How to Tackle Vulnerabilities in the Internet of Things
There are a huge number of vulnerabilities within poorly secured Internet of Things (IoT) devices which have been exploited in the numerous recent cyber attacks. The usage of IoT devices has been flourishing – thanks to the development of wireless technologies, cheaper electronics, advancement in microelectronics and high-speed Internet. IoT technology is used in a variety of devices such as for security cameras, IP cameras, home routers, VOIP devices, printers, weather sensors, vehicles, smart homes, electronics, actuators, and other devices. IoT facilitates inter-networking of physical devices. Such devices can be controlled from remote through the Internet.
Deadly Mirai Botnet Attack
Cyber criminals have exploited vulnerabilities in the increasingly connected world to enroll/hijack these devices and operate them under their control. The deadly Mirai botnet attack and the Sony IP device attacks demonstrated the drastic consequences and the huge economic cost that such attacks can have. Both these attacks involved enrolling IoT devices into a botnet and using them to unleash large- scale DDoS (Distributed Denial of Service) attacks.
Since the public release of the Mirai malware code, several versions had cropped up and some had even been successful against nation states (attack against Liberia). The IoT devices belong to many prominent vendors, and their lax security policy had led to the exploit and resultant attacks.
IoT devices have to be secured. The basic vulnerability is retaining the default administrator password for these devices. This has been found to be the major culprit in most attacks. It is strongly recommended to immediately change the default password. However, the attacks reveal that scant regard has been given to this security factor.
While most devices allow the password to be changed, some devices have the administrator password hard-coded into the device. Such devices are the favorite target of bot net masters. Some cyber security experts have raised the fear that such hard-coded passwords could be intentional, and thus serve as a base for DDoS attacks.
Poorly-protected devices and weak security protocols have allowed these attacks. In one such attack, over 70 different models of Sony IP cameras had been targeted and enrolled into the botnet.
Securing IoT Devices
Change the default administrator password
Use a strong password policy – use a mix of uppercase and lower case alphabets, numerals, and special characters
Longer password ensures better security
Use passphrases if allowed
Do not use easily guessable passwords
Do not purchase IoT devices with hard-coded passwords
Responsibility of Manufacturers
IoT device manufacturers must become more responsible. They must
enable mandatory change of the administrator password
allow framing of strong passwords and passphrases
Not hard code passwords
update firmware to thwart latest attacks
release security patches when necessary
Following such basic precautionary measures could help safely enjoy the benefits of IoT devices.
Julia Sowells92 Posts
Julia is a security geek with almost 5+ years of experience, writes on various topics pertaining to network security.