Why Threat Prevention on IoT Devices is Almost too Hard…

June 12, 2017

The Mirai botnet was responsible for the October 2016 attack that brought down much of our internet. The victim was Dyn, a company that provides DNS service. A Distributed Denial of Service (DDoS) attack caused the outage, and up to 100,000 malicious endpoints were used in it. The malicious “endpoints” were IoT devices: digital cameras and DVR players that were connected to the internet.

Two things made the attack so easy to execute: 1) the availability of IoT devices with default usernames and passwords (some were hard coded), which could easily be compromised, and 2) the availability of DDoS tools. Yet the attack was not as easy to prevent because of its massive scale. Brian Krebs mentions in a recent post the availability of VDOS for hire, which is “virtual hired muscle that can be rented to knock nearly any website offline.”

How could this have been prevented? What can we do in the future? The standard guidelines for defense against DDoS include:

  - disabling unnecessary services
  - using anti-malware
  - enabling router throttling
  - using a reverse proxy
  - enabling ingress and egress filtering
  - degrading services
  - absorbing the attack

The cryptographer Adi Shamir suggests: “The government should definitely do something about it – they should not allow devices which are not sufficiently secure to be connected to the public internet.” A bold statement, but very true. Security is not built into many IoT devices since that’s not what they are “designed for.” I mean, logically speaking, why would a refrigerator need security measures built in? Well, if it has an internet connection, why shouldn’t it?

Question: How do you prevent this? What’s to stop me from connecting anything to the internet?

To begin with, we need better quality control. Period. Any device with hardcoded credentials should not be allowed into the market. That should solve 50% of the problem. The other half can be addressed by user awareness, better software, and regular device updates. If my Android phone can be connected securely to the internet, so can my camera or DVR.
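
One way to turn the quality-control point into a release check, as an added example that is not from the original article: a script that inspects the `passwd` and `shadow` files of an unpacked firmware image and fails the build if any interactive account ships with an empty password or a preset password hash. The sample file contents, account names and the function names `classify` and `audit` are constructed for this illustration.

```python
# Added example: QC gate over the account files of an unpacked firmware image.
# File contents below are constructed; names, hashes and shells are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000::/home/admin:/bin/sh
support:$1$constrct$CONSTRUCTEDHASHVALUE00:1001:1001::/:/bin/sh
daemon:x:1:1::/:/sbin/nologin
setup:x:1002:1002::/:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$constructed$NOTAREALHASH:17000:0:99999:7:::
admin::17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
setup:!:17000:0:99999:7:::
"""
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def classify(pw_field):
    """Return the problem with a passwd/shadow password field, or None."""
    if pw_field == "":
        return "empty password"
    if pw_field[0] in "!*":  # locked: no password can match until one is set
        return None
    return "password hash baked into image"


def audit(passwd_text, shadow_text=""):
    """List (user, issue) for every interactive account that ships usable."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue  # skip blank or malformed lines
        user, pw, shell = parts[0], parts[1], parts[6]
        if pw == "x":  # "x" means the real field lives in shadow
            pw = shadow.get(user, "*")  # no shadow entry: cannot log in
        issue = classify(pw)
        if issue and shell not in NOLOGIN_SHELLS:
            findings.append((user, issue))
    return findings


if __name__ == "__main__":
    for user, issue in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"FAIL {user}: {issue}")
```

An image passes only when `audit` returns an empty list, which in practice means every login account is locked until the owner sets a password on first boot.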

What are your thoughts or plans for improvement? Comment below, please.

3 Comments
  1. Manufacturers should make the very first step after you turn on the IoT device be to set up a strong password, just like when you install an OS.

  2. It seems that with the growth of the IoT, we will inevitably face some SERIOUS repercussions. Malicious attackers will always be one step ahead in any area of cyber, the question is how small of a step we can keep it at, especially with the new systems and technologies coming into the market…

  3. A very thoughtful article, thanks 🙂 +10
