By: Masood
June 12, 2017

Why Threat Prevention on IoT Devices is Almost too Hard...


The Mirai botnet was responsible for the October 2016 attack that brought down much of our internet. The victim was Dyn, a company that provides DNS service. A Distributed Denial of Service (DDoS) attack caused the outage, and up to 100,000 malicious endpoints were used for the attack. The malicious “endpoints” were IoT devices: digital cameras and DVR players that were connected to the internet.

Two things made the attack so easy to execute: 1) the availability of IoT devices with default usernames and passwords (some were hard-coded), which could easily be compromised, and 2) the availability of DDoS tools. Preventing the attack, however, was not as easy because of its massive scale. In a recent post, Brian Krebs mentions the availability of VDOS for hire, which is “virtual hired muscle that can be rented to knock nearly any website offline.”

How could this have been prevented? What can we do in the future? The standard guidelines for defense against DDoS include:

- disabling unnecessary services
- using anti-malware
- enabling router throttling
- using a reverse proxy
- enabling ingress and egress filtering
- degrading services and
- absorbing the attack

The cryptographer Adi Shamir suggests: “The government should definitely do something about it - they should not allow devices which are not sufficiently secure to be connected to the public internet.” A bold statement, but very true. Security is not something built into many IoT devices since that's not what they are "designed for." I mean, logically speaking, why would a refrigerator need security measures built in? Well, if it has an internet connection, why shouldn't it?

Question: How do you prevent this? What’s to stop me from connecting anything to the internet?

To begin with, we need better quality control. Period. Any device with hardcoded credentials should not be allowed into the market. That should solve 50% of the problem. The other half can be addressed by user awareness, better software, and regular device updates. If my Android phone can be connected securely to the internet, so can my camera or DVR.

What are your thoughts or plans for improvement? Comment below, please.
