In 1982, a Coke machine at Carnegie Mellon University was modified to connect to the Internet and report inventory and temperature status. In 1985, the first alleged use of the term “Internet of Things” was by Peter T. Lewis before a technical panel organized by the FCC and U.S. Department of Commerce Minority Enterprise Telecommunications Seminars. It is only in recent years, however, that the Internet of Things, or IoT for short, has really taken off and influenced our daily lives.
While it is easy to see the appeal of connected thermostats, garage door openers, refrigerators, vending machines, HVAC systems and light sensors (among many other things), the problem arises when the implementation of features and acquisition of market share take precedence over user security. Many are aware of the reports describing and demonstrating recent vulnerabilities, such as the disabling of brakes and steering, associated with constantly connected vehicle computer systems, but the exploitation of IoT devices doesn’t seem to be getting the same media attention even though the impact to companies and individuals can be quite large. For instance, a college network of over 5,000 Internet-connected devices was recently comprimised and used to cripple the network and restrict service. Another example is the record-breaking distributed denial-of-service (DDoS) attack of the website belonging to reporter Brian Krebs, where a botnet of compromised IoT devices called Mirai was used to flood the website with up to 620 Gigabits of traffic per second. The attack on Brian’s website was so devastating that Google had to step in and provide their own DDoS protection service that is normally reserved for much larger sites. If this attack was not bad enough, the source code for Mirai was later released online where others can download it and create their own botnet of unprotected IoT devices.
If these attacks can be done right now, where the install base of IoT devices in 2016 was estimated around 7 billion, imagine what can be done if the install base reaches the estimated 20 to 50 billion by 2020. While there will always be vulnerable devices, there are some steps an individual or business can take to limit the exposure and vulnerability associated with any IoT devices in use on the network. The first step actually comes before the device is purchased. It will cost more money in the end, but the user should perform research and try to purchase equipment from a reputable company where the risk of backdoor connections and hard-coded default credentials is lower. Please note that even large companies sometimes fail the end user, as was the case recently when Vizio was caught collecting and sharing user data without consent, but these name brand devices typically ship with stronger security settings. The second step is to ensure any IoT devices are segregated from any critical or business network devices. If an Internet-connected camera, thermostat, or other device must be in use, it should be on a completely separate Internet connection or, at minimum, logically segmented from the network through a VLAN. The third step, which is equally important as the second, is to change any default passwords that ship with the device and implement a long, strong password to help prevent brute force attacks. This might not totally prevent the use of the device for nefarious means, but changing credentials from the username of “admin” with no password to a unique username and strong password (hint: not “user” or “password1234”) will greatly decrease the susceptibility of the device itself.
In summary, the Internet of Things is here to stay and rapidly growing. Companies are quick to push out products but slow to implement proper security. While taking the steps listed above will help prevent a shiny, new fridge from ending up in a botnet, it might be a good idea to determine if a fridge that is always connected to the Internet and can monitor spoilage is truly necessary.
Daniel Lindley is a Security and Compliance Consultant for CoNetrix. CoNetrix is a technology firm dedicated to understanding and assisting with the information and cyber security needs of community banks. Offerings include: information security consulting, IT/GLBA audits, security testing, cloud hosting and recovery solutions, and Tandem software, used by over 1000 financial institutions to help manage their information security programs, cybersecurity, and more. Visit our website at www.conetrix.com.