Source: Malwarebytes
In 2016, threat actors pulled off a basic but devastating botnet attack that harnessed the power of the Internet of Things (IoT).
After gathering a list of 61 default username and password combinations for IoT devices, threat actors scanned the Internet for open Telnet ports and, when they found a vulnerable device, gained entry, eventually amassing an army of IoT devices to launch a massive DDoS attack.
This was the Mirai botnet attack. Though it began as a simple get-rich-quick scheme involving, of all things, the popular video game Minecraft, it led to a widespread Internet outage on the US East Coast.
In terms of ingenuity, the attack was fairly crude. There was no social engineering element and no clever attack machinery.
But if that kind of rudimentary attack destabilized an entire region’s Internet, what would a focused IoT attack do instead? And what types of IoT security are protecting users today?
Last month, for Cybersecurity Awareness Month, Malwarebytes hosted multiple educational webinars and cybersecurity training sessions for its employees, offering advice on strong password creation, two-factor authentication, and how to spot a phishing email.
In our final week of Cybersecurity Awareness Month, we hosted a live version of our podcast, Lock and Code, for our employees. In the episode (which you can listen to in full here), we spoke to John Donovan, chief information security officer for Malwarebytes, and Adam Kujawa, security evangelist and a director of Malwarebytes Labs, about the future of cybersecurity for the Internet of Things.
What we learned was interesting enough to present to our audience in both our podcast and, today, as a blog on Malwarebytes Labs.
Crucially, the future of cybersecurity for IoT devices is not separate from the future of cybersecurity for all devices. In fact, as our use of and reliance on IoT devices shifts from general convenience to full integration into daily routines, the two concepts may very well merge.
Here’s what is keeping us safe today, and what we can expect to keep us safe tomorrow.
IoT non-standardization: Boon or burden?
Perhaps non-intuitively, IoT devices are currently protected by the exact same infrastructure that leaves them vulnerable—they are not standardized. That means that many IoT devices out there today, from smart fridges to smart speakers to smart watches, are often built on different parts that run different operating systems that rarely, if ever, talk to one another.
From one perspective, that’s good, Kujawa said.
“Right now, the best security we have for IoT devices is that [development] isn’t standardized yet,” Kujawa said. “There are lots of different devices using different platforms, on different frameworks, with different protocols in some cases, and that confusion makes it difficult to do things like develop a serious security threat to these devices.”
From another perspective, though, this same non-standardization presents a threat to effective IoT security solutions.
“It also works against us in the sense that developing security tools in order to protect these devices is just as difficult because you can’t create one solution that will necessarily work on every single device,” Kujawa said.
Until that standardization arrives, Donovan said that a lot of IoT device cybersecurity hygiene falls to the users themselves. Donovan and Kujawa offered several best practices that consumers should be able to implement today, no matter their level of tech proficiency:
- Change the default password on your IoT devices
- Do not connect your IoT devices to networks you do not trust
- Stay informed about any reported vulnerabilities for your devices
- Update your devices
These four steps will better protect your IoT device from harm because, as we learned from the Mirai attacks, cybercriminals are primarily looking for easy targets. Think of it like actual burglary attempts: Thieves don’t often go looking for padlocks to try to pick; they look for doors that are unlocked.
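The Mirai pattern described earlier (one source probing many devices for open Telnet ports) shows up in gateway logs, and so do the "unlocked doors." The following is an added example, not from the original article or from Malwarebytes; the log format, the addresses, and the inclusion of port 2323 as an alternate Telnet port are assumptions made for illustration.

```python
import re
from collections import defaultdict

# 23 is the standard Telnet port; 2323 is a common alternate (assumption:
# the article only says "open Telnet ports").
TELNET_PORTS = {23, 2323}

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) ACTION=(?P<action>\w+)"
)

# Constructed sample log in a hypothetical gateway format (not real traffic).
SAMPLE_LOG = """\
2024-01-15T11:10:01Z SRC=203.0.113.7 DST=192.168.1.20 DPT=23 ACTION=DROP
2024-01-15T11:10:01Z SRC=203.0.113.7 DST=192.168.1.21 DPT=23 ACTION=DROP
2024-01-15T11:10:02Z SRC=203.0.113.7 DST=192.168.1.22 DPT=2323 ACTION=ACCEPT
2024-01-15T11:10:05Z SRC=198.51.100.9 DST=192.168.1.20 DPT=443 ACTION=ACCEPT
2024-01-15T11:10:09Z SRC=198.51.100.44 DST=192.168.1.22 DPT=23 ACTION=ACCEPT
garbled line without fields
""".splitlines()


def parse(lines):
    """Yield (src, dst, port, action) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"]), m["action"].upper()


def telnet_scanners(lines, min_hosts=3):
    """Sources that probed Telnet on at least min_hosts distinct devices."""
    targets = defaultdict(set)
    for src, dst, port, _ in parse(lines):
        if port in TELNET_PORTS:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_hosts}


def exposed_devices(lines):
    """Devices where an inbound Telnet connection was allowed through."""
    return sorted({dst for _, dst, port, action in parse(lines)
                   if port in TELNET_PORTS and action == "ACCEPT"})


if __name__ == "__main__":
    print("scanners:", telnet_scanners(SAMPLE_LOG))
    print("exposed:", exposed_devices(SAMPLE_LOG))
```

Any device returned by `exposed_devices` is a candidate for the steps above: change its default password, update it, and block or isolate its Telnet service.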
Beyond these basic steps, Donovan noted that the lack of IoT standardization has created a higher bar for some users to fully secure their own devices and networks.
“All the things you would do to secure a corporate network? Now you have to do it in your house,” Donovan said. That includes several security best practices like segregating individual IoT devices and setting up a virtual LAN—or VLAN—to isolate IoT devices from the rest of a network.
No matter the level of tech proficiency, though, there’s more to cybersecurity than personal responsibility.
Donovan said that IoT developers should include automatic security updates by default. A lack of automatic updates often results in no meaningful cybersecurity, and that goes for any popular device or software.
Where the problems really start to compound, though, is in the corporate world.