The Internet of Things (IoT) has been hitting the news headlines recently, and last Friday the world discovered just how vulnerable these devices can be. A network of devices including webcams and baby monitors was hijacked by a botnet which, by launching a Distributed Denial of Service (DDoS) attack, brought down many of the websites we all use as part of our daily lives, including Twitter and PayPal.
But what is a DDoS attack and why are connected IoT devices a key part of this enormous cyber-security disaster?
A Denial of Service (DoS) attack is a cyber attack in which the attacker seeks to make a machine, network or website unusable. Most are achieved by flooding the target with huge numbers of requests, overloading its systems and preventing it from working. The added D at the front of DDoS stands for distributed, referring to the practice of using many, often thousands of, separate devices as part of the attack. Hacked IoT devices make excellent DDoS tools as many are shipped with insecure default settings, default passwords and easily exploitable code.
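The difference between a flood from one machine and a distributed flood from many is what a defender sees first in the access logs. The following Python script is an added example (not code from Big Brother Watch or from any of the firms named on this page): it buckets requests per second, flags any second above a request threshold, and labels the window "dos" when the traffic comes from a handful of addresses or "ddos" when it comes from many distinct sources. The log lines, addresses, timestamps and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Matches the start of an Apache/nginx-style access log line; only the client
# address and the bracketed timestamp are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_line(line):
    """Return (client_ip, timestamp_string), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ts")


def analyse(lines, max_requests=5, min_sources_for_distributed=5):
    """Bucket requests per one-second window, flag windows above max_requests and
    classify each flagged window as 'dos' (few sources) or 'ddos' (many sources)."""
    windows = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip unparseable lines rather than crash mid-incident
            continue
        ip, ts = parsed
        windows[ts].append(ip)

    alerts = []
    for ts in sorted(windows):      # timestamps share a day, so string order is time order
        ips = windows[ts]
        if len(ips) <= max_requests:
            continue
        unique = len(set(ips))
        kind = "ddos" if unique >= min_sources_for_distributed else "dos"
        alerts.append({"window": ts, "requests": len(ips), "sources": unique, "kind": kind})
    return alerts


# --- constructed sample log (documentation-range addresses, not real traffic) ---
def _line(ip, ts):
    return f'{ip} - - [{ts}] "GET /login HTTP/1.1" 200 512'


T0, T1, T2 = ("21/Oct/2016:11:00:0%d +0000" % i for i in range(3))
SAMPLE_LOG = (
    [_line("203.0.113.5", T0), _line("203.0.113.9", T0), _line("203.0.113.5", T0)]  # normal
    + [_line("198.51.100.7", T1)] * 8                                               # one source flooding
    + [_line(f"192.0.2.{n}", T2) for n in range(1, 11)]                            # ten sources flooding
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

In practice the thresholds come from a baseline of the site's normal traffic, and the "sources" count is what makes simple IP-based blocking ineffective against the distributed case: blocking one flooding address stops the first window but does nothing against the second.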
Consumers don’t spend much time thinking about the security of their connected baby monitors, fridges and lightbulbs. They often aren’t even aware that they can be hacked. It is therefore unsurprising that most people don’t realise that just like computers and smartphones, IoT devices require updates to keep them safe from hackers.
Companies and governments are finally waking up to these problems and beginning to realise they need to do more to inform consumers. Following a one-day Internet of Things security session organised by the US government, a group of major tech firms ranging from AT&T to Microsoft has agreed to work on raising awareness of IoT device security.
One issue discussed was the need to inform consumers about how long a device is safe to use. Because regular security updates are needed to protect devices, consumers often carry on using insecure devices, not realising they are unprotected and easy to hack. Following the meeting, the manufacturers have provisionally committed to updating and patching devices for a set number of years, with the date stuck on the box in much the same way as for food or medicine.
In the press today we see that one Chinese firm is taking measures to ensure that passwords for its devices aren’t automatically generated. This is one of the most obvious risks to IoT devices and one which consumers routinely ignore; changing the password on any connected device instantly offers a level of security equivalent to fitting a lock to a door.
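One way a manufacturer can make that lock mandatory rather than optional is to ship the device with its remote services switched off until the owner has replaced the factory credential with one that passes a basic policy. The Python below is an added example illustrating that pattern; it is not the firm's own firmware or any real device's code, and the factory credential, the weak-password list and the minimum length are constructed values for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed factory credential and a short constructed list of weak values
# that the device refuses to accept during first-time setup.
FACTORY_DEFAULT = ("admin", "admin")
WEAK_PASSWORDS = {"admin", "password", "123456", "12345678"}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000


def password_problems(username, password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if (username, password) == FACTORY_DEFAULT:
        problems.append("password is the factory default")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("password is a commonly used default")
    if password.lower() == username.lower():
        problems.append("password equals the username")
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    return problems


class DeviceSetup:
    """Models a device that ships locked down: remote access stays disabled until
    the owner sets a credential that passes the policy, and only a salted hash is kept."""

    def __init__(self):
        self._username = None
        self._salt = None
        self._digest = None

    def set_credentials(self, username, password):
        """Apply the policy; on success store a salted PBKDF2 hash and return []."""
        problems = password_problems(username, password)
        if problems:
            return problems
        self._username = username
        self._salt = secrets.token_bytes(16)
        self._digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        return []

    def remote_access_enabled(self):
        """Remote services are only exposed once a policy-compliant credential exists."""
        return self._digest is not None

    def check_login(self, username, password):
        """Constant-time comparison of the candidate against the stored hash."""
        if not self.remote_access_enabled() or username != self._username:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self._digest)


if __name__ == "__main__":
    device = DeviceSetup()
    print("remote access before setup:", device.remote_access_enabled())
    print("rejected:", device.set_credentials("admin", "admin"))
    print("accepted:", device.set_credentials("admin", "correct horse battery staple") == [])
    print("remote access after setup:", device.remote_access_enabled())
```

The important design choice is the gating in `remote_access_enabled`: a device that exposes its login page before the owner has been made to choose a credential is, from the point of view of a botnet scanning for factory defaults, identical to one that never supports changing the password at all.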
Big Brother Watch has long called for firms to build privacy and security by design into connected devices. Rather than seeing privacy or security as a dirty word or as an inhibitor to innovation, we have argued that by taking these two key requirements into consideration right at the start of the design process companies can do the following:
As Christmas looms and the lure of IoT or “smart” devices as gifts for the family grows, we hope to see companies give far more detail about how they will secure these shiny new devices so they don’t become a target for hackers.