Connected devices create millions of cyber security weak spots

Default passwords on devices from the digital video recorder in your living room to the security camera in your office threaten the stability of the internet, as hackers build vast networks of Internet of Things [1] devices to bombard websites with traffic.

The attack on Dyn, a domain name service provider, that disrupted access [2] to high-profile sites such as Twitter, Spotify and the New York Times [3] on Friday, highlighted the risks posed by the billions of devices connected to the internet with little or no cyber security protections. Unidentified hackers took over tens of millions of devices using malicious software called Mirai, making the attack much more powerful [4] and harder to defend against than the average distributed denial of service attack.

In a rush of excitement about the prospect of controlling houses and office buildings from smartphones, changing the temperature or detecting burglars using cameras, many manufacturers with little experience of cyber security have connected devices to the internet.

Regulators have not yet created clear rules on how they should be protected, and even businesses are finding that well-meaning suppliers or facilities managers have accidentally created holes in their corporate networks by adding connected devices. Michael Sutton, chief information security officer of Zscaler, a cloud security company, said Friday's attack would be a wake-up call for the hardware industry.

Security in the hardware industry is a decade behind where it is in the software industry, he said. Mirai was successful because so many webcams, digital video recorders, etc have been produced with default passwords that have never been changed. A simple internet scan identifies them and they can quickly be compromised.

Cyber security experts have been warning about the risk of Internet of Things devices for years, staging high-profile hacks at their annual conference Def Con that show how everything from connected cars [5] to insulin pumps [6] could be hacked. But often it has been hard to see why a cyber criminal would target an individual's device, unless to expose the activity of a person in the public eye or cause harm to a political figure. This attack showed that even if a connected device is not necessarily a huge threat to its owner, it could be used maliciously to attack others.

20bn: estimated number of connected devices in the world by 2020 (Source: Gartner)

Gartner, the research firm, forecasts there will be over 20bn connected devices in the world by 2020, with consumers spending $1,500bn on the Internet of Things and businesses spending almost as much. The research firm predicts that more than a quarter of attacks on companies will involve connected devices by 2020, but enterprises will only spend 10 per cent of their cyber security budgets on protecting against these types of attacks.

Jeremiah Grossman, chief of security strategy at SentinelOne, a Silicon Valley-based cyber security company, says more attention to the problem of insecure devices is long overdue. Device makers should force users to change their default passwords as part of the set-up process and issue security updates, just as they do on PCs, he said. Installing an agent that can monitor what the device is doing would have shown the very anomalous behaviour when it was recruited to a botnet, he added.

Regulating the industry is almost impossible, Mr Grossman added, because the companies connecting devices to the internet do not fit in any one category, stretching from makers of smart TVs to medical device manufacturers. Some regulators have taken a look at the potential threat, with the US Food and Drug Administration, which oversees the manufacturers of pacemakers [7] and other medical equipment, issuing draft guidelines earlier this year for how hospitals and manufacturers should monitor devices for vulnerabilities and deploy updates.

Shuman Ghosemajumder, chief technology officer at Shape Security, agreed it is tough for regulators to solve the problem, as security challenges are constantly changing when hackers develop new techniques. But he said they should be responsible for setting minimum expectations and norms.

The industry as a whole needs to do a better job. There's no question that the growth of the Internet of Things has been fuelled by the excitement around the internet connection enabling new functionality and security has taken a back seat, he said.

However, he added that potential targets, such as Dyn, a domain name services provider which many major companies rely on to provide access to their sites, also need to improve their security and better protect themselves from these ever-expanding botnets.

Dyn said in a blog post [8] on Saturday that it was watching out for any further attacks and working with law enforcement agencies and others to investigate who was behind the attack. The number and type of attacks, the duration and the scale, and the complexity of these attacks are all on the rise, said Kyle York, chief strategy officer. Mr York said that because of the customers that relied on it, Dyn was often the first responder of the internet.

But as the internet grows larger, bringing in thermostats, lightbulbs and baby monitors, sending in the paramedics just got even harder.

References

  1. Internet of Things (www.ft.com)
  2. disrupted access (www.ft.com)
  3. New York Times (markets.ft.com)
  4. more powerful (www.ft.com)
  5. connected cars (www.ft.com)
  6. insulin pumps (www.ft.com)
  7. pacemakers (www.ft.com)
  8. blog post (hub.dyn.com)
