Last Friday, while I was cycling in mainland Europe and oblivious to it happening, there was a DDoS (Distributed Denial of Service) attack on Dyn, a US-based DNS (Domain Name System) vendor, that brought down the services of Airbnb, Twitter, Spotify and others. While I was reliant on Airbnb for our accommodation that evening, the event went unnoticed.
What was remarkable about this event was that the botnet that performed the attack was made up not of poorly maintained and patched personal computers, as is usually the case, but of IoT (Internet of Things) devices.
I have previously voiced my opinion about the poor security of IoT devices. While personal computers are supported by an ecosystem of vendor support and third-party applications to protect them from exploitation, the same is not true for IoT devices, many of which are designed and made in small shops in the Far East.
An example to illustrate this is that my wife bought me a helmet cam for my recent cycle trip. An object of beauty to look at. The helmet cam can be connected to a WiFi network and thence to the Internet. It came with some default software from a major IT player that was de-supported 2 years ago.
Many of the IoT vendors have been successfully making hardware gadgets for years, and are only now upgrading these devices to be internet-enabled. The skills to harden the hardware and software against infiltration do not yet exist across the supply chain. There are no end-to-end software toolkits to help these hardware developers do a good job. IoT security is still very immature.
Until recently I had considered the main danger of the lack of security in IoT to be that these devices could be used to infiltrate our own networks and steal personal data. But now it is clear that they can be used for bigger things.
On a personal note to all who read this, recently a friend's firm had their network compromised and lost a lot of data as a result of access through an internet-connected photocopier which still had its default userID and password. So please, go and check all the non-computer devices on your network and make sure that they have secure login credentials (printers, scanners, photocopiers, routers, etc.). Don't wait.
Last Friday, some of the internet’s most popular websites – think Twitter, Airbnb, Spotify – were disrupted due to a massive hacking attack. There was nothing particularly new in the hackers’ method. Creating an overwhelming surge in traffic is known as a “distributed denial of service” (DDoS) attack, and has been around for years. Nor was there a huge amount of surprise that it had happened. Cybersecurity experts had warned for years that it was coming. What was noticeable, however, was the attack’s use of the so-called “Internet of Things”.