On October 21, 2016, the US suffered a massive DDoS (Distributed Denial of Service) attack which disrupted internet activity for large parts of the day. The main target of the attack was the Domain Name System (DNS) service run by the company Dyn. What is surprising, however, is that the attackers were able to use the weak security systems on most Internet of Things (IoT) devices to accomplish this DDoS attack.
IoT devices are becoming more and more commonplace in many homes. Technically, they are all the non-computing devices that you interact with on a daily basis. These include light bulbs, thermostats (think Nest), door locks, refrigerators, and even cars. IoT devices work by connecting directly with other IoT devices in order to help businesses and people.
These devices work without human input in order to manage activities and acquire data patterns about their humans in order to provide better services.
Because these devices are becoming more ubiquitous, it is alarming that the Dyn DDoS attack in October was on such a large scale. Although alarming, it was also unsurprising. IoT device manufacturers are creating these useful items faster than adequate privacy and security measures can keep up.
For this reason, the Broadband Internet Technical Advisory Group (BITAG) has recently published a new report that helps develop best broadband network management practices.
The report focuses on the security vulnerabilities that are apparent on many IoT devices. More specifically, once one device is infected with malware, it is relatively easy to spread spam and DDoS attacks to the other connected devices.
The most common vulnerability that comes with these devices (and a major cause of the Dyn DDoS attack) is that most devices come with default usernames and passwords. These details are widely known and a lot of the information can be found online by looking up the device make and model.
Although manufacturers strongly recommend that users change these default login details, most users do not. Because they are eager to begin using these IoT devices immediately, they forgo an extra step in the setup and leave themselves vulnerable to attacks. There are even free ways to search for and identify unprotected IoT devices. That’s why changing the default login details and making sure to create a strong password is extremely important.
Another point of criticism from the report is the lack of updates that are deployed to the devices after the initial sale, as well as the lack of strict security and privacy measures throughout the IoT supply chain. If the devices ship out with outdated software, or software with bugs, these devices will then become more vulnerable to attacks.
Another aspect the report points out is that many IoT devices communicate amongst each other with simple cleartext, rather than using any encrypted formats. This means that any snooping eyes or ears may be able to easily intercept and steal this information.
For IoT device users, the most common recommendation is to change usernames and passwords on these devices as soon as they come out of the box, or at any time after that. This will help to minimize the possibility of another widespread DDoS attack, which is in all likelihood being planned as you are reading this.
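The three weaknesses the report highlights (factory-default logins, missing updates, and cleartext communication) can be checked against a record of your own devices. The following is an added example, not part of the original article or the BITAG report; the inventory, the device names, the 12-character password threshold, and the list of cleartext protocols are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    username: str
    password: str
    factory_username: str   # login printed in the manual or on the label
    factory_password: str
    mgmt_protocols: tuple   # services enabled for managing the device
    firmware: str           # installed version
    latest_firmware: str    # newest version the vendor has published

CLEARTEXT = {"telnet", "http", "ftp"}   # assumed list of unencrypted protocols
MIN_PASSWORD_LEN = 12                   # assumed threshold for a "strong" password

def version_tuple(v):
    # Compare versions numerically so that 3.1.9 sorts before 3.1.10.
    return tuple(int(part) for part in v.split("."))

def audit(device):
    """Return the list of findings for one device record."""
    findings = []
    if (device.username, device.password) == (device.factory_username, device.factory_password):
        findings.append("default-credentials")
    elif len(device.password) < MIN_PASSWORD_LEN:
        findings.append("weak-password")
    exposed = sorted(CLEARTEXT & set(device.mgmt_protocols))
    if exposed:
        findings.append("cleartext:" + ",".join(exposed))
    if version_tuple(device.firmware) < version_tuple(device.latest_firmware):
        findings.append("outdated-firmware")
    return findings

# Constructed inventory of devices the owner administers; every value is made up.
INVENTORY = [
    Device("camera-porch", "admin", "admin", "admin", "admin", ("telnet", "http"), "1.0.3", "1.2.0"),
    Device("thermostat", "owner", "short1", "admin", "1234", ("https",), "2.10.0", "2.10.0"),
    Device("door-lock", "owner", "correct-horse-battery", "admin", "0000", ("https",), "3.1.9", "3.1.10"),
    Device("light-hub", "owner", "k9#Vt2!qLm47xZ", "admin", "admin", ("https",), "4.0.0", "4.0.0"),
]

def report(inventory):
    return {d.name: audit(d) for d in inventory}

if __name__ == "__main__":
    for name, findings in report(INVENTORY).items():
        print(f"{name:14} {'OK' if not findings else ', '.join(findings)}")
```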
As IoT devices continue to gain in popularity, newer and better privacy and security systems will be put into place. Until then, however, it is best to remain vigilant and keep your private information private.