If you’ve never heard the term ‘Internet of Things’ (IoT), then don’t worry. It’s a relatively new phenomenon that describes the connection of everyday objects to the Internet, from lightbulbs that can be controlled with smartphones to fridges that can tweet.
The drive to connect everything to the internet is not just a mad quest to push the limits of technology. Some IoT devices have legitimate, life-changing applications (there’s potential for a $117 billion market for ‘smart’ devices in healthcare according to Forbes, for example), while the likes of smart light switches are a boon to the lazy.
Hacking the IoT
The problem is that a lack of regulation underpinning the building of smart devices means that security and malware detection are spotty at best and absent at worst.
There are horror stories out there – strangers talking to children through hacked baby monitors, compromised cars losing transmission on US freeways – but it used to take a direct approach, sometimes under laboratory conditions, to take advantage of the IoT’s numerous security vulnerabilities.
All that changed last week.
Mirai, malware that attacks Internet of Things devices, managed to take a number of high-profile websites offline by overloading the networks of a company called Dyn. PayPal, The Guardian, the BBC, Netflix, Reddit, and the PlayStation Network are just a few of the sites affected by Mirai.
Factory Settings
Some of the most powerful companies in the world had their online mouthpieces silenced by a network of hijacked video cameras. It’s a dystopian nightmare come true, the rise of the machines against their human overlords.
What makes the attack more remarkable is the fact that it was only possible because the devices’ owners couldn’t be bothered to change the default password on their new purchase. Using a list of 68 default credentials, Mirai actively seeks out IoT devices with factory settings, including username and password combinations like ‘admin’ and ‘333333.’
The concern now is that Mirai and similar malware have rounded up compromised devices into ‘botnets,’ groups of hacked devices that work together to take websites offline, in a process known as a Distributed Denial of Service attack. These botnets are available for hire on dark web marketplaces, and attacked 60 sites on the 26th of October alone.
The Smart Home
It’s a situation that defies a simple fix; manufacturers could force users to set strong passwords and change their passwords upon first use, but the most popular passwords chosen by users in 2016 are still ‘123456’ and ‘password.’ Similarly, removing a device from a botnet requires the user to turn off the device, but it’s virtually impossible to know which objects are compromised.
The smart home is only as secure as the device with the weakest security – it doesn’t matter how well-protected your PC is if you connect it to things with no security at all. It sounds cynical, but manufacturers need to take the protection of the IoT as far away from the user as possible and begin to view device security as an essential consideration rather than an afterthought.