Why Hackers Just Can’t Get Enough Of IoT

It’s safe to say hackers may be developing a love affair with connected devices.

Anyone who attempted to hit a major site in the U.S. last Friday (Oct. 21) — such as Spotify, Amazon, Twitter or even Netflix — may have experienced firsthand what it’s like when hackers can have their way with Internet of Things (IoT) devices.

Unidentified hackers perpetrated a distributed denial-of-service (DDoS) attack against major internet domain directory Dyn, which resulted in a ripple of disruption to a number of well-known websites across all sorts of industries. According to TechCrunch, the DDoS attack was fueled by a botnet known as Mirai, which utilized hacked DVRs and webcams to launch the series of attacks.

Is Any Smart Device Really Safe?

Even before last week’s major cyberattack, security experts warned of the growing trend of cybercriminals flocking to connected devices as an entry point into the networks and systems of businesses.

From Wi-Fi hotspots to printers, unsecured routers to digital video recorders, many connected devices are vulnerable to hacks and, when compromised, can be used to launch large-scale attacks.

Unfortunately, merchants and device makers tend to overlook these devices as a stealthy way in for hackers.

Intel Director of Mobility and Secure Payments Michelle Tinsley recently told Karen Webster that businesses are often so hyper-focused on safeguarding payment data and PCI compliance that they easily lose sight of the other places where consumer data is left unprotected.

One of the biggest challenges facing the IoT security market is that the type of attacks that caused the recent internet meltdown can be launched from anywhere around the world, but still, there is no regulation in place requiring device makers to increase the security of the connected devices they put out into the market.

“These attacks are not going away,” Ben Herzberg, security group research manager with cybersecurity company Imperva, told The Washington Post. “It would be great if we could say, ‘If you want to produce a device connected to the internet, you must go through basic security checks,’ but we don’t have that right now.”

The White House Is Fed Up

The U.S. government is taking steps to counter the cyberattacks powered by IoT devices.

The Department of Homeland Security said it hosted a conference call with 18 major communication service providers after last week’s major attack started and is developing a new set of “strategic principles” for securing internet-connected devices, Fortune reported.

The agency’s National Cybersecurity and Communications Integration Center is working in collaboration with private companies, law enforcement agencies and security researchers to fight back against the growing number of attacks that are taking place due to the expanding number of devices that can talk to the internet. In many cases, these devices have little in terms of security, making hacks that much easier.

However, many security researchers believe the broader security threat will get worse before it gets better.

“If you expect to fix all the internet devices that are out there, force better passwords, install some mechanism for doing updates and add some native security for the operating system, you are going to be working a long time,” Ed Amoroso, founder of TAG Cyber and former chief security officer at AT&T, told Fortune.

Here Come The Recalls

Hangzhou Xiongmai Technology, the Chinese manufacturer of webcams linked to the huge cyberattack in the U.S., is pursuing a major recall of the devices. According to Reuters, the company could recall as many as 10,000 of the devices that were compromised during the attack.

Liu Yuexin, Xiongmai’s marketing director, told Reuters that batches of the surveillance cameras made in 2014 would be recalled but that the company has fixed security vulnerabilities in earlier products. The executive noted that devices in China and other places aren’t likely to be vulnerable to similar attacks because they are used more often for industrial purposes and therefore are connected to secure networks.

“The reason why there has been such a massive attack in the U.S. and [one] is not likely going to be in China is that most of our products in China are industrial devices used within a closed intranet only,” Liu said. “Those in the U.S. are consumer devices exposed in the public domain.”

Xiongmai advised consumers to change default passwords and block telnet access on the devices.

“Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind or to provide ongoing support,” U.S. Senate Intelligence Committee Member Sen. Mark Warner (D-VA) said.