The Risks of Unsecured IoT Devices in Your Business
The Internet of Things has become wildly popular in homes and businesses alike. People delight in the world of responsive, mobile connected devices like lights that sense your presence and thermostats that can be set from your phone.
Many companies, eager for anything to upgrade and streamline their offices, have integrated a massive number of IoT devices like security cameras and card readers into their infrastructure. Unfortunately, this bold, cutting-edge move may be premature for safe business practices. The one group of professionals that simply cannot get behind IoT adoption, no matter how charming, is network security admins.
What’s Wrong with IoT?
IoT devices are fantastic, fun, innovative, and incredibly useful. What they lack is security. Most of them are made with firmware and software with a limited ability to be updated or controlled with the level of precision required for well-protected business data. To make matters worse, they also come with default usernames and passwords that either don’t change or don’t require you to change them.
You’re probably starting to get the picture. But so are the hackers.
There have already been several incidents of worrying and even disastrous hacking of IoT devices, the most prominent of which happened in October of last year.
The Dyn Attack
If you keep up with either hacker or IoT news, you may have heard of the Mirai Botnet, the tool used for the near-legendary Dyn attack. The hack started with the Mirai malware on normal computers, which turned its victims to searching for minimally secured IoT devices. When it found them, Mirai implemented an astonishingly simple hack to great effect, using known default usernames and passwords to log in to the IoT devices and infect them.
This turned several thousand IoT devices into the source of the largest DDoS attack seen to date, all directed at the widespread DNS host, Dyn. The assault continued for the better part of a day, taking down Twitter, the Guardian, Netflix, Reddit, CNN and many others throughout Europe and the US. And this is only the beginning.
“Secure” Security Cameras
If having your IoT security cameras, card readers, and light switches turned into a hacker’s botnet isn’t upsetting enough, some devices are so insecure that hackers are looking directly through them into the homes and businesses they serve. One particular IoT camera, the FTC SecurCam, openly claimed to be secure, but a faulty piece of software allowed anyone with the camera’s IP address to both look and listen through the cameras.
Worse even than a nightmare of a security bug was the company’s practice of transmitting login information in clear, readable text over the Internet and displaying it on devices, something no self-respecting admin should ever do.
Creepy though it may be, hackers practically did a public service by sharing their discovered loophole when they streamed live feeds from nearly 700 cameras made by FTC on the web. While this particular infraction happened between 2010 and 2012, consider the fact that nothing is stopping modern IoT devices from taking on the same or similarly bad security practices while advertising a safely closed network.
The primary problem with IoT devices is something that also allows them to be so wonderfully creative. There is practically zero regulation in hardware, software, or security practices. While false advertising may catch some, in many cases it’s clear that the manufacturers didn’t even consider real safety, just the appearance of it.
Hopefully, in the future, we’ll see IoT going the same way as mobile phones, with popular operating systems that can be learned, secured, and managed on dashboards by skilled security admins, but that day is not today. The next time your company is thinking about integrating IoT, remember to do a very thorough check for security holes first and, for now, keep your IoT devices on the other side of a firewall.
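One way to run the check recommended above, as an added example that is not part of the original article: a short Python audit that flags inventory entries showing the weaknesses this article describes (unchanged default logins, clear-text logins, firmware that cannot be updated, devices outside the firewalled segment). The inventory columns, the 10.50.0.0/24 IoT segment and the device names are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Assumption: IoT devices are supposed to live only in this firewalled segment.
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
# Management protocols that send logins unencrypted.
CLEARTEXT_PROTOCOLS = {"http", "telnet", "ftp"}

# Constructed sample inventory; the column names are hypothetical.
SAMPLE_INVENTORY = """\
name,ip,mgmt_protocol,default_creds_changed,firmware_updatable
lobby-camera,10.50.0.21,https,yes,yes
door-reader,10.50.0.30,telnet,no,no
thermostat-2f,192.168.1.77,http,yes,yes
dock-camera,10.50.0.44,https,no,yes
"""

def audit_device(row):
    """Return the list of findings for one inventory row."""
    findings = []
    if row["default_creds_changed"].strip().lower() != "yes":
        findings.append("factory default login still active")
    if row["mgmt_protocol"].strip().lower() in CLEARTEXT_PROTOCOLS:
        findings.append("login sent in clear text")
    if row["firmware_updatable"].strip().lower() != "yes":
        findings.append("firmware cannot be updated")
    try:
        if ipaddress.ip_address(row["ip"].strip()) not in IOT_SEGMENT:
            findings.append("outside the firewalled IoT segment")
    except ValueError:
        findings.append("unparseable IP address, placement unknown")
    return findings

def audit_inventory(csv_text):
    """Map each device name to its findings, worst offenders first."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row)
        if findings:
            report[row["name"]] = findings
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: " + "; ".join(findings))
```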