Most people don’t really understand the security implications of having IoT—Internet-of-things—or why attackers even want to go after these devices in the first place. What gets lost in the conversation about baby monitors getting hacked or the latest botnet made up of hacked webcams is the fact that the dangers aren’t in the devices themselves, but in how they interact with other devices.
IoT is more than just phones, Nest thermostats and washing machines that sends alerts to the smartphone app that the wash cycle is done. It refers to devices that connect to the Internet and also those that collect information from sensors. They are getting more widespread each day.
“People ask, ‘Okay, you took over my Nest thermostat. How does that hurt me?’” said Bryson Bort, CEO and founder of security startup Scythe. “There’s no attacker out there who wants to take over your Nest thermostat and play with your temperature.”
Attackers are more interested in take over Internet-accessible devices in order to get inside the network. Once they compromise that IoT device, they can see everything else on that same network—and that can mean office equipment, personal computing devices and home entertainment center, or any number of things—and they can start looking around for things of interest.
“A Nest thermostat by itself is not interesting. The Nest thermostat that is in a network is now an inside view to be able to see and go after other things,” Bort said. “What is interesting? Tax returns. Bank account information. Financials.”
Some attackers don’t care about what’s on the network, but want the device’s processing power. These devices, by themselves, aren’t all that powerful, but aggregate tens of thousands of them, and they form a hefty machine that can cause a lot of damage. The Mirai botnet, which launched the distributed denial of service attack that took down Brian Krebs’ security website temporarily, was made up of compromised IoT devices. Other attackers steal processing power to mine cryptocurrency.
Sometimes, it’s not even about the devices themselves. The attackers may be after information collected by the devices. Companies are much more interested in providing unique features than they are in thinking about what kind of data they are storing is secure, Florian Schaub, the assistant professor of information at University of Michigan School of Information, says in the Decipher video. This is where it makes sense to consider the reputation of the company when it comes to protecting their data before buying that cool gadget.
Giving Away Passwords
The most common way for attackers to compromise IoT devices is by guessing the administrator password. Most IoT devices ship with default passwords so that users can log in to the management dashboard and set up the device onto the network. Very few require the user to change these default passwords, which means anyone who knows where the device is can log in with publicly known credentials. If the user did change the password, the attacker can cycle through a list of commonly used passwords to guess the new password.
Consider this not-so-uncommon scenario: an attacker picks a model of a well-known device—a webcam, a networking router, or even a storage device—and scans the Internet looking for any of them that can be publicly accessed. Armed with this list of devices, the attacker cycles through a list of publicly known credentials and commonly-used passwords.
If the user has changed the password, then that device does not get compromised in this scenario. That’s a victory.
“Attackers are lazy. If it’s hard for me to get something, I am not going to go after it because there's plenty of other things for me to go after,” Bort said.
A security-savvy user may be stymied if the company has password restrictions, such as not accepting special characters, and wind up picking a less complex password than they would have liked. That’s still better than having a common password, or keeping the default password.
Just changing the password won’t stop all attackers, so make sure devices are behind a firewall. Most network routers ship with a firewall that can be turned on from the management dashboard. Or invest in a dedicated one. A firewall will make it harder for someone scanning the Internet to find the devices directly. Considering setting up a separate network for IoT devices, and keep the computers on a separate one. Make it harder for attackers to get access to the sensitive information. Routers often have a “guest network” option or options to create multiple networks within the dashboard.
“Part of how everyone feels safe is by saying, ‘Who is going to attack me?’ and the answer is, ‘Nobody,’” Bort said. “Nobody is coming after you individually, but it is easy to build a fishing net to go and catch a lot of fish, the devices, and see what may be interesting.”