A few years ago, a major part of the internet on the United States’ eastern coast faced blackout following the biggest cyberattack in the history of the internet. The reason was Mirai malware which initiated the IoT botnet attack that affected many websites including, Netflix, Amazon, Twitter, New York Times, Spotify, CNN, and PayPal.
After the attacks, Cisco’s cyber threat intelligence arm–Cisco Talos found several vulnerabilities in the firmware of Samsung’s SmartThings Hub platform for its IOT devices. With these vulnerabilities, hackers could have gained sensitive information and accessed a number of smart home devices on the platform such as door locks, security cameras, and thermostats.
How will you know if a hacker has targeted your smart home with a malware similar to Mirai botnet? A disastrous breach like this will allow attackers to spy and even blackmail you. “Smart devices like IP (internet protocol) cameras, speakers, etc., are becoming more vulnerable to cyber attacks especially if there is no proper in-built security,” Shrenik Bhayani, general manager, Kaspersky Lab (South Asia), told Live Mint.
According to Juniper Research, the number of IoT sensors and devices is set to exceed 50 billion by 2022. More than half (52.4 percent) of connected homes in India have one or more vulnerable IoT devices, according to Avast Security.
If that’s the case, the number of attacks on IoT devices will only increase. IoT devices were attacked with more than 120,000 modifications of malware in first half of 2018 alone, according to Kaspersky Labs. The problem is that “In the rush to get to the market, lot of companies are plainly ignoring security by design, which should have been the part of the product’s development life cycle,” says Jaspreet Singh, partner, information security at EY.
“There are little to no industry requirements that manufacturers have to comply with when it comes to security of smart devices. Instead they are left to create their own proprietary standards for communication, where security is not always a top priority,” said Vladislav Iliushin, IoT Threat Reseacher at Avast.
One of the biggest challenges in security of IoT devices is they are low in both memory and compute power, which makes it hard to put agents on them like anti-virus, explains Venkat Krishnapur, vice president-engineering and managing director of McAfee India. Also, when a vulnerability is discovered, the patch to address it is unlikely to be pushed automatically to the device, leaving it open to attacks.
“Majority of IoT devices currently rely on local network security, which means that everyone on the same network can gain access to them. If a security camera, for example, gets hacked and the attacker is able to get into the network, he/she can control most of the other IoT devices connected to the same network as the camera,” warned Iliushin.
To avoid such attacks, consumers need to regularly update their devices, check default privacy and security settings, and change them as per their needs. Mikhail Kuzin, security researcher at Kaspersky Lab, believes that even if vendors begin to provide devices with better security now, it will be a while before old vulnerable devices are phased out of homes. Krishnapur recommends that users need to invest in more secure routers with in-built protection. He adds that they can also consider setting up a second network for IoT devices that doesn’t share access to other devices and data.