With the changing profile of IoT devices, and as connected cars and connected medical devices become more commonplace, attacker motives are likely to change

PCQuest - TECH TRENDS - Ritesh Chopra, Country Manager, Consumer Business Unit, Symantec, India

IoT streets are buzzing with a new breed of innovations that will take it to its much-awaited glory. Many people picture smart thermostats and virtual assistants that respond to voice commands, but the IoT is primarily composed of commonly used devices such as home routers, DVRs, and internet-connected cameras.

The surge in innovation, availability and adoption has made IoT an attractive target for hackers and has made the “insecurity of the Internet of Things” a cause for concern. There is much less security for attackers to overcome when trying to take over an IoT device.

Attacks using IoT devices also lower the barriers to entry for cyber criminals. With IoT devices, security is often not a priority for the device manufacturer. This leads to poor practices such as the use of default passwords and open ports, which the users do not, or cannot, change. Secondly, IoT devices typically don’t have built-in mechanisms to receive automatic firmware updates, resulting in vulnerabilities being left unpatched. Lastly, they are often forgotten about once installed. This means that their owners are unaware when devices are being used for malicious purposes and have little incentive to apply firmware updates.

Towards the end of 2016, the Mirai botnet, which is made up of a “zombie army” of IoT devices, was used in a number of high-profile distributed denial of service (DDoS) attacks. A large-scale attack on DNS provider Dyn demonstrated how easy it was to create a large botnet and disrupt major websites such as Netflix, Twitter, and PayPal. The Dyn attack also revealed the existence of Mirai to the world at large. While it is difficult to state definitively how many Mirai-infected devices are out there, many of the figures quoted are quite staggering.

While Mirai’s sole purpose was to launch DDoS attacks, malware on a wireless router could conceivably lead to personal information—including user names, passwords, and financial data—being stolen. Infected IoT devices could also be used as a stepping-stone to attack other devices in a private network. It could also mean that a device belonging to you could participate in a global botnet that plays a role in taking down websites or services. The Dyn attack showed how powerful a DDoS attack using IoT devices could be and raised questions about what it might mean if attackers decided to target industrial control systems or critical national infrastructure.

As the profile of IoT devices changes and connected cars and connected medical devices become more commonplace, attacker motives are also likely to change.

Regulation of the IoT industry to ensure that security is a core consideration in the design and manufacture of IoT devices will be a great place to start.

In the meantime, consumers of IoT devices can consider the following best practices:

• Research the capabilities and security features of an IoT device before purchase.
• Perform an audit of IoT devices used on your network.
• Change the default credentials on devices. Use strong and unique passwords for device accounts and Wi-Fi networks.
• Don’t use common or easily guessable passwords such as “123456” or “password.”
• Use a strong encryption method when setting up Wi-Fi network access (WPA2).
• Many devices come with a variety of services enabled by default. Disable features and services that are not required.
• Disable Telnet login and use SSH where possible.
• Modify the default privacy and security settings of IoT devices according to your requirements.
• Disable or protect remote access to IoT devices when not needed.
• Use wired connections instead of wireless where possible.
• Regularly check the manufacturer’s website for firmware updates.
• Ensure that a hardware outage does not result in an unsecure state of the device.
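One way to carry out the "audit your network" and "disable Telnet, use SSH" items is sketched below as an added example, not part of the original article. It assumes you have scanned your own network with nmap and saved grepable output (`-oG`); the sample scan text, host names and advice strings are constructed for illustration.

```python
"""Audit nmap grepable output (-oG) from your own network for Telnet exposure."""

# Constructed sample of `nmap -oG` output for a home network (not real scan data).
SAMPLE_SCAN = """\
# Nmap scan report (constructed sample)
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///, 80/open/tcp//http///
Host: 192.168.1.20 (dvr.lan)\tPorts: 23/open/tcp//telnet///, 554/open/tcp//rtsp///
Host: 192.168.1.31 (camera.lan)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///
Host: 192.168.1.40 ()\tPorts: 443/open/tcp//https///
"""

def open_services(line):
    """Return (ip, name, {port: service}) for the open TCP ports on one Host line."""
    fields = line.split("\t")
    _, ip, *rest = fields[0].split()
    name = rest[0].strip("()") if rest else ""
    ports = {}
    for field in fields[1:]:
        if not field.startswith("Ports:"):
            continue
        # Each entry is port/state/protocol/owner/service/rpcinfo/version/
        for entry in field[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            if len(parts) >= 5 and parts[1] == "open" and parts[2] == "tcp":
                ports[int(parts[0])] = parts[4]
    return ip, name, ports

def audit(scan_text):
    """List devices with Telnet reachable and say whether SSH is already available."""
    findings = []
    for line in scan_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comments and Status-only lines
        ip, name, ports = open_services(line)
        telnet = sorted(p for p, svc in ports.items() if p == 23 or svc == "telnet")
        if telnet:
            has_ssh = 22 in ports or "ssh" in ports.values()
            advice = ("disable Telnet, use SSH" if has_ssh
                      else "disable Telnet or block remote access")
            findings.append({"ip": ip, "name": name,
                             "telnet_ports": telnet, "advice": advice})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"{f['ip']} {f['name']}: Telnet open on {f['telnet_ports']} -> {f['advice']}")
```

A closed Telnet port, as on the sample router, is not reported; only devices that actually accept Telnet connections appear in the findings.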
