NEW DELHI: In September 2016, a major part of the internet on the east coast of the US went on the blink following the biggest cyber attack in the history of the internet. Now we know that it was the Mirai malware that triggered this internet of things (IoT) botnet attack that took down big websites including Twitter, The Guardian, Netflix, Reddit, and CNN. Two years later in July, Cisco Talos found several vulnerabilities in the firmware of Samsung’s SmartThings Hub platform for its IOT devices.
These vulnerabilities could have allowed hackers to access sensitive information and take control over a number of smart home devices on the platform like door locks, security cameras and thermostats. These devices can be found on Shodan, a search engine for IoT devices and then using Nmap scan hackers can identify the ones with open ports whose IP address is visible online.
Now what if a variant of the Mirai IoT botnet is let loose by hackers on your smart home? A breach like this can be catastrophic and allow hackers to spy, steal and even blackmail you. “Smart devices like IP (internet protocol) cameras, speakers, etc., are becoming more vulnerable to cyber attacks especially if there is no proper in-built security,” cautions Shrenik Bhayani, general manager, Kaspersky Lab (South Asia).
Juniper Research predicts the number of IoT sensors and devices is set to exceed 50 billion by 2022. According to Avast Security, more than half (52.4%) of connected homes in India have one or more vulnerable IoT devices. If so, attacks on IoT devices will only increase. IoT devices were attacked with more than 120,000 modifications of malware in first half of 2018 alone, according to Kaspersky Labs. The problem is that “In the rush to get to the market, lot of companies are plainly ignoring security by design, which should have been the part of the product’s development life cycle,” says Jaspreet Singh, partner, information security at EY.
“There are little to no industry requirements that manufacturers have to comply with when it comes to security of smart devices. Instead they are left to create their own proprietary standards for communication, where security is not always a top priority,” said Vladislav Iliushin, IoT Threat Reseacher at Avast.
One of the biggest challenges in security of IoT devices is they are low in both memory and compute power, which makes it hard to put agents on them like anti-virus, explains Venkat Krishnapur, vice president-engineering and managing director of McAfee India. Also, when a vulnerability is discovered, the patch to address it is unlikely to be pushed automatically to the device, leaving it open to attacks.
“Majority of IoT devices currently rely on local network security, which means that everyone on the same network can gain access to them. If a security camera, for example, gets hacked and the attacker is able to get into the network, he/she can control most of the other IoT devices connected to the same network as the camera,” warned Iliushin.
According to a report by Barracuda Labs, improvements have been made but new types of vulnerabilities have emerged like IoT credential compromise wherein, attackers exploit vulnerabilities in mobile and web applications to acquire credentials to access data saved on cloud. “From an end user standpoint, unsecured IoT devices pose the highest risk to the privacy of a consumer. A vulnerable IoT device can give away your location, passwords, and data,” cautions Sajan Paul, director systems engineering at Juniper Networks, India and SAARC. To avoid such attacks, consumers need to regularly update their devices, check default privacy and security settings, and change them as per their needs. Mikhail Kuzin, security researcher at Kaspersky Lab, believes that even if vendors begin to provide devices with better security now, it will be a while before old vulnerable devices are phased out of homes. Krishnapur recommends that users need to invest in more secure routers with in-built protection. He adds that they can also consider setting up a second network for IoT devices that doesn’t share access to other devices and data.