Solution providers say that Friday's distributed denial of service (DDoS) attack – which was launched through IoT devices and blocked an array of websites – deepens the industry's concerns over the security risk of the Internet of Things.
"CyberSecurity in the IoT world has far too long been an afterthought, and especially in the consumer market where understanding of risks and requirements is less stringent than the enterprise space," said Douglas Grosfield, founder and CEO of Kitchener, Ontario-based Five Nines IT Solutions. "As cool as many of the smart home devices are, many of them still do not provide the ability to password-protect access to them, leaving many open to compromise."
The denial of service attack was launched Friday through Internet of Things consumer devices, including webcams, routers and video recorders, to overwhelm servers at Dynamic Network Services (Dyn), and it led to the blockage of more than 1,200 websites.
The attack on Dyn, which connects users to websites such as Twitter and Netflix, came from tens of millions of addresses on devices infected with malicious software code, knocking out access by flooding websites with junk data.
Throughout Friday, Dyn experienced two waves of attacks, and a third wave was attempted that the company successfully mitigated without customer impact. Dyn's chief strategy officer, Kyle York, said in a blog post that the attacks came from devices infected by the Mirai botnet – a malware that was revealed earlier in the month and spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.
"The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet," he said.
Many consumer IoT device manufacturers do not invest enough in security, or view it as an afterthought, said Grosfield, making it "terrifyingly" easy for hackers to compromise the devices.
"TVs, DVRs, home security systems and cameras, smart thermostats, lighting systems, door-locks and even smart garage door openers, all connected to the Internet and to the homeowner’s WiFi network, present an attack surface that makes it terrifyingly easy for hackers to use in these types of attacks," he said.
On Monday, manufacturer Hangzhou Xiongmai announced that it will recall the web cameras that use its circuit board and other components – which were among the many devices used in the attack.
Chris Compton, founder of Smart Home HQ, a Newport, Ky.-based service provider specializing in home automation, said that IoT security is top of mind for many customers – and partners play an important role in ensuring a program is in place to properly secure devices.
"Everyone's freaking out about security. For many devices, like webcams, passwords can be easily unlocked, and with home automation and the Internet of Things, devices can also be unlocked remotely," he said. "My view on [IoT] security is that you need a partner who is knowledgeable about it, and need a program in place to deal with it."
Grosfield said that IoT security issues will continue on a "growing scale" unless manufacturers address security-related shortcomings with their offerings.
"Strong password protection, and mandatory encryption, must be considered table-stakes for players in the IoT and connected device world, or they are creating a problem that will be very challenging to address as this rapidly growing market expands," he said.