The glue that connects our home and appliances to the web may end up causing millions of dollars of digital damage, and weak security is to blame.
Few online attacks are quite as critical to keeping a site online as a distributed denial of service attack.
More commonly called a “DDoS”, the concept and exploit acts as an overload to a system, sending more traffic to a website than the server can handle and causing it to crash in the process, making the continued amount of traffic so dire that the server (and its owning company) have trouble getting it back online again.
One of the more common ways to bring down websites and possibly get into some otherwise nefarious activity, DDoS attacks are on the increase, with Symantec, the owners and developers of the “Norton” range of security software, finding that devices outside of the typical computer or server may be to blame, as everything in your home and your life makes its way online.
This push to get more things online and communicating with networks to be controlled from within a home and also remotely has led people to the term “Internet of Things”, or “IoT”, and while this creates a more connected house, it can also have some curious security implications.
You’re probably already aware of how the various operating systems for smartphones, computers, and tablets require regular security updates for the varying threat landscape that exists out there, and security companies as well as the operating system developers are constantly working on patches and fixes, but the same may not be true of IoT devices.
In fact, according to a recent write-up by Symantec on the issue, attackers may now be aware of the relaxed and close to non-existent security on these devices, with loopholes making it easier to break in and take over their connections, essentially making some of these gadgets slave to would-be cybercriminals.
“Cybercrooks continue to extend their focus on IoT devices because they make great targets,” said Symantec’s Nick Savvides, telling Pickr that the “lax security makes these devices easy to compromise and control, making this a huge issue on a global scale”.
“In addition to the devices being used to create the largest DDoS attacks ever seen, other dangers exist, such as the devices or services being held to ransom,” he said.
That makes for two separate attack vectors that have the ability to ensnare regular hard-working folk who go by unaware, and it appears as though the poor secure of IoT gadgets may be to blame.
According to Symantec, 2015 was a record year for attacks of this nature, with common passwords never changed making for an easy break in if someone really wants to go about stealing or redirecting functionality.
From a ransomware point of view, the problem is especially frustrating as IoT devices can be locked down and only unlocked if you pay a ransom, much like how the encryption of data in ransomware works on a computer.
“You could come home to find you can’t watch your favourite show, because your brand new TV has been locked by cybercrook demanding a bitcoin to unlock it,” said Savvides, pointing out that a single Bitcoin is worth around $800 today.
“Even worse, is the theft of personal information from IoT devices and their associated cloud services,” he added.
One concern that we asked about has to do with implications, because if a device in the Internet of Things is hijacked and used in a crime, you may be wondering whether you can be charged.
In this area, Savvides suggests that if used in a massive operation where millions of devices were used, “it is unlikely any implications would be faced”, though if used in a specific and targeted attack, he warns “it may lead to it being investigated”.
“This biggest concern for users, is not that they could be implicated in an attack, but the fact that their device is involved and could be stealing information from them,” he said.
“It is important to note that hackers are also going through mobile apps that control IoT devices, in addition to attacking the product directly, so Australians need to be more vigilant when it comes to protecting these types of devices,” said Savvides.
So how can you make sure your various internet devices are locked down?
The first thing is to make sure your devices are kept current, installing patches when available to keep security updated with any other features.
Any time you can change a password, too, you certainly should, especially if it’s to access a router and the password is still admin. You wouldn’t believe the number of homes that keep “password” still used, leaving them open and vulnerable to attack.
Finally, Symantec is suggesting one every network should be doing, and that is using secure and encrypted passwords using WPA2 encryption.
If this sounds like jargon, think of it as making a good and slightly complex password for your home or business wireless network.
Sorry folks, but “password” won’t do, and neither will “12345678” or the same letter repeated eight times. If you want to keep things locked down, you may want to think creatively and replace a letter or two with a number. Just make sure to write it down somewhere so you don’t forget, otherwise you’ll have to go through that setup one more time, or worse, call that guy you get to do your tech support.
You know who I’m talking about.