DDoS attack shows dangers of IoT 'running rampant'

Experts, U.S. senator call for greater Internet of Things security

A U.S. Senator has joined security officials calling for stiffer cybersecurity for Internet of Things (IoT) devices following a major attack last Friday.

In a letter to three federal agencies, Sen. Mark Warner (D-Va.) on Tuesday called for "improved tools to better protect American consumers, manufacturers, retailers, internet sites and service providers."

Friday's big cybersecurity attack affected 80 major websites and was blamed on the Mirai botnet that largely targeted unprotected IoT devices, including internet-ready cameras.

Those devices were used by unknown attackers to overload servers at Domain Name System provider Dyn in a Distributed Denial of Service (DDoS) attack.

President Barack Obama said Monday that U.S. investigators "don't have any idea" who was behind the attack. He added on Jimmy Kimmel Live that future presidents face the challenge of "how do we continue to get all the benefits of being in cyberspace but protect our finances, protect our privacy. What is true is that we are all connected. We're all wired now."

Security experts recommended Tuesday that default usernames and passwords in IoT devices be avoided and said automatic updates of IoT software could help avoid similar attacks in the future.

"This attack should be a wake-up call about security issues across IoT," said Mark Dufresne, director of threat research at Endgame, a cyber security company based in Arlington, Va.

"There's a low barrier for entry for hackers due to IoT devices that ship with default credentials and lack automatic security updates to fix known flaws," he said in an interview. "As things stand today, we should expect to see more and more attacks involving IoT."

Default usernames and passwords are relatively easy for hackers to guess; there are even lists of default usernames and passwords available on an internet search.

Experts said several approaches could replace shipping every unit with the same default credentials: manufacturers could require a customer to change the password before the device is first used; a random number generator could create a distinct password for each device, with that unique password made available to the user; and the device's unique MAC (Media Access Control) address could function as the password until the user changes it.

For IoT devices to get automatic updates would require more processing power. Dufresne said adding such capabilities wouldn't necessarily be expensive.

"We see the dangers of this IoT running rampant," he said. "There's a continuum of bad to middling security and nobody is knocking it out of the park."

Even though DDoS attacks first hit the internet in the 1990s, they are still commonplace. AT&T on Monday released a survey of more than 700 IT decision makers that found that 73% of companies suffered at least one DDoS attack in the last year.

"Most attackers are targeting businesses using forms of attacks we already know about and can help defend against," said Mo Katibeh, senior vice president of advanced solutions at AT&T. "The vast number of threats and attack patterns across our network fit with very well-known attacks...like DDoS," he said in an interview.

Katibeh said that when AT&T U-verse residential and small business customers receive an internet gateway device they are immediately required to update the user name and password. For the 20 car manufacturers that connect cars to AT&T wireless networks, there is Virtual Private Network protection, which means traffic is "not riding the open internet, and thus protected against DDoS attacks," he said.

AT&T is also working on software that will stop a robot arm from moving on a manufacturing floor if the arm moves slightly at variance with its controlled range of motion, he said.

Katibeh said that IoT devices are going to pose ever-greater challenges for enterprise security officials.

"For every enterprise, there's a call to action around Internet of Things," he said. "We even have connected coffee pots. Every enterprise should be doing risk and vulnerability assessments and knowing what to protect and knowing its vulnerabilities. Make sure you are buying devices that have minimum security built-in to allow updates of firmware and patches as they become available."


Matt Hamblen

Computerworld (US)