A U.S. Senator has joined security officials calling for stiffer cybersecurity for Internet of Things (IoT) devices following a major attack last Friday.
In a letter to three federal agencies, Sen. Mark Warner (D-Va.) on Tuesday called for “improved tools to better protect American consumers, manufacturers, retailers, internet sites and service providers.”
Friday’s big cybersecurity attack affected 80 major websites and was blamed on the Mirai botnet that largely targeted unprotected IoT devices, including internet-ready cameras.
Those devices were used by unknown attackers to overload servers at Domain Name System provider Dyn in a Distributed Denial of Service (DDoS) attack.
President Barack Obama said Monday that U.S. investigators “don’t have any idea” who was behind the attack. He added on Jimmy Kimmel Live that future presidents face the challenge of “how do we continue to get all the benefits of being in cyberspace but protect our finances, protect our privacy. What is true is that we are all connected. We’re all wired now.”
Security experts recommended Tuesday that default usernames and passwords in IoT devices be avoided and said automatic updates of IoT software could help avoid similar attacks in the future.
“This attack should be a wake-up call about security issues across IoT,” said Mark Dufresne, director of threat research at Endgame, a cyber security company based in Arlington, Va.
“There’s a low barrier for entry for hackers due to IoT devices that ship with default credentials and lack automatic security updates to fix known flaws,” he said in an interview. “As things stand today, we should expect to see more and more attacks involving IoT.”
Default usernames and passwords are relatively easy for hackers to guess; there are even lists of default usernames and passwords available on an internet search.
Experts said several solutions to create a non-default approach are possible: Manufacturers could require a password be changed by a customer before the device is first used; a random number generator could be used to create a password for each device, with the unique password made available to the user; and the unique MAC (Machine Access Control) address of the device could function as the password until a user changes it.
For IoT devices to get automatic updates would require more processing power. Dufresne said adding such capabilities wouldn’t necessarily be expensive.
“We see the dangers of this IoT running rampant,” he said. “There’s a continuum of bad to middling security and nobody is knocking it out of the park.”
Even though DDoS attacks first hit the internet in the 1990s, they are still commonplace. AT&T on Monday released a survey of more than 700 IT decision makers that found that 73% of companies suffered at least one DDoS attack in the last year.
“Most attackers are targeting businesses using forms of attacks we already know about and can help defend against,” said Mo Katibeh, senior vice president of advanced solution at AT&T. “The vast number of threats and attack patterns across our network fit with very well-known attacks…like DDoS,” he said in an interview.
Katibeh said that when AT&T U-verse residential and small business customers receive an internet gateway device they are immediately required to update the user name and password. For the 20 car manufacturers that connect cars to AT&T wireless networks, there is Virtual Private Network protection, which means traffic is “not riding the open internet, and thus protected against DDoS attacks,” he said.
AT&T is also working on software that will stop a robot arm from moving on a manufacturing floor if the arm moves slightly at variance with its controlled range of motion, he said.
Katibeh said that IoT devices are going to pose ever-greater challenges for enterprise security officials.
“For every enterprise, there’s a call to action around Internet of Things,” he said. “We even have connected coffee pots. Every enterprise should be doing risk and vulnerability assessments and knowing what to protect and knowing its vulnerabilities. Make sure you are buying devices that have minimum security built-in to allow updates of firmware and patches as they become available.”