Endpoint
10/24/2016
11:35 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

5 Tips For Preventing IoT Hacks

The recent DDoS attack on Dyn was powered in part by a bot army of home devices. How not to let your webcam or other IoT system go rogue.

The massive distributed denial-of-service (DDoS) attack on DNS provider Dyn late last week in which Internet of Things (IoT) devices were compromised and used as part of the bot army that slowed access to popular websites such as Amazon, Twitter, and PayPal, underscored long-known vulnerabilities with IoT.

Today, security company ESET in tandem with the National Cyber Security Alliance (NCSA) released a study that indicates that while consumers may be aware of security issues with IoT, many haven not taken steps to secure IoT devices in the home. The study was developed as part of the National Cyber Security Awareness Month.

"People need to understand that some of their IoT devices in the home can be used for these type of DDoS attacks," says NCSA’s Michael Kaiser.

Stephen Cobb, senior security researcher at ESET, says the good news from the ESET/NCSA study is that consumers are aware of the serious security issues around IoT.

"There's no question that starting with the Target hack and the Edward Snowden revelations, there's a growing awareness on the need for security by the public," Cobb says.

In terms of the public's knowledge of IoT security issues, the ESET/NCSA study found the following:

·         88% of consumers have thought about the reality that IoT devices and the data they collect could be accessed by hackers.

·         85% know that some computer webcams can be accessed by hackers to spy on them without their knowledge; and 29% are or have been, afraid that someone might have accessed their webcams or video calls without their consent.

·         77% are aware that some cars may be vulnerable to hacking; and 45% are very or somewhat concerned that their own car might have the potential to be hacked.

·         76% were either "very concerned" or "somewhat concerned" about the security and privacy risks of Internet-connected smart toys.

"It’s pretty clear that the public is concerned about connected devices by the response people had around connected toys," Cobb says. "But we have to do a better job educating the public on how to protect their networks."

For example, the study found that 29% of consumers have not changed their home router password from its default setting; and another 15% do not even know if they have changed passwords for their home router.

"When not protected properly, the home router is an entry point for malware," says NCSA's Kaiser. "A basic step such as changing the default factory password is necessary for protecting the home network."

The ESET/NCSA study also offers five tips for consumers:

1.      Learn how to maintain the security of IoT devices. Consumers need to protect their IoT devices the same way they would their smartphones, tablets and home computers. Look for ways to set strong passwords, reading the manuals for instructions on how to lock down these devices.

2.      Clean out old apps. Many of us tend to keep apps indefinitely, even if we don't use them. Check your devices periodically and delete apps you no longer use.

3.      Own your online presence. Understand what information your devices collect and how they it is managed and stored.

4.      Do your research. Before you purchase an IoT device, do a search to see if it has had security problems with it and if it can be easily hacked.

5.      Change the default setting on the home router. This is worth reiterating: Strong passwords on home routers can prevent the type of DDoS that happened last Friday to Dyn.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/29/2016 | 4:45:13 PM
Re: IOT Security Time-bomb
With all due respect to my fellow citizens who are actively contributing to our economy with their clearly disposable income, I think those who decide that they need "smart" lightbulbs (along with a plethora of other "smart" devices for the home) probably aren't the brightest bulbs in the bunch themselves (and, thereby, probably not much for InfoSec awareness/mitigation).

IoT makes a great deal of sense for the enterprise.  For the individual, at the consumer level, where most (not all, but certainly most) consumer devices are concerned, it's nifty but runs into the law of diminishing returns rather quickly.
SteveM654
50%
50%
SteveM654,
User Rank: Apprentice
10/28/2016 | 11:21:14 AM
IOT Security Time-bomb
While last week's DYN DDoS attack using a botnet of hijacked Webcams has rightly been trending across the blogsphere, most of the comments and advice I have seen have focussed on how to prevent the same thing happening again. However what is more worrying is what else could these insecure Web cams and the other IOT devices be used for? If it is so easy for the hackers to take control of our Web cams without our knowledge, think of the potential threat posed by smart meters, connected TVs and fridges that are sharing the same conection as our laptops and tablets. 

We might not be too concerned when these devices are being used to attack one the Internet beomoths but it is a different story when it comes to protecting our banking details falling into the hands of a cyber-thief.

If nothing else this event should be a wake-up call for everyone to start taking their home/online security more seriously. There are new IPS based systems out there capable of detecting compromised IOT devices, which would be a good starting point. 

 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/26/2016 | 9:03:50 AM
Re: DDoS was not done by IoT consumers
The enterprise and manufacturer perspectives of IoT security are important, but I think the point here is that while the IoT consumers themselves were not responsible, their IoT devices were -- because they were hacked and made part of a botnet.

As such, if people don't want their favorite sites or online services to be disrupted, they better make sure their own systems are secure.  It takes a village -- and a chain is only as strong as its weakest link.

Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/25/2016 | 8:19:54 PM
IoT and consumers
 

We want our IoT device is easily accessible to us, we do not care weather that will be source of a DDoS attack or not as consumers. My question is why Dyn is the only DNS provider for these big companies that were not accessible?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/25/2016 | 8:19:14 PM
Re: Step 1: Hilarious!
"... It's all about ease of use ..."

I think this is an important point. Otherwise we would not be seeing wide spear user of IoT devices, which would be sad.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/25/2016 | 8:15:19 PM
Re: ...Preventing IoT Hacks
"... impact cyber defenses of shared infrastructure ..."

This is a good point, cab it be shared and isolated infrastructure?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/25/2016 | 8:13:42 PM
Re: Step 1: Hilarious!
"... telnet or maybe ssh ..."

Agree. Asking too much of consumers all they want is turning their lights on with their voice.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/25/2016 | 8:11:47 PM
Re: Step 1: Hilarious!
"...  It's not the user's fault, it's the vendor's ..."

It makes sense but I would say neither. Overall system should not be letting IoT device be source of downtime, I would day.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/25/2016 | 8:09:55 PM
Re: Step 1: Hilarious!
"... Consumers need to protect their IoT devices  ..."

Agree but they can not, too much to deal with.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/25/2016 | 8:08:07 PM
Re: scalp psoriasis
"... I really like the dear information you offer in your article ..."

Agree. Especially statistics very informative.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.