10/24/2016
11:35 AM

5 Tips For Preventing IoT Hacks

The recent DDoS attack on Dyn was powered in part by a bot army of home devices. How not to let your webcam or other IoT system go rogue.

The massive distributed denial-of-service (DDoS) attack on DNS provider Dyn late last week, in which Internet of Things (IoT) devices were compromised and used as part of the bot army that slowed access to popular websites such as Amazon, Twitter, and PayPal, underscored long-known vulnerabilities with IoT.

Today, security company ESET, in tandem with the National Cyber Security Alliance (NCSA), released a study indicating that while consumers may be aware of security issues with IoT, many have not taken steps to secure IoT devices in the home. The study was developed as part of National Cyber Security Awareness Month.

"People need to understand that some of their IoT devices in the home can be used for these type of DDoS attacks," says NCSA’s Michael Kaiser.

Stephen Cobb, senior security researcher at ESET, says the good news from the ESET/NCSA study is that consumers are aware of the serious security issues around IoT.

"There's no question that starting with the Target hack and the Edward Snowden revelations, there's a growing awareness on the need for security by the public," Cobb says.

In terms of the public's knowledge of IoT security issues, the ESET/NCSA study found the following:

· 88% of consumers have thought about the reality that IoT devices and the data they collect could be accessed by hackers.

· 85% know that some computer webcams can be accessed by hackers to spy on them without their knowledge; and 29% are, or have been, afraid that someone might have accessed their webcams or video calls without their consent.

· 77% are aware that some cars may be vulnerable to hacking; and 45% are very or somewhat concerned that their own car might have the potential to be hacked.

· 76% were either "very concerned" or "somewhat concerned" about the security and privacy risks of Internet-connected smart toys.

"It’s pretty clear that the public is concerned about connected devices by the response people had around connected toys," Cobb says. "But we have to do a better job educating the public on how to protect their networks."

For example, the study found that 29% of consumers have not changed their home router password from its default setting; and another 15% do not even know if they have changed passwords for their home router.

"When not protected properly, the home router is an entry point for malware," says NCSA's Kaiser. "A basic step such as changing the default factory password is necessary for protecting the home network."

The ESET/NCSA study also offers five tips for consumers:

1. Learn how to maintain the security of IoT devices. Consumers need to protect their IoT devices the same way they would their smartphones, tablets and home computers. Look for ways to set strong passwords, and read the manuals for instructions on how to lock down these devices.

2. Clean out old apps. Many of us tend to keep apps indefinitely, even if we don't use them. Check your devices periodically and delete apps you no longer use.

3. Own your online presence. Understand what information your devices collect and how it is managed and stored.

4. Do your research. Before you purchase an IoT device, do a search to see if it has had security problems and if it can be easily hacked.

5. Change the default setting on the home router. This is worth reiterating: Strong passwords on home routers can prevent the type of DDoS that happened last Friday to Dyn.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Comments
Joe Stanganelli,
User Rank: Ninja
10/29/2016 | 4:45:13 PM
Re: IOT Security Time-bomb
With all due respect to my fellow citizens who are actively contributing to our economy with their clearly disposable income, I think those who decide that they need "smart" lightbulbs (along with a plethora of other "smart" devices for the home) probably aren't the brightest bulbs in the bunch themselves (and, thereby, probably not much for InfoSec awareness/mitigation).

IoT makes a great deal of sense for the enterprise.  For the individual, at the consumer level, where most (not all, but certainly most) consumer devices are concerned, it's nifty but runs into the law of diminishing returns rather quickly.
SteveM654,
User Rank: Apprentice
10/28/2016 | 11:21:14 AM
IOT Security Time-bomb
While last week's DYN DDoS attack using a botnet of hijacked Webcams has rightly been trending across the blogosphere, most of the comments and advice I have seen have focussed on how to prevent the same thing happening again. However what is more worrying is what else could these insecure Web cams and the other IOT devices be used for? If it is so easy for the hackers to take control of our Web cams without our knowledge, think of the potential threat posed by smart meters, connected TVs and fridges that are sharing the same connection as our laptops and tablets.

We might not be too concerned when these devices are being used to attack one of the Internet behemoths but it is a different story when it comes to protecting our banking details falling into the hands of a cyber-thief.

If nothing else this event should be a wake-up call for everyone to start taking their home/online security more seriously. There are new IPS based systems out there capable of detecting compromised IOT devices, which would be a good starting point. 

Joe Stanganelli,
User Rank: Ninja
10/26/2016 | 9:03:50 AM
Re: DDoS was not done by IoT consumers
The enterprise and manufacturer perspectives of IoT security are important, but I think the point here is that while the IoT consumers themselves were not responsible, their IoT devices were -- because they were hacked and made part of a botnet.

As such, if people don't want their favorite sites or online services to be disrupted, they better make sure their own systems are secure.  It takes a village -- and a chain is only as strong as its weakest link.
Dr.T,
User Rank: Ninja
10/25/2016 | 8:19:54 PM
IoT and consumers
We want our IoT device to be easily accessible to us; we do not care whether that will be a source of a DDoS attack or not as consumers. My question is why Dyn is the only DNS provider for these big companies that were not accessible?
Dr.T,
User Rank: Ninja
10/25/2016 | 8:19:14 PM
Re: Step 1: Hilarious!
"... It's all about ease of use ..."

I think this is an important point. Otherwise we would not be seeing widespread use of IoT devices, which would be sad.
Dr.T,
User Rank: Ninja
10/25/2016 | 8:15:19 PM
Re: ...Preventing IoT Hacks
"... impact cyber defenses of shared infrastructure ..."

This is a good point, can it be shared and isolated infrastructure?
Dr.T,
User Rank: Ninja
10/25/2016 | 8:13:42 PM
Re: Step 1: Hilarious!
"... telnet or maybe ssh ..."

Agree. Asking too much of consumers; all they want is turning their lights on with their voice.
Dr.T,
User Rank: Ninja
10/25/2016 | 8:11:47 PM
Re: Step 1: Hilarious!
"...  It's not the user's fault, it's the vendor's ..."

It makes sense but I would say neither. The overall system should not be letting an IoT device be a source of downtime, I would say.
Dr.T,
User Rank: Ninja
10/25/2016 | 8:09:55 PM
Re: Step 1: Hilarious!
"... Consumers need to protect their IoT devices  ..."

Agree but they cannot, too much to deal with.
Dr.T,
User Rank: Ninja
10/25/2016 | 8:08:07 PM
Re: scalp psoriasis
"... I really like the dear information you offer in your article ..."

Agree. Especially statistics very informative.