The massive distributed denial-of-service (DDoS) attack on DNS provider Dyn late last week in which Internet of Things (IoT) devices were compromised and used as part of the bot army that slowed access to popular websites such as Amazon, Twitter, and PayPal, underscored long-known vulnerabilities with IoT.
Today, security company ESET in tandem with the National Cyber Security Alliance (NCSA) released a study that indicates that while consumers may be aware of security issues with IoT, many haven not taken steps to secure IoT devices in the home. The study was developed as part of the National Cyber Security Awareness Month.
"People need to understand that some of their IoT devices in the home can be used for these type of DDoS attacks," says NCSA’s Michael Kaiser.
Stephen Cobb, senior security researcher at ESET, says the good news from the ESET/NCSA study is that consumers are aware of the serious security issues around IoT.
"There's no question that starting with the Target hack and the Edward Snowden revelations, there's a growing awareness on the need for security by the public," Cobb says.
In terms of the public's knowledge of IoT security issues, the ESET/NCSA study found the following:
· 88% of consumers have thought about the reality that IoT devices and the data they collect could be accessed by hackers.
· 85% know that some computer webcams can be accessed by hackers to spy on them without their knowledge; and 29% are or have been, afraid that someone might have accessed their webcams or video calls without their consent.
· 77% are aware that some cars may be vulnerable to hacking; and 45% are very or somewhat concerned that their own car might have the potential to be hacked.
· 76% were either "very concerned" or "somewhat concerned" about the security and privacy risks of Internet-connected smart toys.
"It’s pretty clear that the public is concerned about connected devices by the response people had around connected toys," Cobb says. "But we have to do a better job educating the public on how to protect their networks."
For example, the study found that 29% of consumers have not changed their home router password from its default setting; and another 15% do not even know if they have changed passwords for their home router.
"When not protected properly, the home router is an entry point for malware," says NCSA's Kaiser. "A basic step such as changing the default factory password is necessary for protecting the home network."
The ESET/NCSA study also offers five tips for consumers:
1. Learn how to maintain the security of IoT devices. Consumers need to protect their IoT devices the same way they would their smartphones, tablets and home computers. Look for ways to set strong passwords, reading the manuals for instructions on how to lock down these devices.
2. Clean out old apps. Many of us tend to keep apps indefinitely, even if we don't use them. Check your devices periodically and delete apps you no longer use.
3. Own your online presence. Understand what information your devices collect and how they it is managed and stored.
4. Do your research. Before you purchase an IoT device, do a search to see if it has had security problems with it and if it can be easily hacked.
5. Change the default setting on the home router. This is worth reiterating: Strong passwords on home routers can prevent the type of DDoS that happened last Friday to Dyn.