Let’s just get the big “I told you so” out of the way, so we can move on to the pitch for securing the Internet of Things (IoT). Unless you’ve been hiding under the proverbial rock, then the October 21 DDoS attacks on Dyn DNS – the one where a miscreant, some speculate a teenager, marshaled thousands of unsecured devices to unleash the Mirai botnet on the likes of Twitter, Spotify, Netflix, Amazon and other prominent websites – came as no surprise.
Despite dire warnings over the past two years, very little progress has been made in mitigating the potential damage of devices with shaky or no security that have proliferated on the IoT. By the time the Mirai botnet wreaked havoc on Dyn, it had already been implicated in attacks earlier in the month on the website of a prominent security researcher and a French internet hosting service. Within hours of the Friday DDoS wave, a Chinese manufacturer had already stepped forward to confirm its DVRs had been used in the attacks, joining a long of baby monitors, toasters, thermostats and other devices deemed vulnerable.
By now I think we can all agree that about the only time it’s cool for inanimate things to come alive and do stuff unbeknownst to the people who own them are in children’s tales like Toy Story or a Stephen King classic (think Christine!) where their impact is felt only by a small handful of animated protagonists or a fictitious community somewhere in the American heartland.
In real life, the potential stakes, of course, are much higher.
With the wild proliferation of smart devices, it might seem like we’re arriving a little too late to prevent a disaster already in the making. As National Cyber Security Alliance (NCSA) Executive Director Michael Kaiser recently said at a Nasdaq Cybersecurity summit, securing them “should have happened yesterday.” But it didn’t and now we’re stuck with a boatload of devices that were developed with security as just an afterthought at best so manufacturers could rush to market and cash in on ravenous demand. And a huge slice of the population that are dependent on them for convenience, entertainment or otherwise stay connected.
We can’t step into Mr. Peabody’s Wayback Machine and catch those unsecured devices before they roll off the line. Nor can we sit idly by until market forces simply sort it out, as some have advocated. While users and investors are likely to exert enough pressure on device-makers to evoke a firmer commitment to security that change will come slowly. And the clock is already ticking.
It’s time to put security ahead of profit…and convenience. But it’s going to take a village – users and manufacturers and enterprises have important roles in securing the IoT.
Corporate security pros, tighten policies and practices. Security pros within organizations are in a tough spot when it comes to IoT. While most have developed policies around BYOD, they can’t track the smart devices that employees use outside of the workplace – and each of those devices represents a potential point of vulnerability that could allow hackers access to corporate assets. Invest in raising employee awareness of the threats posed by smart devices purchased for their home and work IoT protective language into your security policies.
Users, at least heed the fundamentals. To date, there’s no universal rating system akin to the UL labels for electrical products, but a little common sense and basic hygiene can still go a long way. Please, please, please change the passwords on smart devices. An alarming number of people don’t bother to change the default settings of their “things.” The findings of ESET in a study done in collaboration with the NCSA revealed that 29 percent of those surveyed in a recent ESET study hadn’t changed the router password from its default setting while another 15 percent didn’t know if they had. They also didn’t track the number of devices hanging off of those routers very well. Nearly a quarter of respondents – 22 percent – said they had 4-7 devices connected to their home router, but 14 percent of those didn’t know how many devices were connected.
Device makers, force users to clean up their act by being more vigilant about security. Some say private companies have a better chance riding herd over their own ecosystems than regulators and legislators because they can push users to follow solid cybersecurity practices by denying them access to resources if they don’t change their passwords or update their devices. I know, I know, “security is too expensive” is an argument that has gained traction and justified taking a whole bunch of shortcuts, but the costs are nothing compared to the expense of cleaning up your reputation among customers and investors after your products are implicated in a whopper of an attack. Plus, as LifeLock Neil Daswani says, if security is baked in from the get-go and sprinkled throughout the lifecycle of an IoT device, rather than imposed retroactively, “it’s much cheaper to do.”
If you’d rather the end of your IoT story read more like The Tangerine Bear than Seed of Chucky, then it’s time to do just that.