enterprisesecuritymag

Attack of the Lightbulbs: How IoT Devices are Used as Internet Weapons

By Chuck Davis, Director of Cybersecurity, Hikvision

With connected devices, otherwise known as IoT (Internet of Things), rapidly changing the world, many end users forget or do not realize that these devices are actually computers. The smart light bulb, the IP video camera, and possibly your new car are all computers. They have operating systems (usually Linux), processors, memory and a network interface.

Why is it important to remember that these things are computers? It's important because you need to protect those devices from cyberattack, the same way you protect a computer system. All computers, including all IoT devices, have vulnerabilities. When those vulnerabilities are discovered and vendors release patches, frequently it is the end user who is responsible for installing those patches. If left unpatched, the IoT device is vulnerable to attack.

Most of the big software companies like Microsoft, Apple, and Google have automatic patching systems in place, but IoT devices do not. Even many home routers are not patched automatically. This leaves home networks vulnerable to attack, as these routers are directly connected to the Internet and are not behind a firewall.

So why would someone want to attack your IoT devices? Do attackers really want access to my light bulbs? You may be surprised that the answer is yes. Of course, one lightbulb is of little interest to an attacker; they're interested in many lightbulbs. Remember that each smart lightbulb is a computer, and each of those computers can be infected with malware that gives an attacker control of that device. Once they have infected enough devices, the attacker can use the collective power of all of those computers as an Internet weapon known as a botnet. With a single command, the attacker can direct his or her command-and-control servers to tell each infected device to attack a target on the Internet. This is referred to as a Distributed Denial of Service (DDoS) attack. In much the same way that a swarm of fire ants attacks and kills an insect, home routers, IP cameras, and other IoT devices can be used to attack and take down websites or services on the Internet. This happened in 2016, when the infamous Mirai botnet attack made several popular websites inaccessible. Those sites included GitHub, Twitter, Reddit, Netflix and Airbnb, as well as the blog of famous cybersecurity blogger Brian Krebs.

With more than 20 billion IoT devices projected to be on the Internet by 2020, this growing threat will not get better until a few things happen.

1. IoT standards must be created and followed by software developers, so that security patches can be pushed to devices. California has started the effort with SB-327, but the language needs much more specificity.

2. Everyone with IoT devices must ensure that their devices are patched regularly. If there is no automated system in place, manual patching is necessary.

3. Put IoT devices behind firewalls. While this is easy to do, a growing number of these devices are put directly on the Internet and left vulnerable to attack.

4. Network segmentation must be used to separate networks with differing trust levels. And this goes for home as well as work: Homeowners should separate IoT devices from regular computers and mobile devices.
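
Points 3 and 4 can be combined on a Linux-based home or office router. The nftables ruleset below is an added example, not part of the original article; the interface names (wan0, lan0, iot0) and the three-network layout are assumptions, and NAT rules are omitted.

```nftables
#!/usr/sbin/nft -f
# Constructed example. Assumed interfaces:
#   wan0 = Internet uplink
#   lan0 = trusted computers and mobile devices
#   iot0 = separate network (VLAN or SSID) for IoT devices
flush ruleset

table inet segmentation {
    # Traffic passing through the router between networks
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed to start
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may reach the Internet and may manage IoT devices
        iifname "lan0" oifname { "wan0", "iot0" } accept

        # IoT devices may reach the Internet (patches, vendor cloud service)
        iifname "iot0" oifname "wan0" accept

        # IoT must never open connections into the trusted LAN;
        # log the attempt, since it may indicate an infected device
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan drop: " drop

        # New connections from wan0 toward lan0 or iot0 match no rule
        # above and fall through to the default drop policy
    }

    # Traffic addressed to the router itself
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        meta l4proto { icmp, ipv6-icmp } accept

        # Both inside networks get DNS and DHCP from the router
        iifname { "lan0", "iot0" } udp dport { 53, 67 } accept
        iifname { "lan0", "iot0" } tcp dport 53 accept

        # Only the trusted LAN may administer the router over SSH
        iifname "lan0" tcp dport 22 accept
    }
}
```

Because both chains default to drop, a device on iot0 that is later infected can still be patched from the Internet side but cannot be reached from wan0 or reach computers on lan0.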

While we currently face a massive and growing threat to the Internet, education, awareness and standardization can greatly reduce the risks, allowing us to move forward. Don't forget to secure your IoT computers!
