enterprisesecuritymag

Attack of the Lightbulbs: How IoT Devices are Used as Internet Weapons

By Chuck Davis, Director of Cybersecurity, Hikvision

With connected devices, otherwise known as IoT (Internet of Things), rapidly changing the world, many end users forget or do not realize that these devices are actually computers. The smart light bulb, the IP video camera, and possibly your new car are all computers. They have operating systems (usually Linux), processors, memory and a network interface.

Why is it important to remember that these things are computers? It's important because you need to protect those devices from cyberattack the same way you protect a computer system. All computers, including all IoT devices, have vulnerabilities. When those vulnerabilities are discovered and vendors release patches, it is frequently the end user who is responsible for installing those patches. If left unpatched, the IoT device is vulnerable to attack.

Most of the big software companies like Microsoft, Apple, and Google have automatic patching systems in place, but IoT devices do not. Even many home routers are not patched automatically. This leaves home networks vulnerable to attack as they are directly connected to the Internet and are not behind a firewall.

So why would someone want to attack your IoT devices? Do attackers really want access to my light bulbs? You may be surprised that the answer is yes. Of course, one light bulb is of little interest to an attacker; they're interested in many light bulbs. Remember that each smart light bulb is a computer, and each of those computers can be infected with malware that gives an attacker control of that device. Once they have infected enough devices, the attacker can use the collective power of all of those computers as an Internet weapon known as a botnet. With a single command, the attacker can direct his or her command-and-control servers to tell each infected device to attack a target on the Internet. This is referred to as a Distributed Denial of Service (DDoS) attack. Much as a swarm of fire ants attacks and kills an insect, home routers, IP cameras, and other IoT devices can be used to attack and take down websites or services on the Internet. Such an incident happened in 2016, when the infamous Mirai botnet attack made several popular websites inaccessible. Some of those sites include GitHub, Twitter, Reddit, Netflix and Airbnb, as well as the blog of famous cybersecurity blogger Brian Krebs.

With more than 20 billion IoT devices projected to be on the Internet by 2020, this growing threat will not get better until a few things happen.

1. IoT standards must be created, and followed by software developers, so that security patches can be pushed to devices. California has started the effort with SB-327, but the language needs much more specificity.

2. Everyone with IoT devices must ensure that their devices are patched regularly. If there is no automated system in place, manual patching is necessary.

3. Put IoT devices behind firewalls. While this is easy to do, a growing number of these devices are put directly on the Internet and left vulnerable to attack.

4. Network segmentation must be used to separate networks with differing trust levels. And this goes for home as well as work: Homeowners should separate IoT devices from regular computers and mobile devices.
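
Points 3 and 4 can be expressed as a single firewall policy on a Linux-based home or small-office router. The nftables ruleset below is an added example, not part of the original article; the interface names (`wan0`, `lan0`, `iot0`) and the three-segment layout are assumptions for illustration.

```nftables
# Assumed interfaces (rename to match your router):
#   wan0 = Internet uplink
#   lan0 = trusted computers and mobile devices
#   iot0 = IoT segment (bulbs, cameras, and similar devices)

table inet iot_segmentation {
    chain input {
        # Traffic addressed to the router itself; drop unless allowed below.
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept

        # Router management is reachable from the trusted segment only.
        iifname "lan0" accept

        # IoT devices may use the router for DNS and DHCP, nothing else.
        iifname "iot0" udp dport { 53, 67 } accept
        iifname "iot0" tcp dport 53 accept
    }

    chain forward {
        # Traffic crossing between segments; drop unless allowed below.
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Trusted devices may reach the Internet and the IoT segment.
        iifname "lan0" accept

        # IoT devices may reach the Internet (firmware updates, vendor cloud).
        iifname "iot0" oifname "wan0" accept

        # Not listed, so dropped: new connections from iot0 to lan0,
        # and any unsolicited connection arriving on wan0.
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Because both chains default to drop, a compromised device on `iot0` cannot open connections to machines on `lan0`, and nothing on the Internet can open a connection to an IoT device.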

While we currently face a massive and growing threat to the Internet, education, awareness and standardization can greatly reduce the risks, allowing us to move forward. Don't forget to secure your IoT computers!
