With the rapidly changing world of connected devices, known as the Internet of Things (IoT), many people do not realize that these “things” are actually computers. The smart light bulb, the IP video camera, and possibly your new car, are all computers. They have operating systems (usually Linux), processors, memory and a network interface.
It is important to realize that these “things” are computers because you need to protect them from cybersecurity attacks the same way that you protect a standard computer. All computers, including all IOT devices, have vulnerabilities. When those vulnerabilities are discovered and vendors release patches, frequently it is the end user who is responsible for installing those patches. Left unpatched, the IoT device is vulnerable to attack.
Most of the big software companies like Microsoft, Apple, and Google have automatic patching systems that push patches out to vulnerable computers running their software, but most IoT devices do not. Even many home routers are not patched automatically which leaves home networks vulnerable to attack because they are directly connected to the Internet and are not behind a firewall.
So why would someone want to attack your IoT devices? Do attackers really want access to your light bulbs? You may be surprised that the answer is yes. Of course, one lightbulb is of little interest to an attacker, they're interested in many lightbulbs. Remember that each smart lightbulb is a computer and each of those computers can be infected with malware that gives an attacker control of that device. Once they have infected enough devices, the attacker can use the collective power of all of those computers as an Internet weapon called a botnet. With a single command, the attacker can direct his or her command-and-control servers to tell each infected device to attack a target on the Internet. This is referred to as a Distributed Denial of Service (DDoS) attack. Much like the way a swarm of fire ants can attack and kill a small animal, home routers, IP cameras, and other IoT devices can be used to attack and take down websites or services on the Internet. This happened very famously in 2016 when the Mirai botnet attack made several popular websites inaccessible. Some of those sites include GitHub, Twitter, Reddit, Netflix and AirBnb, as well as the blog of famous cybersecurity blogger, Brian Krebs.
With more than 20 billion IoT devices projected to be on the Internet by 2020, this growing threat will not get better until we make some changes.
IoT standards must be created and followed by software developers, to have the ability to push security patches to devices. California has started the effort with SB-327, but the language needs much more specificity.
Everyone with IoT devices must ensure that their devices are patched regularly. If there is no automated system in place, manual patching is necessary.
Put IoT devices behind firewalls. While this is easy to do, a growing number of these devices are put directly on the Internet and left vulnerable to attack.
Network segmentation must be used to separate networks with differing trust levels. And this goes for home networks as well as work networks: Homeowners should separate IoT devices from regular computers and mobile devices.
We are currently met with a massive and growing threat to the Internet, but education, awareness and standardization can reduce the risks moving forward. Don’t forget about your IoT computers!
Note: This is a variation of an article I wrote for Enterprise Security Magazine.