On October 22, 2016, 100,000 infected Internet of Things (IoT) devices took down many popular websites, including Twitter, Spotify and Reddit. The devices were used in a large-scale distributed denial of service (DDoS) attack against hosting provider Dyn.
Many of the devices targeted were traced back to XiongMai Technologies of China, which manufactures equipment and software for DVRs, NVRs and IP cameras. Hackers accessed the systems via default passwords that were left unchanged.
The kicker? Users weren’t able to change the passwords. According to Flashpoint, “The password is hardcoded into the firmware, and the tools necessary to disable it are not present.” To prevent future incidents, security needs to be prioritized by manufacturers when designing devices. Otherwise, attacks involving IoT devices will continue.
Lack of Industry Security Standards
How do manufacturers get away with weak device security?
One issue is that there aren’t universally accepted IoT security standards. This means that manufacturers are not required to build devices to meet minimum security thresholds, and it’s hard for consumers to assess products on the market.
Compare this to the automobile industry, in which the National Traffic and Motor Vehicle Safety Act ensures safe vehicles through manufacturer guidelines and testing.
While government-mandated standards may not be the best route for IoT, the industry does need to step up and create standardized security measures to protect consumers.
Be an Informed Shopper
However, right now, “there’s not much economic incentive for IoT device makers to add security protections,” according to U.S. Senator Mark Warner. Therefore, until industry standards are created, we need to get smarter and put pressure on manufacturers to increase device security.
Be informed: research a device before you purchase it. Search online to see if it has been involved in hacks or has any noted security flaws. Invest in companies that prioritize security. The best way to fight back is with your pocketbook.
Some basic security features to look for in devices include:
- Randomized default usernames and passwords versus one shared by all devices.
- Ability to update defaults to a unique username and password upon purchase.
- Proactive alerts if device vulnerabilities are found.
- Automatic rollout of software updates/security patches.
- An easy-to-navigate user interface and setup wizard.
In addition, ask your Internet service provider (ISP) whether they offer Best Current Practice (BCP-38). If your device gets infected, this would block spam at the router level before it gets distributed online. ISPs may also provide notification services if your network traffic looks suspicious. The more demand ISPs get from consumers for these features, the more likely they are to implement them universally.
Once a device is purchased, ensure it is set up securely with these tips.
Are your devices properly protected? For help with proper installation of your home automation equipment, contact Vector Security today! Our experts can help ensure your devices are secure.