The biggest security risks at the center of all this rapid IoT expansion are simple to address, but we have a long road before better security across the board addresses these vulnerabilities. There is plenty of blame to go around, some of the issues fall on users, and some goes to manufacturers. The tried and true practices of password management and system updates are the culprits here, and the details are important.
If you have been using routers or any other connected device and haven’t changed the default username or password, you might just want to stop what you are doing and change it NOW.
Major IoT DDoS attack
KrebsOnSecurity, a blog that focuses on cyber crime and internet security, was recently hit with a distributed denial-of-service attack and has now shared the anatomy of the malware behind it. Called Mirai, the malware crawls the Internet to find connected systems that are using factory default usernames and passwords. Based on the Mirai source code, affected devices range from security cameras, wireless printers, digital video recorders from generic brands to ones from Samsung and Panasonic. Fortunately, it is not that easy to match the username and password combination from the source code to the actual hardware.
Will Dormann, senior vulnerability analyst at the CERT Coordination Center, suggested that hardware makers should not set default usernames and passwords in their products as only a few people will actually change them. Instead, hardware makers should require users to input their own username and password upon setup to ensure users are taking a proactive approach in keeping their devices and network safe.
IoT security tips
If you have not changed the default login credentials, there’s a good chance you are part of the IoT botnet. Good news is, Mirai is said to be loaded into the memory which means disconnecting the device from the power source wipes it out.
KrebsOnSecurity recommends doing a factory reset of the device as just changing the password will only resolve the issue for a few minutes as the malware is constantly scanning for vulnerable systems. But the real issue here is that many hardware makers do not push out software updates which leaves devices vulnerable to attacks. And changing anything on a device is not always that simple.
“When it comes to software updates, automatic updates are good,” Dormann said. “Simple updates that notify the user and require intervention are okay. Updates that require the user to dig around to find and install manually are next to worthless. Devices that don’t have updates at all are completely worthless.”
The same can be said of traditional computing, yet these problems certainly persist. In this case, and with IoT, it is more likely that there are even-less-technical users at the helm, and that is a big problem.
Image credit: Pixabay