Forrester predicts that more than 500,000 internet of things (IoT) devices will suffer a compromise in 2017, dwarfing Heartbleed. Drop the mic — enough said.
With the sheer velocity of how the distributed denial-of-service (DDoS) attacks spread through common household items such as DVR players, makes this sector scary from a security standpoint.
“Today, firms are developing IoT firmware with open source components in a rush to market. Unfortunately, many are delivering these IoT solutions without good plans for updates, leaving them open to not only vulnerabilities but vulnerabilities security teams cannot remediate quickly,” write Forrester analysts.
The analyst firm adds that when smart thermostats alone exceed over 1 million devices, it’s not hard to imagine a vulnerability that easily exceeds the scale of Heartbleed. Security as an afterthought for IoT devices is not an option, especially when you can’t patch IoT firmware because the vendor didn’t plan for over-the-air patching.
Alex Vaystikh, co-founder/CTO of advanced threat detection software provider SecBI, says small-to-midsize businesses and enterprises alike will suffer breaches originating from an insecure IoT device connected to the network. The access point will be a security camera, climate control, an old network printer, or even a remote-controlled lightbulb. This was demonstrated in September in a major DDoS attack on the web site of security expert Brian Krebs. A hacker found a vulnerability in a brand of IoT camera and caused millions of them to simultaneously make HTTP requests from Krebs’ site.
“It successfully crashed the site, but DDoS attacks are not a great way to make money. However, imagine an IoT camera within a corporate network being hacked. If that network also contains the company’s database center, there’s no way to stop the hacker from making a lateral move from the compromised camera to the database,” Vaystikh said. “This should scare organizations into questioning the popular BYOD mentality. We are already seeing a lot of CCTVs being hacked within organizations.”
Florin Lazurca, senior technical manager at Citrix, believes that consumers will be a target of opportunity in 2017. Innovative criminal enterprises will devise ways to monetize on potentially billions of internet-facing devices that many times do not meet stringent security controls. “Want to browse the internet? Pay the ransom. Want to use your baby monitor? Pay the ransom. Want to watch your smart TV? Pay the ransom,” Lazurca says.
Mike Kelly, CTO of Blue Medora, agrees, stating that, “the inability to quickly update something, such as your home thermostat, is where we will see the risk. It’s not about malware getting on the devices, the focus will need to be on the ability to remediate the issue. Like we saw with Windows, there will be a slew of vulnerabilities, but unlike with a computer, patching won’t be as easy with IoT devices,” he says.
Sign up for Computerworld eNewsletters.