He cited the leaking of the source code for the Mirai IoT botnet. This botnet included a scanner that automatically searched the internet to find unsecured, Linux-based IoT devices, and take them over using default credentials. With this leaked code, criminals were able to build huge botnets consisting of hundreds of thousands of IoT devices. They used these IoT botnets to launch gigantic DDoS attacks that generated up to 1Tbps of traffic; the largest ever recorded.
In 2017, criminals will expand beyond DDoS attacks and leverage these botnets for click-jacking and spam campaigns to monetize IoT attacks in the same way they monetized traditional computer botnets. Expect to see IoT botnets explode next year, he says.
Mike Davis, CTO at CounterTack, believes IoT will continue to be a part of the threat conversation in the coming year, but fundamentally there will be a massive change in the risks associated with the devices — it won’t be about security, it will be about patching.
Hold your IoT security hypberbole
Stan Black, CSO at Citrix, says we need to dispel security myths around emerging technology like IoT, machine learning and artificial intelligence.
“Many people are afraid to adopt these emerging technologies for fear that they may be their security downfall, but as with any technology, the same security 1-2-3s apply. Change the admin username and password, allow and enable devices on separate networks (separate from the networks used to pass sensitive data), create management and access policies, and above all, make sure that employees are educated about how, when and where to use these kinds of technologies,” he says.
Adoption of emerging tech like IoT can actually have more security benefits than challenges, if implemented correctly, Black says. The same goes for machine learning. The security wave of the future includes these technologies, so it’s best for businesses to learn about them early, learn about the benefits and reap the rewards of clouds, devices and networks that can learn from, and adapt to, changing behaviors to make for a stronger security posture.
The wave of the future will be computers that can grant or deny access based on fingerprinted keyboards that can sense the normal amount of pressure your fingers normally apply. Taking advantages of benefits like these will help companies move to a new security infrastructure and mindset, he predicts.
“The mobile devices we depend on every day are loaded with sensors, heat, touch, water, impact, light, motion, location, acceleration, proximity, etc. These technologies have numerous applications including sensing motion and location to ensure people are safe when they travel,” Black adds.
These devices are rarely protected or maintained with the same vigor as corporate IT systems, making them generally more vulnerable to being compromised and drafted into a zombie army. This situation is nothing new, but in the next year we can expect to see “personal networks of things” reside in homes with gigabit internet connections — like those offered by Google and AT&T — and so make home networks far more interesting, especially if vulnerabilities in popular home devices can be exploited mechanically (e.g., how the Mirai botnet was built).
Sign up for Computerworld eNewsletters.