In the fall of 2016, a new kind of attack was launched against web-connected devices. A powerful piece of malware called Mirai hacked into and then harnessed the connectivity of thousands of gadgets, creating a botnet capable of launching a Distributed Denial of Service (DDoS) attack against web platforms, shutting down web access in huge portions of the US and Europe for several hours. Just about a year later, a copy-cat named Reaper took what Mirai had done and multiplied it, gathering a botnet army of somewhere around a million devices. That’s a lot of gadgets, ready and waiting to do the unknown–but certainly nefarious–bidding of a hacker. A DDos attack might, in fact, be the least of our worries–another botnet powerful enough to shut down the web could potentially wreak much more serious havoc on our society.
What makes an attack of this type tricky in a new and unique way is the type of devices it uses to get around and gather horsepower. Unlike viruses that infect PCs or mobile devices—which our security measures are at least somewhat equipped to handle at this point–botnet viruses target any Internet of Things (IoT) devices they can get ahold of. For Mirai, it was Linux devices like routers and IP cameras whose default passwords never got reset. Reaper took things a step further by actively hacking into “a range of consumer and commercial products.” More than anything else, this hack demonstrated the variety of devices that are potentially susceptible to attack. Both of these attacks focused primarily on home and office routers and cameras, but they serve as a startling reminder of all the devices we rarely think of as “hackable” that are, in fact, easy targets. It’s been projected that, by the end of 2018, somewhere in the ballpark of 8 billion devices will be part of the IoT: and very few of these devices are as well-protected as PCs. This leaves a lot of potential targets for the next botnet attack, including any “smart” gadget: app-controlled thermostats, smart locks, even the ubiquitous Amazon Echo. Basically, all the things we use on a daily basis without even thinking.
These devices pose a significant danger at home and at the workplace, and not just because they could be harnessed into a DDoS or similar attack. Consider what information a hacker would be able to access if they breached an IoT device connected to the same network as your PC. Botnets and DDoS attacks aren’t the only risk that IoT devices pose to us—on a smaller but equally destructive scale, hackers can access other data on a network by hacking a poorly protected gadget. This is perhaps even more of a risk at the workplace, where computers are likely to house even more sensitive information than a personal PC. Reaper targeted a million organizations—imagine the kind of information it could have gotten ahold of if its goal had been to access private data through the devices it hacked.
Given that fact, how can we stay secure? How can we ensure that the devices we use–all of them–are safe against outside attack? First of all, be aware of software bugs, and any patches that the manufacturer might offer for them. While few “smart” devices are likely to come with the same caliber of software updates and protections as computers, there are more security implementations available than you might think. Take advantage of them, the same way you would for your PC (and if you’re not updating your PC, that’s an even worse problem).
Something else to keep in mind is this: how many of your “smart” devices are worth the risk? Given that even the best-secured gadget isn’t likely to come close to being as secure as, say, your PC, how many of them do you really want–or need? I would recommend taking an inventory of all devices you own that connect to your network. Some, you can’t do without–like your router. And most routers can be updated regularly. But what about the others? While it might be convenient to turn on your heat from your phone, or for a smart-pod to be able to play your favorite music on-command, is it worth the possibility of a hack? Convenience only comes at a cost. And that cost might just be loss of important data or an internet blackout.
At the end of the day, all progress comes with its own cost/benefit analysis. In many ways, the IoT is making our lives easier and more streamlined. But it’s also making them infinitely riskier and more complicated. Our ancestors’ predictions of artificial intelligence and a world run by robots are not so far off. The IoT is real. It surrounds us. We can limit its hold over our lives, but without retreating to the woods to live as hermits, we’ll never be able to avoid it completely. So, we really only have one option: be smart, and be vigilant. We need to utilize every tool at our disposal, including updates and system checks. We need to educate ourselves about how to keep our systems secure. And we need to stay on top of current threats. As the IoT continues to grow and the risks increase, there’s no greater danger to us than lack of awareness.
Don’t let the threats get ahead of you. Follow the GLS blog here.