How the “Internet of Things” Cyberattack Affects Data Security
On Friday October 21, 2016, the Internet traffic management company Dyn DNS was the target of three large-scale DDoS cyberattacks that took down more than 80 popular websites for some of the day. The company believes that some easy-to-hijack smart devices may have been infiltrated to carry out the virtual attacks. And so, the main questions going around at this point are: what does this mean and how did this happen?
DDoS, otherwise known as “distributed denial of service,” attacked Dyn’s New Hampshire-based server early Friday morning and affected several well-known websites—including PayPal, Reddit, Amazon, Spotify, Twitter, and Netflix—across North America.
To be clear, a DDoS attack occurs when a server is overwhelmed with traffic in a targeted attack. According to RT News, the DDoS attacks on Friday targeted Internet of Things (IoT) devices, which covers any object that has a connection to the Internet. Dyn believed that tens of millions of these connected devices—including surveillance cameras, webcams, and smart thermostats—were infected with a malware called Mirai in this attack.
As reported by KrebsOnSecurity, Mirai targets IoT devices that have minimal security protections, such as factory-default usernames and passwords—commonly referred to by experts as the “low-hanging fruit for hackers.” Aside from using default credentials, it is also important for users to create unique and difficult to crack passwords, a different one for each secure website so as to avoid password reuse.
Zack Wikholm, of security firm Flashpoint, weighed in on the attack, “The issue with these particular devices is that a user cannot feasibly change [the] password. The password is hardcoded into the firmware, and the tools necessary to disable it are not present.”
Once the malware finds the products to infiltrate, the devices are used to send out junk traffic at online targets until the sites can no longer accommodate legitimate users.
“It is a very smart attack,” Dyn chief strategy office Kyle York said to Sky News. “As we start to mitigate they react and start to throw something that’s over the top.”
While the cyberattack may be deemed “smart,” it’s worth noting that experts have been warning users about the possible security risks for Internet of Things. RT News reports that cybersecurity experts have cautioned that the IoT is an easily exploitable area in corporations and can effectively be used in mass cyberattacks. However, the security holes that they feared were predominantly hypothetical what-ifs, and the recent attack was stronger and faster than had been predicted.
Business Insider reports that using IoT devices as soldiers for malware is “one of the most effective ways to launch cyberattacks.”
Given these pre-existing vulnerabilities and the consequences they pose to organizations and their users, the main questions, then, should be: what is being done to prevent attacks like this from happening and how can you protect your company?
QZ says that “The Internet of Things is expected to only get more dangerous over time… as more ‘machine to machine’ connections go online… there will be even less manual oversight of connected devices, meaning greater potential for their hijacking and abuse.”
The news source reports that the Internet of Things Security Foundation is developing a framework for manufacturers so that their devices meet security best practices. Until that framework has been formed and executed, imminent attacks and product vulnerability are still at risk. “Manufacturers aren’t subject to any certifications when it comes to putting IoT devices on the market right now… although existing laws have been used to prosecute hackers for DDoS attacks.”
A group that calls itself New World Hackers has claimed responsibility for the attacks and is currently being investigated by Homeland Security.
A Business Insider Intelligence report notes that the Internet of Things will likely become the largest device market in the world and is expected to reach double the size of smart phones, PCs, and tablets combined by 2019.
In order to stay compliant and safe from a cyberattack, companies should treat cybersecurity as a top priority. Make sure you follow best practices when implementing data security in your workplace and read about what makes effective data security training in our data security whitepaper.
LawRoom (powered by EverFi) delivers online compliance courses to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.