October 23, 2016
Default passwords on devices from the digital video recorder in your living room to the security camera in your office threaten the stability of the internet, as hackers build vast networks of “Internet of Things” devices to bombard websites with traffic.
The attack on Dyn, a domain name service provider, that disrupted access to high-profile sites such as Twitter, Spotify and the New York Times on Friday, highlighted the risks posed by the billions of devices connected to the internet with little or no cyber security protections. Unidentified hackers took over tens of millions of devices using malicious software called Mirai, making the attack much more powerful and harder to defend against than the average distributed denial of service attack.
In a rush of excitement about the prospect of controlling houses and office buildings from smartphones — changing the temperature or detecting burglars using cameras — many manufacturers with little experience of cyber security have connected devices to the internet.
Regulators have not yet created clear rules on how they should be protected and even businesses are finding well meaning suppliers or facilities managers have accidentally created holes in their corporate networks by adding connected devices.
Michael Sutton, chief information security officer of Zscaler, a cloud security company, says Friday’s attack would be a “wake-up call” for the hardware industry.
“Security in the hardware industry is a decade behind where it is in the software industry,” he says. “Mirai was successful because so many webcams, digital video recorders, etc have been produced with default passwords that have never been changed. A simple internet scan identifies them and they can quickly be compromised.”
Cyber security experts have been warning about the risk of “Internet of Things” devices for years, staging high-profile hacks at their annual conference Def Con that show how everything from connected cars to insulin pumps could be hacked. But often it has been hard to see why a cyber criminal would target an individual’s device, unless to expose the activity of a person in the public eye or cause harm to a political figure. This attack showed even if a connected device is not necessarily a huge threat to its owner, it could be used maliciously to attack others.