The Internet of Things is the place to which we go with the fashion to put Internet to everything: Refrigerators, thermostats, surveillance cameras, washing machines, coffee machines, locks, we already find everything with an Internet connection, and the trend is that we continue to do so with much more insistence.
The problem is that, while we are focusing on putting the Internet to everything we can imagine, nobody is thinking about the security of this Internet of Things. And everything looks so bad that the security of the Internet of Thingscan be violated by amateurs in half an hour.
Mirai, Internet of Things malware in action
Before explaining why, it’s time to put ourselves in the background. In recent weeks the Internet has been hit by one of the largest attacks ever seen. This attack came from a source as surprising as a zombie network made up of cameras and other Internet of Things devices, and was directed at Brian Krebs, a journalist with a long history of revealing attackers. The attack exceeded 660 Gbps of traffic, making it one of the largest ever recorded.
Things get more interesting when, without warning, someone with the nickname of Anna-senpai claimed the author of the attack, and to demonstrate it published the source code of the malware used to create the zombie network. Several groups of investigators have already been investigating Mirai, and the most dangerous thing comes when they come to a clear conclusion: This zombie network has been created by an amateur with half an hour of work..
His greatest fortress is played right above him, in that default user list and passwords of a large series of Internet of Things devices, including reputable manufacturers such as Samsung, Toshiba, Panasonic, Xerox or ZTE. Mirai scans the Internet for these devices, and when it finds them, it proceeds to take control with those users and passwords.
Once in control of a device, it continues to search for devices to infect and gives the user the possibility to perform DDoS attacks on demand -the author’s intention is to make money selling the services of this zombie network-. But a glance at the code, full of memes and with clues that link it to Eastern Europe, reveals that this malware is made by a mere hobbyist.
So much putting the Internet has made us forget security
The point is not that this attack has put the Internet on a war footing, the problem comes when we realize that this enormous attack has been carried out with undoubted success by an amateur. That is to say, Internet of Things security is mediocre at most if such a trivial attack has achieved such results. Even security experts are amazed at the state of security in this expanding field, and if nothing changes, the future will be full of attacks like these.
The race to put Internet on everything can have its advantages and disadvantages, it is not the place to discuss that, but we cannot leave security aside for being the first in having x thing connected. It is of little use to you to have the best connected security camera, or the best connected toaster, on the market if anyone is going to be able to enter it or use it for a denial of service attack
How can I prevent it from happening to me?
Some manufacturers have already put the batteries and force the user to enter their own unique password, but not everyone is doing this good practice, unfortunately. If your device allows it, be sure to use a unique and secure password. If your device doesn’t allow it, maybe it’s time for you to look for one that cares a little more about security.
Also, updates are just as important: They solve holes that can be used to sneak into our devices. If your Internet of Things device does not have updates, or makes you move high and low to install one, go looking for another that updates automatically or requires minimal intervention to do so.