A growing trend in the consumer electronics industry is the use of so-called “smart” devices — electronics that use wi-fi connections to allow them to be controlled remotely over the internet. From smart thermostats that can be adjusted and set remotely to toasters and coffee makers that can be programmed to operate at specific times on specific days, smart devices are fast becoming a part of all of our lives.
But are these smart devices and their connectivity secure? Any device capable of accessing the internet can, itself, be accessed by those on the internet. So what happens when that access is used for nefarious purposes? Incidents over the last couple weeks provide insight on that question.
Last week, a security news website was shut down for more than 24 hours following an attack on the website’s servers. The attack saw the website bombarded with what those involved estimated was a 620 gigabit-per-second distributed denial of service (DDoS) attack. Such attacks are orchestrated by hackers who take control of various computers and other internet devices and program them to simultaneously attempt to access one particular website that is the focus of the attack. The sudden influx of massive volumes of data to the website’s servers overwhelms the operations and causes the affected website to shut down. While such attacks are not uncommon, two things made this particular DDoS attack of interest to those in the cyber security area. First, the massive size of the attack was believed to be a record for such DDoS attacks. Prior to this attack, the biggest DDoS attacks were found to be in the range of 350 Gbps. And, second, the attack appeared to emanate from an ensemble of routers, security cameras, and other so-called “smart,” internet-connected devices.
Warnings have existed for some time that such devices, referred to collectively in the cyber security community as the internet of things (or “IoT”) can be unsecured and vulnerable. This particular attack showed what use of a collection of computing devices could accomplish.
The attack last week was followed this week by another attack, this time on a French Web host. But this attack was more than 60 percent bigger — peaking at 1.1 terabits per second. This attack also used a collection of hacked devices, specifically internet-connected cameras and digital video recorders (each with a capacity of 1 Mbps to 30 Mbps) to shut down the web host’s operations. Those involved estimated that the attack used more than 15,000 devices over 48 hours.
Experts have warned for years that the IoT was susceptible to hacking and attack. Attacks last year on Sony’s PlayStation Network and Microsoft’s Xbox Live were powered by hacked home routers that were cobbled together into a massive coordinated and automated network (referred to as a botnet). Earlier this year another security firm discovered a botnet of 25,000 closed circuit TVs was being used to attack a jewelry store. And concerns have been raised regarding smart medical devices (like pacemakers and insulin pumps) and whether hacking of those devices is possible and the serious health concerns that could accompany such hacks.
More troubling is the fact that it is not easy for most people to know whether their connected devices (like routers, DVRs, thermostats, printers, etc.) are infected or have been hacked. Most IoT devices have only a minimal control panel and cannot run antivirus software. Depending on the type of attack being used, the devices themselves may show no outward signs that they are participating in such an attack.
So what can be done to prevent IoT devices from being hacked and used against us?
First, manufacturers of such devices need to take cyber security seriously. Both the FTC and the FDA have issued guidelines and draft guidelines respectively on cybersecurity and the IoT. These guidelines outline specific steps, processes, and procedures for manufacturers to implement for monitoring and maintaining the security of their devices. It is a good idea for manufacturers of any “smart” or internet-connectable products to be familiar with these guidelines and to work with privacy counsel on taking steps to secure such devices prior to and during development, through the time of sale and the lifetime of the device.
Second, for consumers (both home and business) you should understand what connectable devices you have in and around your home and business. Many people may be surprised to learn the number of IoT devices they currently deploy. There is no reason to ban such devices from your home or business — they are useful and even necessary for our connected lifestyles. But you should understand the implications of such devices. While DDoS are one hazard that such devices can be used for, this is but the tip of the iceberg. A connectable device on your network may have access to every part of your network. Before connecting such devices, you should determine if your IoT device truly needs to be connected to the internet at all. While devices like routers and modems obviously must be connected to the internet, just because your other “connectable” device can be connected does not mean you need to do so. Disable internet capabilities on your IoT devices where they are not needed. If they cannot access the web, then the web cannot access them.
Third, for any device you have that needs to connect to the internet, make sure you change any and all default passwords that may be used with those devices. Devices, when sold, come with a default password. Those default passwords are often of very low security (password1234, password, etc.). That password should be changed before the device is set up and connected at your business or home. Failure to do so leaves a door open to your system that hackers can easily exploit.
Fourth, you should be prepared. You should work with your privacy counsel on incident response plans. You should have plans to respond to DDoS attacks (and expect those attacks to be of a larger size and to incorporate IoT coordinated botnets). You should make sure that your company has procedures and policies for identifying and accounting for IoT devices in the workplace, not just business related but personal devices as well. And you should stay informed of the latest trends in cyber security.
Thompson Coburn has a team of attorneys with experience helping companies of all sizes prepare for and respond to incidents like this. If you have any questions about this article or any other topic regarding cybersecurity and breach preparedness and response, please feel free to contact us.