Cyber Security
Your mum & IoT security
O By Morry Morgan IoT & Technology Correspondent
50 | Asia Pacific Security Magazine
n October 21, 2016 the USA suffered one of the largest cyber attacks of its kind. But this wasn’t the Russians. The culprits were much more terrifying. Thanks to the boom in Internet of Things (IoT) devices and poorly configured innate security features, the culprits were ordinary and naïve mums and dads spread across 164 countries. To be more precise it was their 500,000 plus unsecured routers, digital video recorders (DVRs), security cameras, and even refrigerators that caused the outage – turned into ‘zombies’ by a botnet called Mirai. These mundane appliances, albeit with Internet connectivity, were one minute keeping vegetables fresh or recording an episode of Game of Thrones, and the next sending look up requests with the combined volume of 1,100 gigabits per second; all to a single IP address. Had the victim been a lone website, as was the case in December 31, 2015 when the BBC was hit by a Distributed Denial of Service (DDoS) attack from ‘New World Hacking’, only a small number of users would have been inconvenienced. But the Mirai botnet was more strategic. It attacked the Domain Name Service (DNS) provider, Dyn, based in New Hampshire, and in doing so made the websites of Amazon.com, AirBnB, Netflix, and over 70 other significant companies, invisible for six hours. The IoT had successfully been used for evil, at a cost to companies of roughly $110 million in potential lost revenue. Mirai represents a new type of threat for the interconnected world. By its very nature, IoT creates the condition for rapid proliferation of botnets that often have, as was the case for Mirai, scanning programs that automatically search the Internet for unsecured devices. They then infect,
replicate and then hibernate, until a command is given to awaken and unleash cyber chaos. Worse still, IoT DDoS attacks originate from thousands or even hundreds of thousands of devices worldwide, whose owners are completely ignorant that they are accomplices in a crime. And even if they did know, many IoT devices have no simple patch, update, or virus scanning functionality, meaning the IoT device will be part of the problem until it is replaced. That could be years or decades. In the mean time, the exponential growth of IoT devices is estimated to reach 20 billion by 2020. One solution lies with the regulation of manufacturers. Frank Zeichner, the CEO for IoT Alliance Australia (IoTAA), says that modems in Australia that are “behaving badly” are visible to Internet Service Providers (ISPs) and that these ISPs are responsible for sharing this information with the Australian Communications and Media Authority (ACMA). But while vulnerabilities are being reported, “currently in Australia they are not being acted upon. There are no teeth in responding to this threat.” Zeichner believes that it’s just as important to get information out to the consumers regarding the vulnerability of their routers, cameras and IoT enabled white goods. But he adds that this education will take time and investment. “If Harvey Norman sales people don’t know about the vulnerabilities, then their customers aren’t likely to know either.” This is made further challenging by the eagerness of many manufacturers to release ‘smart’ products without complete understanding of the repercussions of lax security. Evidence to this is last week’s warning that an IoT dishwasher, produced by German white goods giant