2017 – The Year of IoT (In)Security


The last 12 months signaled a real watershed in IoT security. Exactly one year ago the first ever IoT botnet burst onto the world scene with an attack so big it left the world gasping for air. Since then we’ve witnessed several other such attacks that have forced a mentality change within the IoT industry, the security industry, regulators and the general public. So, this is what happened in IoT security in 2017.

Mirai debuts

The original IoT botnet was first discovered back in August 2016, then launched an attack on Brian Krebs’s website in September, and then brought down a large part of the web services on the east coast of the US in October’s Dyn attack. What started out as a ploy to gain more traffic to the popular online game “Minecraft” turned out to be a devastating worm that infected numerous connected devices and was leveraged for a DDoS attack larger than anything previously conceived.

Mirai and its nefarious brother, Brickerbot, were both active and kept spreading in various geographies throughout the year. The same types of bots were utilized for such attacks as the DDoS attack that crippled a US college for 54 hours straight.

New botnet attacks

But Mirai was not alone: new and dangerous types of botnets kept appearing throughout the year, first the IoT Reaper botnet and then the Satori botnet. Both prove that the Mirai botnet was not a one-time incident, but more of a proof of concept, demonstrating the potential impact and igniting the imagination of hackers to create new and improved versions.

Law enforcement

With all this malicious IoT activity it may seem like law enforcement agencies are overwhelmed by IoT risks. In fact, agencies have learnt to cooperate better in recent years (as a reaction to the global cybercrime and espionage epidemic), and have had some major successes on the IoT cybersecurity front, such as taking down the Andromeda botnet and the arrest, trial and conviction of the Mirai authors.

Public awareness

It seems that the large-scale attacks have definitely raised awareness of the risks IoT embodies. However, the impact is not uniform across consumers, organizations and decision makers. It seems that consumers, even though now aware of the potential implications, are more keen on acquiring IoT (or “Smart”) devices, regardless of their security levels (Consumers Want IoT Toys Regardless of Security, Survey Finds). In fact, a recent survey found that 53% of respondents state that IoT will make their lives easier, yet only 9% have a high level of trust that their data collected and shared via IoT is secure.

Enterprises also acknowledged this risk, but fewer than half of the companies surveyed actually secure their devices, and as little as 11% (of the total spend on IoT) is aimed at security.

Regulation is coming

With such a high discrepancy between the need for security and its manifestation, it’s no wonder that both consumers and businesses favor more stringent IoT security regulation, a fact we’ve written about recently in our blog.

Recent studies show that over 90% of respondents (both segments) have called for greater oversight and regulation/standardization of IoT security. Lawmakers are aware of this and several countries have begun enacting laws to guarantee consumers’ privacy and security while using IoT devices. For instance, two U.S. senators have introduced a bill titled “The Internet of Things Consumer Tips to Improve Personal Security Act,” that would require the Federal Trade Commission to develop cyber-security resources for consumers, addressing how consumers can protect themselves against cybercriminals targeting internet-connected devices. Germany has banned the sale of connected children’s toys and Australia is hoping to introduce an “IoT security rating” system, to allow consumers to make educated decisions about purchasing connected devices.

Summary

If anything, 2017 proved that IoT embodies risks that can no longer be ignored. Governments (regulators), the public and the industry must all strive to create standards and demand better security from manufacturers and service providers. If we fail to do so, we fear what we’ve seen in 2017 was just the beginning. Have an IoT-secured year in 2018!

 


December 20th, 2017