|By Peter Silva||
|February 18, 2017 12:00 PM EST||
Security Trends in 2016: Securing the Internet of Things
Whenever you connect anything to the internet, there is risk involved. Just ask the millions of IoT zombies infected with Mirai. Sure, there have been various stories over the years about hacking thermostats, refrigerators, cameras, pacemakers, insulin pumps and other medical devices along with cars, homes and hotel rooms…but Mirai took it to a new level.
And it’s not the only IoT botnet out there nor are these nasty botnets going away anytime soon. There’s a gold mine of unprotected devices out there waiting to either have their/your info stolen or be used to flood another website with traffic.
This is bound to compound in the years to come.
A recent Ponemon Institute report noted that an incredible 80% of IoT applications are not tested for vulnerabilities. Let’s try that again – only 20% of the IoT applications that we use daily are tested for vulnerabilities. There’s probably no indication or guarantee that the one you are using now has been tested.
Clearly a trend we saw in 2016, and seems to continue into 2017, is that people are focusing too much on the ‘things’ themselves and the coolness factor rather than the fact that anytime you connect something to the internet, you are potentially exposing yourself to thieves. There has been such a rush to get products to market and make some money off a new trend yet these same companies ignore or simply do not understand the potential security threats. This somewhat mimics the early days of internet connectivity when insecure PCs dialed up and were instantly inundated with worms, viruses and email spam. AV/FW software soon came along and intended to reduce those threats.
Today it’s a bit different but the cycle continues.
Back then you’d probably notice that your computer was acting funky, slowing down or malfunctioning since we interacted with it daily. Today, we typically do not spend every waking hour working with our IoT devices. They’re meant to function independently to grab data, make adjustments and alert us on a mobile app with limited human interaction. That’s the ‘smart’ part everyone talks about. But these botnets are smart themselves. With that, you may never know that your DVR is infected and allowing someone across the globe (or waiting at the nearest street corner) watch your every move.
Typical precautions we usually hear are actions like changing default passwords, not connecting it directly to the internet and updating the firmware to reduce the exposure. Software developers, too, need to plan and build in security from the onset rather than an afterthought. The security vs. usability conundrum that plagues many web applications extends to IoT applications also. But you wouldn’t, or I should say, shouldn’t deploy a financial application without properly testing it for vulnerabilities. There the risk is financial loss but with IoT and particularly medical/health devices the result can be deadly.
Mirai was just the beginning of the next wave of vulnerability exploitation. More chaos to come.
- Rise of the Machines Report – Institute of Critical Infrastructure Technology (pdf)
- The Botnet that Broke the Internet Isn’t Going Away
- Mirai Strikeback – an iRule to kill IoT Bot Processes from your F5
- Security Sidebar: Regulating the Internet of Things
- Hotel ransomed by hackers as guests locked in rooms
- 80% of IoT apps not tested for vulnerabilities, report says
- Awesome IoT Hacks (Github)
- RSA 2017: The Internet of Things security threat
- What Is #MQTT? | @ThingsExpo #IoT #M2M #RTC #DigitalTransformation
- What to Expect in 2017: Mobile Device Security | @ThingsExpo #IoT #M2M #Mobile
- What Is Virtual Desktop Infrastructure | @CloudExpo #VDI #Cloud #DataCenter
- What Is a Proxy? | @DevOpsSummit #Agile #DevOps #ContinuousDelivery
- Lightboard Lessons: What is a Proxy?
- Social Login to Enterprise Apps using BIG-IP & OAuth 2.0
- Q/A with Admiral Group’s Jinshu Peethambaran – DevCentral’s Featured Member for March
- Protecting API Access with BIG-IP using OAuth
- Lightboard Lessons: Service Consolidation on BIG-IP
- Q/A with Betsson’s Patrik Jonsson – DevCentral’s Featured Member for April
- Cloud Computing Making Waves
- Bit.ly, Twitter, Security & You
- Global Distributed Service in the Cloud with F5 And VMware
- Lori MacVittie Interview at Cloud Connect
- Working with One of the Top Ten Women in the Cloud
- Create a Smarter Storage Strategy
- The Threat Behind the Firewall
- Will Open Source Open Doors for Cloud Computing?
- Oracle Data Guard Sync Over the WAN with F5 BIG-IP
- 2010 Year End Security Wrap