What is IoT?
IoT stands for Internet of Things. In easiest to understand terms, think of home automation and the devices that connect to your wireless network so you can manage them using your phone. For example, know how there is an app for your Nest thermostat or your smart light bulbs so that you can change their color? Well, those are IoT devices. There are even washing machines that will send the wash cycle info to your dryer so it knows how long to dry it for. Some toasters will even display the weather and also take down Twitter, SoundCloud, Spotify, Reddit, and half the Internet!
Wait…My toaster did what?!
That’s right! Hundreds of thousands of IoT devices were hacked and joined a "Botnet" and took down most of the Internet. A botnet is a group of computers/devices that have been modified to listen to commands from someone and most commonly send massive amount of packets/bandwidth at a target to perform a Denial of Service attack. Essentially, thousands of people ran to the same Walmart you are at, and all got in the checkout line in front of you. You aren’t going anywhere, anytime soon! But how could this happen? Well, that part is easy. Every IoT device has a mini operating system built into it, and every operating system needs a password to control it. Unfortunately over the last few years, manufacturers of IoT devices have been setting the administrator password to these devices as the word ‘password’. In other words, anyone can control these devices if they know the ‘password’. Pretty easy to guess that one right?!
Unfortunately, this is the hard part. You as an end-user/consumer, there is little to nothing we can do. We certainly didn’t make these devices, we just turned them on! In reality, it is up to the manufacturer to ensure stronger passwords with operating systems that are secure. In the USA, the NIST(National Institute of Standards & Testing) has come out calling for some regulations to force manufacturers to do exactly that. Unfortunately, as we all know, most things aren’t made in America anymore. It is actually up to electronics manufacturers in Taiwan, South Korea, China, etc to do exactly this. Do you think they will listen to NIST anytime soon?
It’ll get way worse before it gets better.
That’s right! Expect more Denial of Service attacks before manufacturers care enough to fix. They can’t fix these things overnight, that will take lots of time for software development teams to find the bugs that were exploited, fix them, and then make new products that are secure. Meanwhile, hundreds of thousands of IoT devices will be bought, installed, activated, and joined to a botnet!
Thanks…Anything we can do now?!
As an IT consultant, there are definitely things we can do to ensure we aren’t joining the botnets causing the death of the Internet. We can provision firewalls that will prevent the IoT devices from reaching the open Internet to get hacked. Perhaps when opening a port in the firewall, you only whitelist your IP range. That would prevent your devices from being talked to by anyone else but you. An open port is a dangerous port. Always utilize whitelisting of IPs! IT professionals at the data center level can also find ways to restrict traffic from IoT devices that are hacked. But you personally? Not much other than ensure your computers are virus free and always up to date with Windows and OSX updates, because they too can join a botnet!