The Internet of Things
What is the IoT?
As the cost of connecting to the Internet has decreased, more everyday devices are being made to connect online. These devices, from your Fitbit and WiFi-enabled camera to your car and household appliances, make up the network of interconnected devices known as the Internet of Things. The number of devices connected to the Internet is growing rapidly. Today, there are around 4.9 billion devices on the Internet, with some experts projecting that number will rise to 24 billion devices by 2020.
Not only are designs in the works to connect most of your electrical devices to the Internet, but soon everything from the clothes you wear to the roads you drive on may also be equipped with sensors and Internet access. Consumers, governments, and businesses are all participating in the Internet of Things, which introduces massive security vulnerabilities for cybercriminals to exploit.
IoT security flaws
When mass-producing cheap, connected devices, security isn’t always a priority for manufacturers. Over the past two years alone, participants at the hacking convention DEFCON have found 113 critical IoT security flaws, including ways to access a smart door lock using the victim’s phone, damage solar arrays, and take control of smart wheelchairs.
Here are some common IoT flaws:
- Many IoT devices are manufactured with insecure default settings that are nearly impossible to change. Some devices may have hardcoded usernames and passwords, firmware that is impossible to update, or no system for disseminating security patches to customers.
- More and more data about users’ habits, locations, and activities are being entrusted to IoT device manufacturers, and that data can be misused. Without strong security and regulation, this information could be exploited by advertisers, criminals, or governments in unintended ways.
- Small processors in IoT devices often cannot support robust forms of encryption and other security best practices. A study by HP’s Fortify found that 7 out of 10 IoT devices don’t encrypt communication to local networks and the Internet, 7 out of 10 allowed account enumeration, 6 out of 10 were vulnerable to cross-site scripting, and 8 out of 10 didn’t require sufficiently strong passwords.
The Mirai botnet attack
Some of these security flaws mean that IoT devices can be commandeered by malware and organized into a “botnet” used to bombard a target with traffic until it collapses. This type of attack is called a distributed denial of service (DDoS) attack. DDoS attacks are challenging to defend against because targets often can’t differentiate between legitimate and botnet traffic. They are effective because, while building a botnet is cheap for attackers, targets usually don’t have the know-how or resources to resist a DDoS attack.
On October 21, 2016, the largest DDoS attack in history targeted Dyn, a company that manages large portions of the Internet’s domain name system (DNS) infrastructure. DNS resolves domain names into IP addresses, making it essential for accessing websites. By taking down Dyn, this cyberattack successfully brought down sites like Netflix, Reddit, Twitter, Spotify, Soundcloud, and more that depend on Dyn’s services. The attack, carried out mainly with Mirai malware, exploited IoT devices using default usernames and passwords, hijacked them, and incorporated them into a vast botnet to overwhelm its targets with traffic.
DDoS attacks are not new to cybersecurity, but this attack relied mostly on DVRs and IP cameras instead of PCs, making it much larger than other botnets. According to a blog post by Dyn, the attack involved tens of millions of IP addresses and directed a record-breaking 1.2 Tbps of data at its target. Dyn mitigated the first wave after 2 hours; a second wave followed and was mitigated one hour after it began.
Soon after, an unidentified user using the moniker “Anna-senpai” released the source code used in the Dyn attack on Hackforums, likely to avoid sole possession of the code if targeted by law enforcement. This also means that less skilled hackers now have access to the botnet’s code. Recently, security journalist Brian Krebs wrote an extensive blog post tracing the identity and online presence of Anna-senpai, recommended for anyone interested in the story. For more information, you can check out his other stories on the Internet of Things and its surrounding market.
Could your device be infected?
Many of the devices used in the Mirai botnet are behind routers and cannot be directly accessed from the Internet; Mirai accessed these devices through ports opened by Universal Plug and Play (UPnP), a networking protocol that allows devices to discover each other's presence. If you suspect UPnP has opened a port on your device, Krebs recommends running Steve Gibson’s UPnP exposure test, unPnP. If your devices still use a default password, rebooting them and resetting them to factory settings will clear botnet malware off your device. Make sure to change your default password immediately to prevent reinfection.
Unfortunately, even if you change your password using the web interface, botnets may still access your device through other methods such as Telnet and SSH interfaces. Many manufacturers hardcode devices with default usernames and passwords that the web interface does not change. These credentials cannot be feasibly changed without rebuilding the hardware, so manufacturers must take responsibility for their devices’ security in the future.
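From the defender’s side, an infected device gives itself away by the same behaviour Mirai relies on: it tries Telnet logins against many addresses in quick succession. The following is an added example (not code from the original article or from any project it cites) that flags such fan-out in router or firewall connection logs; it assumes a constructed log line format, that the scanner probes TCP ports 23 and 2323, and a threshold of five distinct targets within sixty seconds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall/NetFlow-style connection logs (not real data).
# Assumed line format: "<ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> TCP SYN"
SAMPLE_LOG = """\
2016-10-21T11:00:01 192.168.1.20:51234 -> 93.184.216.34:443 TCP SYN
2016-10-21T11:00:02 192.168.1.45:40001 -> 203.0.113.5:23 TCP SYN
2016-10-21T11:00:02 192.168.1.45:40002 -> 203.0.113.9:23 TCP SYN
2016-10-21T11:00:03 192.168.1.45:40003 -> 198.51.100.17:2323 TCP SYN
2016-10-21T11:00:03 192.168.1.45:40004 -> 198.51.100.88:23 TCP SYN
2016-10-21T11:00:04 192.168.1.45:40005 -> 203.0.113.77:23 TCP SYN
2016-10-21T11:00:04 192.168.1.20:51235 -> 93.184.216.34:443 TCP SYN
2016-10-21T11:00:05 192.168.1.45:40006 -> 198.51.100.4:23 TCP SYN
2016-10-21T11:00:30 192.168.1.30:33000 -> 203.0.113.5:23 TCP SYN
"""

LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) TCP SYN$")
# Telnet on 23 and the alternate 2323 (assumed scanner targets for this example).
TELNET_PORTS = {23, 2323}


def parse(log_text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for each well-formed SYN line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_telnet_scanners(log_text, window=timedelta(seconds=60), min_targets=5):
    """Map src_ip -> most distinct Telnet targets hit within any `window`,
    for hosts reaching `min_targets` or more. One login is normal; fan-out is scanning."""
    hits = defaultdict(list)
    for ts, src, dst, dport in parse(log_text):
        if dport in TELNET_PORTS:
            hits[src].append((ts, dst))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            flagged[src] = best
    return flagged
```

Run `find_telnet_scanners(SAMPLE_LOG)` to see that only the host fanning out to six Telnet targets is reported, while the single ordinary Telnet login from another host is not.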
Going Forward
Recent IoT-based attacks have highlighted the security issues of producing cheap and insecure devices. Consumers are typically driven by low costs rather than security standards, especially when the repercussions of insecure IoT devices don’t directly affect them, as in the Dyn DDoS attack. Manufacturers are also reluctant to make changes that make their products less convenient. Government regulation of IoT devices is one proposed solution to overcome the unique challenges of IoT security, including an agency to enforce basic security and allow companies like Dyn to sue IoT companies involved in large-scale DDoS attacks. ISPs have also started cracking down on devices making up botnets, as insecure devices hog bandwidth and slow performance. Addressing IoT security issues will require participation from all these forces.