Imagine hundreds of thousands of connected devices, including ordinary products (such as routers, DVRs, webcams, security cameras, and even smart kitchen gadgets) working in concert to assault a specific and high-profile target. Remember that day in late October when weird things happened when you tried to visit some of your favorite websites? This is, in essence, what occurred.
It is called a distributed denial of service (DDoS) attack. It’s when a target is flooded with a deluge of data, temporarily slowing down or shutting down its service. Think of a train door. Three or four people can successfully get in at the same time without incident. If fifteen to twenty try, there is going to be a bit of struggle. If one hundred people try at the same time, the train door will be overwhelmed. A DDoS attack is similar. An attacker, having taken control of a large number of connected devices, can simultaneously point these devices at the intended target, disrupting service and making it far more difficult for legitimate traffic to flow through.
Mirai is a Japanese given name meaning "the future." It’s also the name of a botnet—a network of private computers infected with malicious software and controlled as a group without the owners' knowledge—that is currently wreaking havoc across cyberspace. In October, Mirai was pointed at Dyn, a domain name service provider. This attack disrupted service across many popular websites including PayPal, Twitter, Reddit, Amazon, Netflix, and Spotify. The number of infected devices used in the attack was likely in the six figures. The source code for Mirai has been released online, and it has also been used to attack cybersecurity blog “Krebs on Security,” French internet provider OVH and, most recently, the internet infrastructure of the nation of Liberia.
Mirai has opened a Pandora’s box—one that is connected to a lot more Pandora’s boxes. These devices, a part of the growing Internet of Things (IoT), are almost always connected to the internet and are frequently secured poorly. We are seeing, in stark reality, these IoT devices causing serious problems because of some notable vulnerabilities:
- Manufactured Security Weaknesses: IoT devices are often designed more for ease-of-use and cost than with robust security measures in mind. They frequently come with firmware that doesn’t get updated and login credentials that are easy to obtain or (using dictionary attacks) guess. Passwords are rarely changed or are sometimes hard-coded and cannot be changed by a user. Password and firmware updates can be difficult for users to navigate, which only compounds the problem.
- The Default Password Predicament: Mirai malware begins by attempting to connect to devices where default factory credentials remain (or those with weak credentials) using a quick dictionary attack. If a password has not been changed by the owner or remains weak, and is discovered, this device can be pulled into the botnet. Once a device is compromised, it can continue to be compromised, even after a reboot, until the login credentials are changed.
In the meetings industry it is increasingly common for events to be powered by lots of technology and held in facilities that are littered with Web-based cameras, credit card terminals, wireless routers, computer-controlled lights, and HVAC. All of this creates a new source of potential problems for meeting owners!
So, what are some easy security steps you can take?
- Be extremely diligent about considering if a device needs to be connected to the internet. If it is not necessary for the device to be connected, it probably shouldn’t be.
- Ensure that passwords, whenever possible, have been changed on devices from the default factory password.
- Use passwords that are difficult to guess and contain a variety of letters, numbers, and characters.
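For a venue or event team that keeps a list of its connected devices, the three steps above can be run as a quick audit. The following is an added example, not code from the original article: the inventory fields, the sample devices, the short list of common passwords, and the 12-character minimum are all assumptions made for illustration, and the password field stands for the value read off the device during a hands-on check.

```python
import string

# Constructed sample of factory-default and commonly guessed passwords.
COMMON_PASSWORDS = {"admin", "password", "12345", "123456", "root", "default", "guest"}
MIN_LENGTH = 12  # assumed policy threshold, not a figure from the article

def password_findings(password, username=""):
    """Reasons this password would fall quickly to a dictionary attack."""
    findings = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or (username and lowered == username.lower()):
        findings.append("password is a common or default value")
    if len(password) < MIN_LENGTH:
        findings.append(f"password is shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        findings.append("password mixes fewer than 3 kinds of characters")
    return findings

def audit_device(device):
    """Apply the three steps from the list above to one inventory record."""
    findings = []
    if device["internet_connected"] and not device["needs_internet"]:
        findings.append("connected to the internet without needing to be")
    if device["password"] == device["factory_password"]:
        findings.append("factory default password was never changed")
    return findings + password_findings(device["password"], device["username"])

def audit_inventory(inventory):
    """Map device name -> findings, listing only devices that need attention."""
    report = {d["name"]: audit_device(d) for d in inventory}
    return {name: f for name, f in report.items() if f}

# Constructed inventory for an event venue (all values are made up).
SAMPLE_INVENTORY = [
    {"name": "lobby-camera", "username": "admin", "password": "admin",
     "factory_password": "admin", "internet_connected": True, "needs_internet": False},
    {"name": "registration-router", "username": "netops", "password": "Quiet-Harbor-71-Lamp",
     "factory_password": "admin", "internet_connected": True, "needs_internet": True},
    {"name": "hvac-controller", "username": "hvac", "password": "hvac2016",
     "factory_password": "1234", "internet_connected": False, "needs_internet": False},
]
```

Calling `audit_inventory(SAMPLE_INVENTORY)` lists the camera and the HVAC controller with the reasons each needs attention, and leaves out the router, which passes all three checks.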
Connected devices are incredible because they allow us to do things that were once unthinkable. But they do not come without risk. It is important to understand the risks while taking basic steps toward enhancing the security of these devices.