Let’s start with accepting that the IoTs are everywhere and in everything. This isn’t a sci-fi novel of what’s to come, it is our own reality, here and now, August 1, 2018.
Do you have a smart TV? A smart watch? Maybe a baby monitor? Or how about those fancy smart home cameras and thermometers? Well then… you have an IoT device. They are wireless devices that connect to a network and are capable of transmitting data. They can also communicate and interact over the internet and can be remotely controlled and monitored.
Remember how burdensome it was to have to manually adjust the settings on the thermostat? Well that’s no longer an issue. There’s an app for that.
Even devices such as the coffee maker in your kitchen can now be an IoT device and have the ability to communicate and interact (transmit data). Although the idea of being able to make coffee before you even get out of bed seems terrific, it also poses a threat.
More connection may allow for ease of access and ability to streamline processes; it also creates a potential vulnerability we still fully don’t appreciate. Gartner Inc., the world's leading research and advisory company, estimates that by 2020 there will be over 20.4 billion connected devices. These connected devices access vulnerable information shared on the networks they are connected to. With mass-production of these devices, and associated cost-saving measures used by the manufacturers, the security features leave a lot to be desired.
So what’s the concern with botnets?
A botnet is often controlled by a cyber-criminal who infiltrates an IoT device. These botnets creep the internet for vulnerable targets. Once they infect a device, they lay dormant or remain under the radar until they receive instructions by the cyber-criminal to perform certain actions.
Botnets can be used for a variety of attacks, most commonly used for distributed denial of service (DDoS) attacks, but can also be used to send large volumes of spam, steal credentials and sensitive information, spy on people or organizations and use the affected machines to mine cryptocurrencies.
Like a creepy-crawly lurking in the dark, botnets remain undetected until they have affected enough devices to be able to carry out their goal.
They often gain access to devices by targeting unpatched or outdated software, or through easily guessable manufacturer passwords such as “admin,” “password,” or “12345.” Out-of-the-box devices often have these types of passwords, and consumers are urged by the manufacturers to change them at set-up. In this day and age, taking a lax approach to securing professional or personal data is, well, just silly.
With continued change and development, shutting down botnets becomes more difficult. And then there is the difficulty associated with trying to use local law enforcement to prosecute extra-jurisdictional cyber criminals (more on that in a future blog).
As IoT devices are becoming more widespread and readily accessible, so is the threat to our data. If a cyber-criminal gains access to an IoT which includes a camera, they may be able to see everything the camera can see: home or not, dressed or not, eating chips, drinking beer and binge watching your series of the week…or not.
Let’s not wait until it’s too late.
Once the data is accessed, the cyber-criminal can hold it for ransom, publish it, sell it on the dark web, or use the data to commit further attacks. This poses a significant threat to businesses as well as consumers.
In 2014 Ebay was the target of a cyber-attack. The cyber criminals had access to Ebay’s network for 229 days, compromising 145 million users, including their addresses, date of birth, and passwords. Do you use the same password for EVERYTHING? Well, maybe it’s time to change that.
Even companies like Equifax, one of the largest credit bureaus in the US, was exploited in 2017, risking the data of 143 million US consumers, including their social security numbers. The threat to smaller, less security-savvy businesses is tangible.
Botnets are here, and likely here to stay.
Cyber smarts and resilience are critical to our ability to protect our personal and business data. Businesses, consumers and law enforcement agencies must all be proactive in our approach to cybersecurity and implement well thought out practices to limit our cyber risk.
Stay tuned for the SF August blog: The Dawning of the Age of Nanobots
