Portnox CEO Denny LeCompte offers an interesting read on the Internet of Things, security, and even cold drinks.
the The Internet of things It’s loosely defined as devices other than a computer that can connect to the internet, and these days, that includes everything from a Fitbit to a refrigerator.
Like the Internet itself, IoT devices are great tools that make us more efficient and healthy, and while they generally make our lives easier, they also open up possibilities for us to be frustrated, annoyed, and overwhelmed.
When you think of medical IoT applications, for example — doctors monitoring their patient’s vital signs in real time or adjusting medications on the go — it’s only natural to wonder about the marvels of our modern infrastructure. Then you go to fill up your car and suffer through blatant advertising on the small, scratched screen of the gas pump, and between fantasies of taking a sledgehammer to it, wondering why humanity ever developed this scourge of modern life.
It all started with a cold drink
Long before the Internet became the cause and solution to all of life’s problems, a computer science professor at Carnegie Mellon University in the early 1980s discovered a vending machine that could connect to the ARPANET. Tired of hauling the machine to the machine from his desk only to discover it was empty—or, worse, filled with only warm soda—he and two students wrote a program that would report the contents of the machine and whether the cans had been in there long enough to become cold from refrigeration. the device. Thus, the first Internet of Things device was born.
From this inauspicious beginning, a phenomenon was also born. According to Statista, as of 2022, there has been an estimate 13.14 billion IoT devices are connected to the Internetwith projections of a total of 29.42 billion by 2030.
We see: Recruitment group: IoT developer (TechRepublic Premium)
lurking in the shadows
Along with the advent of IoT devices, there has unfortunately been a rise in cybercriminals using them as an attack vector. The very nature of the devices makes them an attractive target: they are designed to be extremely easy to install, meaning a user can just point them into a network and IT is none the wiser.
This is so popular that there is a term for it: Shadow IoT. In one study by Infoblox, 80% of IT leaders Finding IoT devices on their networks that they don’t know about.
It doesn’t help that manufacturers often take a very loose approach to security. Patches and firmware updates are released slowly, if they appear at all. Most IoT devices do not have a mechanism to check for and install regular updates. Even worse, many devices come with standard administrator logins that never require you to change your password.
Given all that, it’s no surprise that these devices have been at the center of numerous data breaches.
Brute force calls, botnets, and API’s
IoT devices are a particularly attractive target for creating a botnet for a distributed denial-of-service attack.
The Mirai malware was created for exactly this purpose in 2016. It scanned the internet for IoT devices running on the ARC processor (1.5 billion devices as of 2014) and then try a brute force attack with a database of common factory default credentials. Once in, the device continued to function normally – thus hiding the vulnerability – but was under control from a remote targeting server. It has notably been used to take down DNS provider DYN, affecting Amazon, Github, HBO, Netflix, Reddit, and more of the Internet’s most popular destinations.
In 2021, many users of Western Digital’s My Book Live Suddenly found their storage partitions were wiped, which in some cases erases years of data. The root cause was an exploit in the REST API that allowed unauthenticated remote command execution. This exploit was reported three years ago, but was ignored by Western Digital because the hardware was no longer supported.
Security cameras at several Tesla warehouses belonging to a security startup called Verkada have also been accessed. I wouldn’t use the word “hack”, because that would give the bad actors too much credit, as it turns out they found those administrator credentials publicly online. This gave them access not only to Tesla, but also to many other well-known companies’ security feeds and full video archives – including Equinox and Cloudflare.
Who watches the guards?
Although these data breaches have caught the attention of regulators and professional organizations, any changes in legislation may come too late to prevent the next bot or API exploit.
Given the widespread scope of these breaches and the appeal of IoT devices as targets, should you run home and unplug every smart device you have? Not necessarily, but the most important tip here is that the onus for security is on you as the end user.
Deny Lecompte is the CEO of the company Portnox.