Several weeks ago, I attended the Cyber Security Summit in Boston for a long and tight agenda on many aspects of cyber security. There were many great sessions, but I wanted to focus on one because it is living with us every day. It’s the IoT, or “Internet of Things.” IoT refers to gadgets that are in our homes or businesses, which usually connect to our WIFI. These gizmos make our lives easier and more enjoyable. Thermostats, mysterious boxes we can ask questions of, refrigerators, smartphones and so many more things require internet access. But are they safe to connect?

Remember that the vulnerabilities of each device on your network dictate the overall safety of everything on the network. Just like having one Windows XP machine compromises the entire network, many of these “things” have their own operating systems and they all have a default username and password that is freely available on the internet.

Do you remember a year ago last month when the internet went down in the northeast? For some of us, it only slowed down. The cause of it was precisely the IoT, millions of them, that at a certain date and time were programmed to send out so many information packets that it shut the internet down for a few hours. This is called a Distributed Denial of Service (DDoS) attack, where certain sites are barraged with information to the point that they are overloaded and can’t handle any requests. Here’s one of the news stories about it: http://nhpr.org/post/granite-geek-ddos-attack-dyn-and-internet-things#stream/0
This could have been avoided if a few precautions were taken when the device was connected. Speaking in terms of a business network, changing the default password on the device and connecting it to a guest network separate from the company network would probably have prevented it. You probably didn’t even know that your WIFI thermostat helped stop the internet that day, but I am sure that many of you who are reading this had exactly that happen and you never knew. They are like dormant Decepticons that share your space and use your internet. Another tip is to update the firmware on these devices whenever the manufacturer releases updates for them.

Beyond taking part in a DDoS attack, keep in mind that the device is on your network. If it is compromised and malicious code can be loaded on it, why wouldn’t it search the network for personal information or corporate files such as accounting data? Credit cards? Emails? I have heard some of our clients say “we have nothing to hide” but there is always something you don’t want to fall into the wrong hands.
Another example was given during one of the sessions at the Cyber Security conference. A company had a small conference room with a video camera and microphone used for videoconferencing. The company was engaged in many board meetings in that room during a time of a merger. It was found later that the microphone (not the camera) was turning on during these meetings, but at no other time, and that voice data was being transmitted over the network to an IP address outside of their network.

Before you think that you can find out where it really went, remember that almost every hacking involves an oblivious third party in the middle. These are called “Man in the Middle” attacks. I had this conversation with a prospect a couple of weeks ago where they wanted to be secure, but didn’t want to spend too much to be REALLY secure because they are just a small company in the middle of nowhere. But, being vulnerable enough and under the radar, a hacker would steal from a large company by way of the coffee shop in another state or country because they probably did attach an IoT device to their network and didn’t change the password on it. When the IP is traced from the affected company, they are knocking on the door of a small company that had no idea they were compromised – but not directly hacked for their own information.
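One way to catch behaviour like the conference-room story, and to check the guest-network precaution at the same time, is to review the traffic records your firewall already keeps. The Python below is an added example, not something shown at the summit or taken from any product; the networks, device names, addresses and flow records are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed layout (hypothetical): a company LAN plus a separate guest network for IoT.
COMPANY_NET = ipaddress.ip_network("10.0.0.0/16")
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")
INTERNAL_NETS = [COMPANY_NET, GUEST_NET]

# Constructed inventory: device IP -> (name, outside destinations it is expected to reach)
IOT_DEVICES = {
    "192.168.50.10": ("thermostat", {"198.51.100.20"}),  # vendor cloud (constructed)
    "10.0.4.31": ("conference-room-av", set()),          # should never leave the LAN
}

# Constructed flow records: (time, source IP, destination IP, bytes sent)
SAMPLE_FLOWS = [
    ("09:00", "192.168.50.10", "198.51.100.20", 1_200),
    ("10:05", "10.0.4.31", "10.0.1.5", 48_000),
    ("10:06", "10.0.4.31", "203.0.113.77", 5_400_000),
    ("10:36", "10.0.4.31", "203.0.113.77", 6_100_000),
    ("11:00", "10.0.9.14", "203.0.113.77", 900),         # not an IoT device
]

def is_internal(addr):
    # Compare against our own network list instead of ipaddress's is_private,
    # which also counts some reserved ranges (documentation ranges) as private.
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def unexpected_egress(flows, devices):
    """Total bytes per (device name, outside destination) not on the allowlist."""
    totals = defaultdict(int)
    for _time, src, dst, nbytes in flows:
        if src not in devices or is_internal(dst):
            continue
        name, allowed = devices[src]
        if dst not in allowed:
            totals[(name, dst)] += nbytes
    return dict(totals)

def devices_on_company_network(devices):
    """IoT devices that sit on the company network instead of the guest one."""
    return sorted(name for ip, (name, _allowed) in devices.items()
                  if ipaddress.ip_address(ip) in COMPANY_NET)

if __name__ == "__main__":
    for (name, dst), total in unexpected_egress(SAMPLE_FLOWS, IOT_DEVICES).items():
        print(f"{name} sent {total} bytes to outside address {dst}")
    print("IoT on company network:", devices_on_company_network(IOT_DEVICES))
```

With the constructed data, the thermostat's traffic to its vendor is ignored, while the conference-room device is reported twice over: it sits on the company network and it is sending megabytes to an outside address nobody approved.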
So it’s true about your toaster – it really can rule the world if you don’t pay attention to it.
As always, we are here if you want to understand how to protect your organization or home from being vulnerable.