29 October 2016
Last Friday, a large botnet powered by the Mirai malware caused a significant Internet outage in the United States. This headline in MOTHERBOARD sums it up: ‘Blame the Internet of Things for Destroying the Internet Today’.
IoT devices are inherently insecure.
- IoT devices are, for instance, very often secured by default passwords, which do not necessarily have to be changed during startup. And for ease of startup, WLAN is switched on by default.
- A software life-cycle concept, e.g. patching of critical vulnerabilities, is in general not provided. As a result, the devices become vulnerable to the exploitation of new critical software bugs during their operating life.
A single compromised IoT device has no significant impact on the Internet. But if attackers exploit the vulnerabilities of millions of devices and join them into a botnet, it is very likely that this will have a major impact even on well-secured critical infrastructures.
We need to save the Internet from the IoT. Strict statutory guidelines are required to prevent the collapse of critical infrastructures. Some easy-to-implement technical rules are, for example:
- WLAN is off by default.
- WLAN can only be activated through an out-of-band connection.
- WLAN is activated only after the default password has been changed.
A security label for IoT devices is required to support consumers. The European Commission already established the basis for a security label in the ‘Cybersecurity Strategy of the European Union’, published on February 6, 2013:
‘Develop industry-led standards for companies’ performance on cybersecurity and improve the information available to the public by developing security labels or kite marks helping the consumer navigate the market.’
Devices which do not comply with the basic requirements should be labeled accordingly. In addition, the vendors of such devices should be obliged to take out cyber insurance to mitigate the impact of insecure devices.
In ‘We Need to Save the Internet from the Internet of Things’, published on October 6, 2016 in MOTHERBOARD, Bruce Schneier states:
‘The IoT will remain insecure unless government steps in and fixes the problem.’
Have a good weekend.