Infected Vending Machines And Light Bulbs DDoS A University — from forbes.com by Lee Mathews; with a shout out to eduwire for this resource
IoT devices have become a favorite weapon of cybercriminals. Their generally substandard security — and the sheer numbers of connected devices — make them an enticing target. We’ve seen what a massive IoT botnet is capable of doing, but even a relatively small one can cause a significant amount of trouble.
A few thousand infected IoT devices can cut a university off from the Internet, according to an incident that the Verizon RISK (Research, Investigations, Solutions and Knowledge) team was asked to assist with. All the attacker had to do was re-program the devices so they would periodically try to connect to seafood-related websites.
How can that simple act grind Internet access to a halt across an entire university network? By training around 5,000 devices to send DNS queries simultaneously…
Hackers Use New Tactic at Austrian Hotel: Locking the Doors — from nytimes.com by Dan Bilefskyjan
The ransom demand arrived one recent morning by email, after about a dozen guests were locked out of their rooms at the lakeside Alpine hotel in Austria.
The electronic key system at the picturesque Romantik Seehotel Jaegerwirt had been infiltrated, and the hotel was locked out of its own computer system, leaving guests stranded in the lobby, causing confusion and panic.
“Good morning?” the email began, according to the hotel’s managing director, Christoph Brandstaetter. It went on to demand a ransom of two Bitcoins, or about $1,800, and warned that the cost would double if the hotel did not comply with the demand by the end of the day, Jan. 22.
Mr. Brandstaetter said the email included details of a “Bitcoin wallet” — the account in which to deposit the money — and ended with the words, “Have a nice day!”
“Ransomware is becoming a pandemic,” said Tony Neate, a former British police officer who investigated cybercrime for 15 years. “With the internet, anything can be switched on and off, from computers to cameras to baby monitors.”
To guard against future attacks, however, he said the Romantik Seehotel Jaegerwirt was considering replacing its electronic keys with old-fashioned door locks and real keys of the type used when his great-grandfather founded the hotel. “The securest way not to get hacked,” he said, “is to be offline and to use keys.”
Regulation of the Internet of Things — from schneier.com by Bruce Schneier
Excerpt (emphasis DSC):
Late last month, popular websites like Twitter, Pinterest, Reddit and PayPal went down for most of a day. The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, was as much a failure of market and policy as it was of technology. If we want to secure our increasingly computerized and connected world, we need more government involvement in the security of the “Internet of Things” and increased regulation of what are now critical and life-threatening technologies. It’s no longer a question of if, it’s a question of when.
The technical reason these devices are insecure is complicated, but there is a market failure at work. The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. These devices will affect every aspect of our lives, because they’re things like cars, home appliances, thermostats, light bulbs, fitness trackers, medical devices, smart streetlights and sidewalk squares. Many of these devices are low-cost, designed and built offshore, then rebranded and resold. The teams building these devices don’t have the security expertise we’ve come to expect from the major computer and smartphone manufacturers, simply because the market won’t stand for the additional costs that would require. These devices don’t get security updates like our more expensive computers, and many don’t even have a way to be patched. And, unlike our computers and phones, they stay around for years and decades.
An additional market failure illustrated by the Dyn attack is that neither the seller nor the buyer of those devices cares about fixing the vulnerability. The owners of those devices don’t care. They wanted a webcam — or thermostat, or refrigerator — with nice features at a good price. Even after they were recruited into this botnet, they still work fine — you can’t even tell they were used in the attack. The sellers of those devices don’t care: They’ve already moved on to selling newer and better models. There is no market solution because the insecurity primarily affects other people. It’s a form of invisible pollution.
We have to do something about these security-related issues — now! If not, you can kiss the Internet of Things goodbye — or at least I sure hope so. Don’t get me wrong. I’d like to the the Internet of Things come to fruition in many areas. However, if governments and law enforcement agencies aren’t going to get involved to fix the problems, I don’t want to see the Internet of Things take off. The consequences of not getting this right are too huge — with costly ramifications. As Bruce mentions in his article, it will likely take government regulation before this type of issue goes away.
Regardless of what you think about regulation vs. market solutions, I believe there is no choice. Governments will get involved in the IoT, because the risks are too great and the stakes are too high. Computers are now able to affect our world in a direct and physical manner.
Addendum on 2/15/17:
I was glad to learn of the following news today:
- NXP Unveils Secure Platform Solution for the IoT — from finance.yahoo.com
SAN FRANCISCO, Feb. 13, 2017 (GLOBE NEWSWIRE) — RSA Conference 2017 – Electronic security and trust are key concerns in the digital era, which are magnified as everything becomes connected in the Internet of Things (IoT). NXP Semiconductors N.V. (NXPI) today disclosed details of a secure platform for building trusted connected products. The QorIQ Layerscape Secure Platform, built on the NXP trust architecture technology, enables developers of IoT equipment to easily build secure and trusted systems. The platform provides a complete set of hardware, software and process capabilities to embed security and trust into every aspect of a product’s life cycle.Recent security breaches show that even mundane devices like web-cameras or set-top boxes can be used to both attack the Internet infrastructure and/or spy on their owners. IoT solutions cannot be secured against such misuse unless they are built on technology that addresses all aspects of a secure and trusted product lifecycle. In offering the Layerscape Secure Platform, NXP leverages decades of experience supplying secure embedded systems for military, aerospace, and industrial markets.