In the rush to connect ever more devices to the worldwide web, security seems to have been forgotten along the way. Laurence Marchini explains why this may be a problem.

Make no mistake: the Internet of Things is big… mind-bogglingly big. There have been a number of predictions, and most seem to agree that the IoT will comprise more than 50 billion devices by 2020, and there is nothing to say that number will not continue to rise.

Now, here’s the worrying part. This growth in the numbers of connected devices clearly implies that “things” ever further down the digital food chain will become connected. And many of these things – be they domestic refrigerators, electric kettles, pop-up toasters or even curling tongs – will not be connected with any regard to security. (After all, who cares if their toaster is hacked? What’s the worst thing that could happen?)

Well, the worst thing that could happen has nothing to do with burnt toast. It is not so much the toaster that is under threat as anything that is connected to the toaster. And bearing in mind we are talking about the Internet of Things, the toaster is potentially connected anywhere and everywhere.

Two potential “doomsday scenarios” come to mind.

Take the case of the US manufacturer that was in the process of building a manufacturing plant in China, and thought it would be a good idea to set up webcams so that everyone back home could follow the progress of the project.

According to an executive from the company concerned when interviewed for the 2016 Deloitte report on cyber risk in advanced manufacturing: “They put the live feed on the Internet, but did not realise this rendered it/us as a target. It was hacked. It was brutal.”

While this case illustrates the potential for a connected device to provide a conduit into a company’s systems, it would all have been avoidable if suitable security had been in place to detect and stop the intrusion.

But what if the “dumb” thing could be taken over and used for a different purpose?

Think back to the evening of 9th August 2016 when the Australian Bureau of Statistics’ website was very publicly brought to its knees just when the majority of the country’s population was attempting to complete the national census of population and housing. The cause of the crash was claimed to be a DDoS attack – distributed denial of service – in which the ABS website was bombarded with small amounts of data from a huge number of sources.

Traditionally, these sources have been personal computers infected with malware that enables them to be remotely controlled by the perpetrator of the DDoS attack. With tens of thousands of infected computers (known as a botnet) participating in any given attack (without their owners’ knowledge), the resulting data stream of the attack can reach into the hundreds of gigabits per second – enough to bring down even the most robustly protected sites.

Cue the Internet of Things. And while the things are dumb, they can still be used to wage the war. Worse, because they are so dumb they have little or no security.

The key culprits identified to date are surveillance cameras, baby monitors and digital video recorders, many of which come with security based on default usernames and passwords that is all too simple to exploit. And this weak security has already been exploited by a piece of malware named Mirai, which is reckoned by now to have infected more than half a million such devices.

As the Mirai botnet of IoT devices grows, so the severity of DDoS attacks should grow. However, it does appear that this particular malware is becoming a victim of its own success. The source code for Mirai is freely available on the Internet, and now hackers are competing to recruit devices to their botnets.

But what is the motivation? Why do DDoS attacks happen?

These botnets of infected devices are quite literally “guns for hire”, and can be recruited to take down a competitor’s online presence for a surprisingly small amount of money.

Many attacks, particularly those with a high profile, are carried out simply to show that it can be done. Some are more commercially motivated, either to take out the competition or literally for ransom. Others have been known to be even more nefarious, with the attack serving as a smokescreen to cover other directly targeted hacking activities.

Fortunately, the lessons appear to have been learnt to some extent, and each of the wireless technologies competing for the attention of IoT device developers comes with at least a rudimentary level of inbuilt security.

However, just as the need for data protection in the world of desktop computing gave rise to a whole industry of digital security, which shows no sign of diminishing in size or importance, it is most likely that securing the Internet of Things will prove to be another never-ending task.
