Tens of millions of IoT devices are believed to have been hacked and conscripted into the zombie botnet army that disrupted service at Twitter and other popular web sites.
While millions of zombie devices are impressive, most people want an answer to a far more basic question:
And their second question as a non-geek who is not willing to technically delve into the inner workings and traffic flows of their home (or business) network is just as essential:
Not all IoT devices are created equal or endowed by their manufacturer with the same hackable weaknesses. Some are far more insecure than others. That’s bad if you have these products – they can be hacked within minutes of going online by the Mirai botnet. But, it is also good news because if you don’t have these specific products, you are less likely to be an involuntary participant in a zombie army.
The road to IoT redemption starts with five simple steps
They determine whether you are likely to be in the good or bad news column.
- Identify your devices – The first step is to identify your IoT device portfolio by listing the product type and the manufacturer. With the portfolio of IoT devices spreading faster than some botnets, this might not be so simple. IoT devices include digital cameras, routers, video recorders, and more.
- Peel off the white label (if you can) – Several of the manufacturers fingered in the recent attacks primarily sell their goods as white-label components which are then incorporated into other devices or bundles of equipment installed by a third-party reseller. Finding them is much more complicated than uncovering the dangerous Takata airbags from certain Japanese cars. High up on the suspect list are the electronic boards from the Chinese XiongMai Technologies used in DVR and IP cameras. Judging from the product recall they have just kicked off – with a contrite message for the open market and a more belligerent statement threatening legal action against others – this firm has some security issues to work through.
- Look at the target list – Security journalist Brian Krebs and other researchers have made a list pairing IoT devices and their default passwords that are part of the Miria botnet code. This list of 68 usernames and passwords is just the start. As they point out, most of these passwords were generic and could also be used across product lineups from a single manufacturer. If your device is on this list – beware.
- Be ready to trash your devices – Some IoT devices are inherently insecure, regardless of whatever the owner or network administrator has set up. For example, XiongMai devices produced prior to May 2015 came with the password of xc3511 hardcoded into them. Whoops. Expect this list of the inherently insecure devices to grow.
- Change the default settings – Just because your devices are not on the target list, there is no time to relax. Have you changed the factory default password settings? Please do this now.
Of course, there are more technical ways to determine whether devices have been seduced by the Dark Side. But why go there? The base premise of the IoT is that connected devices should make life easier for everyone – not just the IT professionals. And in parallel to that, keeping them secure should also be attainable for the average consumer.