Following the news story "Hackers Test Stolen Emails W/IoT Devices" (covered by The WSJ, PYMNTS, and Krebs on Security), IT security experts from Rubicon Labs and STEALTHbits commented below.
Rod Schultz, VP of Product at Rubicon Labs:
“Experts may have known about vulnerabilities in the networking protocols that were exploited for over 10 years, but the world has understood the dangers of a virus for over a century. Connect a device to a network and you must model that device as a biological entity. History has shown that certain biological viruses have catastrophic impact on society, and now that we are connecting billions of devices to a network it’s time everyone understands that the same thing is going to happen to digital things. Technological progress must be coupled with advances in security. Devices require unique credentials and identities that will create a more diverse attack surface and go a long way toward preventing this style of viral attack on our expanding digital world.”
Brad Bussie, CISSP, Director of Product Management at STEALTHbits:
“The main problem facing the Internet of Things stems from the common vulnerability known as the default password. How many devices do consumers purchase that have a default username and password that are never changed? Many internet routers, cable boxes and other devices connected to the internet all have default profiles used for configuration. The intention is for the end users to change the default password or to even create another user account once the device setup is complete, but most devices do not enforce this activity. So what are we left with? Millions of devices with admin and password as the only login information that an attacker needs. Gone are the days where simply being behind a firewall that’s set to deny most incoming traffic means a protected device.
“Hackers have databases with massive username and password combinations, and these databases grow bigger every day and with each data breach. In order to get in front of this wave crashing down on the Internet of Things, device manufacturers need to enforce a username/password change the first time a device is configured, and promote uniqueness for both.”