Symantec recently released its report on IoT device attacks, IT security experts from profit prpl Foundation and NSFOCUS commented below.
Cesare Garlati, Chief Security Strategist at prpl Foundation:
“The nature of many IoT devices is that they are always on and always connected, making them prime targets for attackers to exploit. If we look at the humble light bulb, while it might not seem like a big deal if a single light bulb in a home is breached, what if a hacker could control every one of those light bulbs within a set area to create a power surge that cause a massive black out?
For this reason, the prpl Foundation advocates for standards in for manufacturers and developers of IoT – in even the smallest of devices. Three basic principles to these standards are using open source – rather than proprietary software, forging a root of trust at the hardware level in embedded systems and exercising security by separation using hardware virtualisation, so all of your “security eggs” are not in one basket – making it more difficult for criminals to get control.”
Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS:
The primary reason why IoT devices are being hacked and most often added to existing botnets is primarily because there are accessible from the Internet directly. Often, people who deploy an IoT device, for example a CCTV camera, thermostat, security system, baby monitor, personal electronic assistant, etc., are simple not deploying them behind firewalls. Instead, they are deploying them in a fashion whereby the devices are completely accessible from anywhere on the Internet. Also, many people are not changing default passwords on these devices. Vendors who develop these technologies try to make them as easy as possible to install to help reduce customer support calls; which can be very costly for the vendor. If people are having difficulty deploying an IoT device, what’s the natural response? Call support! Therefore, many of the IoT devices are plug-and-play and very easy to install. Easy to install doesn’t mean they’re actually secure.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.