Friday, October 21st was more than just a travel day for the World Series winning Chicago Cubs; it was also the day that tens of millions of IoT devices launched a coordinated attack on DNS service provider Dyn. This week, a survey from ESET and the National Cyber Security Alliance showed that 40% of consumers are “not confident at all” that their IoT devices are safe, secure, and able to protect personal information.
More importantly, 36% of respondents have not taken any measures to prevent this sort of intrusion. Many of these measures are just as important for the Industrial Internet of Things (IIoT) as for consumers. The home router is the first point of attack, the gate to the castle so to speak. And instead of letting outsiders storm the ramparts, there are ways you can protect your router and IoT devices. Here is our suggested list of defenses:
1) Ensure all default passwords are changed to strong passwords. (Default usernames and passwords for most devices can easily be found on the Internet, making them extremely vulnerable.)
2) Update IoT devices with security patches as soon as those patches become available.
3) Disable Universal Plug and Play (UPnP) on routers.
4) Purchase IoT devices from companies with a reputation for providing secure devices.
When possible, device passwords should also be changed from the default or generic state, but that is unfortunately not always an option. One more step that would prevent an attack using the released Mirai botnet code is to disable all remote wide area network (WAN) access to the device. Ports that can be used for that access include 22 (SSH), 23 (Telnet), and 80/443 (HTTP/HTTPS). Devices can still provide data upstream to interested devices, but nobody will be able to log in to them for nefarious purposes.
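To check whether a router is actually following steps 3 and the WAN-access advice above, its port-mapping table can be audited for the listed ports. The script below is an added example, not code from this post or any vendor; the CSV export format, the `audit_mappings` name and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Ports the article lists as remote-login paths.
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}

# Constructed sample in a hypothetical export format (not a real router's output).
SAMPLE_MAPPINGS = """\
proto,external_port,internal_ip,internal_port,origin
tcp,8023,192.168.1.50,23,upnp
tcp,443,192.168.1.60,443,static
udp,51820,192.168.1.2,51820,static
tcp,2222,192.168.1.50,22,upnp
tcp,32400,192.168.1.70,32400,upnp
tcp,80,192.168.1.61,8080,static
"""

FIXES = {
    "upnp": "disable UPnP on the router so devices cannot open this themselves",
    "static": "delete the port-forward rule",
}


def audit_mappings(text):
    """Return one finding per WAN mapping that reaches a management service."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["proto"].strip().lower() != "tcp":
            continue  # SSH, Telnet and HTTP(S) logins are TCP services
        ext = int(row["external_port"])
        inner = int(row["internal_port"])
        # Check the internal port first: WAN 8023 -> LAN 23 is still Telnet,
        # even though the external number looks harmless.
        service = MANAGEMENT_PORTS.get(inner) or MANAGEMENT_PORTS.get(ext)
        if service is None:
            continue
        origin = row["origin"].strip().lower()
        findings.append({
            "service": service,
            "wan_port": ext,
            "target": f'{row["internal_ip"]}:{inner}',
            "fix": FIXES.get(origin, "review and remove this mapping"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_mappings(SAMPLE_MAPPINGS):
        print(f'{f["service"]:6} WAN {f["wan_port"]:>5} -> {f["target"]:<18} {f["fix"]}')
```

An empty result means none of the listed login ports is reachable through a forward or UPnP lease; it says nothing about services the router itself exposes on its WAN interface.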
This last attack was a major one, but as the number of IoT devices continues to increase, incidents such as this one will become more frequent. Following the steps above will at least provide a baseline of security. Does security factor into your embedded design? Better yet, will you allow your customers the access needed to protect themselves?