Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Buyer Beware: The Internet of Things Comes Under New Cyber Attack from Multiple Fronts

It is estimated that by the end of 2020, there will be more than 50,000,000,000 (yes, billion) connected devices that are part of the Internet of Things (IoT). This is a five million percent increase in IoT devices over the last 20 years. Most of these devices are designed and manufactured for use in homes and vehicles or are wearable devices. These devices include everything from home security cameras to baby monitors, thermostats, car ignition starters, smart watches and even medical devices, such as pacemakers. There are literally thousands of different types of IoT devices that integrate into almost every aspect of your home and work life.

With this rapid growth of the IoT market come increased cyber security risks. Recently, cyber-threat actors have exponentially increased their attack matrixes on IoT devices in an attempt to attack, disrupt and steal personal data from millions of users who rely on these devices, but who are unaware that many of them have little to no substantive security. In short, there has been a shortage of viable cyber security protections built into most IoT devices for the past twenty years since IoT first came into play. Even today, there is little to no password protection and no way to patch security flaws, devices are attached to weak Wi-Fi home networks, there is usually no built-in multifactor authentication, and the devices use out-of-date firmware and software.

This lack of security protections for billions of IoT devices, as well as the lack of standards for IoT reporting and handling, recently led Congress to pass the bipartisan IoT Cybersecurity Improvement Act of 2020. Signed into law by President Trump on December 4, 2020, the act directs the National Institute of Standards and Technology (“NIST”) to create minimum cyber security standards for IoT devices owned or controlled by the U.S. government. While it applies to government purchases, this new legislation is expected to galvanize manufacturers in the private sector to adopt these standards.

The act is a big step forward for IoT security; however, the lack of current cyber security standards in IoT devices has recently become more apparent as they have become targets for cyber-threat actors. This has been exemplified by two very recent major cyber attacks against IoT devices that have exposed massive security flaws.

In late October 2020, researchers discovered a new IoT virus, named “Katana,” that has been infecting hundreds of IoT devices daily. According to Avira Protection Lab, this advanced virus, containing still unknown “malware binaries” (i.e., malicious software designed to infect your devices), has the ability to make your device inoperable or deny you access to your own data by encrypting it. Katana does this by using remote code execution and command injection instructions to exploit IoT security vulnerabilities. Cyber-threat actors are now offering Katana on DarkNet websites and, according to Avira, on websites with heavy traffic, such as YouTube, “allowing inexperienced cyber criminals to create their own botnets” in an attempt to spread the virus.

A new and even more devastating cyber threat to IoT devices was also recently exposed. Forescout Technologies has just discovered that millions of consumer and enterprise IoT devices have as many as 33 coding flaws in their open source TCP/IP stacks that, if exploited, could result in “remote code execution, denial of service or a complete takeover of a device.” Forescout has named this new set of vulnerabilities “Amnesia:33.”

These recently discovered security flaws have led to a large-scale effort by major vendors and security organizations to inform the public of these new vulnerabilities and, where possible, to implement fixes. According to Norton, here are some basic security protections you can implement now to safeguard your IoT devices:

  • Give your router a unique name
  • Use a strong encryption method for your Wi-Fi
  • Set up a Guest Network for your friends to keep your personal Wi-Fi network private
  • Change default usernames and passwords
  • Use strong, unique passwords for Wi-Fi networks and device accounts
  • Check the settings for your devices
  • Disable features you don’t need
  • Keep your software up to date
  • Audit the IoT devices already in use on your home network
  • Implement multifactor authentication
  • Avoid public Wi-Fi networks
  • Watch out for power outages to prevent your devices from falling into an unsecure state

If you rely on IoT devices, be careful with the data you input into these devices and consider immediately implementing safeguards, including the aforementioned security protections, to enhance security on these devices. Consider contacting the device manufacturers to ensure that you have maximized all possible security features on your devices. IoT is showing no signs of slowing down, and the market will continue to grow exponentially over the coming years. Be vigilant, and be prepared. As the popularity of these devices grows, so will the number and severity of new IoT-based cyber attacks.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

About the Author: Jason G. Weiss

Jason G. Weiss leverages a past career as a cybersecurity and computer forensics Supervisory Special Agent with more than 22 years of decorated service at the FBI to guide clients through the complex and high-stakes issues associated with cybersecurity incident preparedness and response and compliance. View Jason's full bio on the Faegre Drinker website.

December 16, 2020
Written by: Jason G. Weiss
Category: Cybersecurity
Tags: cyberattack, IoT

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.
