It is estimated that by the end of 2020, there will be more than 50,000,000,000 (yes, billion) connected devices that are part of the Internet of Things (IoT). This is a five million percent increase in IoT devices over the last 20 years. Most of these devices are designed and manufactured for use in homes and vehicles or are wearable devices. These devices include everything from home security cameras to baby monitors, thermostats, car ignition starters, smart watches and even medical devices, such as pacemakers. There are literally thousands of different types of IoT devices that integrate into almost every aspect of your home and work life.
With this rapid growth of the IoT market come increased cyber security risks. Recently, cyber-threat actors have exponentially increased their attacks on IoT devices in an attempt to attack, disrupt and steal personal data from millions of users who rely on these devices, but who are unaware that many of them have little to no substantive security. In short, there has been a shortage of viable cyber security protections built into most IoT devices for the past twenty years since IoT first came into play. Even today, there is little to no password protection and no way to patch security flaws, devices are attached to weak home Wi-Fi networks, there is usually no built-in multifactor authentication, and the devices use out-of-date firmware and software.
This lack of security protections for billions of IoT devices, as well as the lack of standards for IoT reporting and handling, recently led Congress to pass the bipartisan IoT Cybersecurity Improvement Act of 2020. Signed into law by President Trump on December 4, 2020, the act directs the National Institute of Standards and Technology (“NIST”) to create minimum cyber security standards for IoT devices owned or controlled by the U.S. government. While it applies to government purchases, this new legislation is expected to galvanize manufacturers in the private sector to adopt these standards.
The act is a big step forward for IoT security; however, the lack of current cyber security standards in IoT devices has recently become more apparent as they have become targets for cyber-threat actors. This has been exemplified by two very recent major cyber attacks against IoT devices that have exposed massive security flaws.
In late October 2020, researchers discovered a new IoT virus, named “Katana,” that has been infecting hundreds of IoT devices daily. According to Avira Protection Lab, this advanced virus, containing still unknown “malware binaries” (i.e., malicious software designed to infect your devices), has the ability to make your device inoperable or deny you access to your own data by encrypting it. Katana does this by using remote code execution and command injection instructions to exploit IoT security vulnerabilities. Cyber-threat actors are now offering Katana on DarkNet websites and, according to Avira, on websites with heavy traffic, such as YouTube, “allowing inexperienced cyber criminals to create their own botnets” in an attempt to spread the virus.
A new and even more devastating cyber threat to IoT devices was also recently exposed. Forescout Technologies has just discovered that millions of consumer and enterprise IoT devices have as many as 33 coding flaws in their open source TCP/IP stacks that, if exploited, could result in “remote code execution, denial of service or a complete takeover of a device.” Forescout has named this new set of vulnerabilities “Amnesia:33.”
These recently discovered security flaws have led to a large-scale effort by major vendors and security organizations to inform the public of these new vulnerabilities and, where possible, to implement fixes. According to Norton, here are some basic security protections you can implement now to safeguard your IoT devices:
- Give your router a unique name
- Use a strong encryption method for your Wi-Fi
- Set up a Guest Network for your friends to keep your personal Wi-Fi network private
- Change default usernames and passwords
- Use strong, unique passwords for Wi-Fi networks and device accounts
- Check the settings for your devices
- Disable features you don’t need
- Keep your software up to date
- Audit the IoT devices already in use on your home network
- Implement multifactor authentication
- Avoid public Wi-Fi networks
- Watch out for power outages to prevent your devices from falling into an unsecure state
If you rely on IoT devices, be careful with the data you input into these devices and consider immediately implementing safeguards, including the aforementioned security protections, to enhance security on these devices. Consider contacting the device manufacturers to ensure that you have maximized all possible security features on your devices. IoT is showing no signs of slowing down, and the market will continue to grow exponentially over the coming years. Be vigilant, and be prepared. As the popularity of these devices grows, so will the number and severity of new IoT-based cyber attacks.