The FBI is re-iterating the growing concern of cyber criminals targeting unsecure Internet of Things (IoT) devices. The number of IoT devices in use is expected to increase from 5 billion in 2016 to an estimated 20 to 50 billion by 2020, according to the FBI.
Once an IoT device is compromised, cyber criminals can facilitate attacks on other systems or networks, send spam e-mails, steal personal information, interfere with physical safety, and leverage compromised devices for participation in distributed denial of service (DDoS) attacks.
As more businesses and homeowners use Internet-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet provides new vulnerabilities for malicious cyber actors to exploit. In 2016 and 2017, cyber actors have demonstrated the ease in which IoT device vulnerabilities can be compromised and leveraged.
Deficient security capabilities, difficulties in patching vulnerabilities, and a lack of consumer security awareness provide cyber actors with opportunities to exploit these devices.
In September 2016, cyber actors using the Mirai botnet infected IoT devices—including routers, cameras, and digital video recorders—for the purpose of conducting DDoS attacks. The actors exploited openly accessible devices via the Internet with common default usernames and passwords.
In August 2017, a cyber actor released a list of over 33,000 usernames and passwords for IoT devices, including cameras, DVRs, and routers. While the majority of these devices were located in Asia and China, many of the devices were also found in the United States.
Unsecured or poorly secured devices provide opportunities for cyber criminals to intrude on private networks and gain access to other devices and information attached to these networks. Cyber criminals often take advantage of default usernames and passwords to merge IoT devices with others into a large botnet. These botnets can facilitate DDoS attacks against popular Web sites or network resources.
The following recommendations can be implemented to help secure IoT devices from cyberattacks.
- Change default usernames and passwords.
- Isolate IoT devices on their own protected networks.
- Configure network firewalls to block traffic from unauthorized IP addresses and disable port forwarding.
- Review and implement device manufacturer security recommendations, if available.
- Ensure all IoT devices are up to date and security patches are incorporated when available.
- Use current cyber security best practices when connecting IoT devices to wireless networks and when connecting remotely to an IoT device.
- Invest in a secure router with robust security and authentication.