Cyberattacks in the Age of the Internet of Things (IoT)

October is Cybersecurity Month, and my initial idea for this post was to talk about the shortage of cybersecurity professionals: there is strong demand for these professionals to protect IT and OT infrastructures, and different initiatives are under way to encourage young people towards careers in cybersecurity. Last Friday's cyberattack on Dyn changed my initial idea.

Last Friday, a massive DDoS cyberattack against the Internet Provider Dyn took place, affecting companies like Twitter, Spotify, Amazon, Netflix, the New York Times and many others. A DDoS attack occurs when millions of devices try to access a certain website simultaneously and the site cannot support the high volume of traffic and collapses. This attack came simultaneously from millions of IP addresses belonging to different devices that seem to have been previously infected by the Mirai malware. This malware, released some weeks ago, searches for devices protected by default usernames and passwords. Once infected, devices such as routers, printers, smart TVs and other types of connected devices become part of a silent army waiting to be activated, as in this case. The frightening aspect is that one of our home devices connected to the Internet could have been part of this attack without our knowledge. You may be wondering how this is possible.

We are in the Age of the Internet of Things (IoT), which means we have things that are connected to the Internet and that have communication capabilities to exchange data with other things and/or other systems. In some cases they can also store data, process it, make decisions and even take some actions. We can think of things like TVs, watches, printers and a long list of other things that previously didn't have communication capabilities and are now connected to the Internet with that "smart" component. According to Gartner forecasts, there will be 20.8 billion connected things by 2020. So many things connected to the Internet offer many possibilities for new business models, but they also face cybersecurity threats, like the one we've just talked about, that consumers and manufacturers must take into account.

What can we do as consumers to protect our devices? Well, we can take some cyber-hygiene actions, like keeping our devices updated and changing the username and password that come by default. But these simple actions, which we can easily carry out on a computer, are not so easy on IoT devices, as sometimes they don't have a user interface that allows us to take those actions. So some action must be taken on this point to create trust in the IoT, but how can we create this trust? Privacy and security assurance, trusted identification and authentication of users and devices, compliance with data protection rules, anonymization of metadata and a secure infrastructure are key aspects, but perhaps not enough to create that confidence. This is why European organizations are talking about the potential establishment of a trust label, but there is still a lot of discussion about this point.

Finally, cyberattacks like last Friday's must make us realize that we cannot wait and see what happens in the IoT in terms of cybersecurity. We must think about security in the IoT from the beginning, so safety & security by design must not be forgotten.
