For an average citizen, an Internet of Things (IoT) device is just that, a device. For hackers, the device is a weapon and a means to unscrupulous ends. In the recent past, there have been many Distributed Denial-of-Service (DDoS) attacks made possible by devices with poor security.
Hackers can infiltrate even the most innocuous IoT devices, such as bulbs and other smart household items. They add the devices to a large botnet, which is then used to topple web services. This is why the US Government is now involved in IoT security.
These attacks led the US Senate to introduce the Internet of Things Cybersecurity Improvement Act of 2017. How the US Government is involved with security on the internet is explained below.
Rise in botnet assaults
Most people have never heard of botnets. They are dangerously real and have the ability to shut down major websites. In 2017, hackers managed to topple the internet; the botnet threat is not a prediction but is already here with us. When many people rush to use a web service at once, for example when trying to buy tickets, the site crashes. A botnet produces the same overload on purpose. Hackers take over IoT devices by introducing malware. The malware lets the hackers take control of the gadgets, also called zombies, and use them to overload the targeted site.
A website taken down this way loses thousands and even millions of dollars for every minute or hour it is down. These hackers have disabled parts of the internet in the past. The Mirai botnet in 2016 infiltrated a company known as Dyn. This company operates many US DNS (Domain Name System) services, and millions of US citizens could not access the web. For such a huge assault, the Mirai botnet had to use very many IoT devices with poor security; in this case, webcams were the weapon of choice. Smart gadgets with low security make up the bulk of the botnets built by hackers. Security best practices need serious consideration by both designers and the government.
US law on botnets
The US Senate brought bipartisan laws to tackle this issue. The laws demand that designers adhere to set security standards in order to offer their devices for sale to the government. This aggravates the problem of meeting the FCC’s conducted and radiated emissions levels. The Act highlights the weaknesses in IoT designs and sets out key points for designers to consider. The basic standards of the proposed Act are:
- Devices must have the ability to accept and fix software patches.
- Designers must steer away from building vulnerable components into their products, and must declare to the relevant federal authority any weakness found in the design process.
- Devices should not have hard-coded passwords.
The Act is not very strict and provides allowances for any gadget that might not meet these requirements. The risk of malware-infected devices being drawn into botnets is a reality, and designers must be careful to prevent it.