09-21-2018, 07:58 AM   #14
fjtorres
Most current IOT gadgets are from outfits that are new to internet connectivity and security and blindly use old open-source/freeware code without vetting or patching to fix known vulnerabilities. These vulnerabilities make the gadgets ripe for infiltration by botnet malware operators. Like these:

https://www.wired.com/story/reaper-i...lion-networks/

Quote:

...researchers at the Chinese security firm Qihoo 360 and the Israeli firm Check Point detailed the new IoT botnet, which builds on portions of Mirai’s code, but with a key difference: Instead of merely guessing the passwords of the devices it infects, it uses known security flaws in the code of those insecure machines, hacking in with an array of compromise tools and then spreading itself further. And while Reaper hasn’t been used for the kind of distributed denial of service attacks that Mirai and its successors have launched, that improved arsenal of features could potentially allow it to become even larger—and more dangerous—than Mirai ever was.

“The main differentiator here is that while Mirai was only exploiting devices with default credentials, this new botnet is exploiting numerous vulnerabilities in different IoT devices. The potential here is even bigger than what Mirai had,” says Maya Horowitz, the manager of Check Point’s research team. “With this version it’s much easier to recruit into this army of devices.”

The Reaper malware has pulled together a grab-bag of IoT hacking techniques that include nine attacks affecting routers from D-Link, Netgear, and Linksys, as well as internet-connected surveillance cameras, including those sold by companies like Vacron, GoAhead, and AVTech. While many of those devices have patches available, most consumers aren’t in the habit of patching their home network router, not to mention their surveillance camera systems.

We're in the early stages of an IOT gold rush and things will only get worse before they get better. Not all IOT gadgets are quick and dirty rush jobs but all software has bugs (even firewalls) and even the highest quality software will be penetrated. The question is how the vendor will respond and how the consumers will manage these devices. Managing *will* be required. At least in the near term and possibly into the longer term.

The "safest" approach is to run multiple networks. Keep the IOT network separate from the "mission critical" side so that when the IOT network is penetrated it won't expose your data. Remember that not all network devices *need* internet access. Home servers with your ebooks, ripped CDs and DVDs (if any) can be connected to a strictly local network that doesn't go outside the house. Ditto for security networks; consider the actual need for remote monitoring. Also consider using a different device for home banking, shopping, etc, from the daily net surfing device.

The odds of getting burned are still low but it is best to give security some thought from the beginning. There is real value in connected gadgets and resistance is futile. Eventually you will own one or more, if you don't already.
The issues are real.
It's not paranoia if they're really out to get you.

Be careful, folks.
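
The multiple-network layout suggested in the post above, sketched as an nftables ruleset for a Linux-based home router. This is an added example, not part of the original post; the interface names, the three-zone split and the choice of router services are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example: interface names and zone layout are assumptions.
flush ruleset

define WAN   = "eth0"   # uplink to the ISP
define MAIN  = "eth1"   # trusted devices: banking, shopping, personal data
define IOT   = "eth2"   # cameras, smart plugs and other gadgets
define LOCAL = "eth3"   # home server (ebooks, ripped media), house-only

table inet homefw {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept
        # Inside zones get DNS and DHCP from the router, nothing else.
        iifname { $MAIN, $IOT, $LOCAL } udp dport { 53, 67 } accept
        iifname { $MAIN, $IOT, $LOCAL } tcp dport 53 accept
        # Router administration over SSH from the trusted network only.
        iifname $MAIN tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies to connections that an allowed zone opened.
        ct state established,related accept
        ct state invalid drop
        # Trusted devices reach the internet and the home server.
        iifname $MAIN oifname { $WAN, $LOCAL } accept
        # IoT gadgets reach the internet only; with policy drop they
        # cannot open connections to MAIN or LOCAL.
        iifname $IOT oifname $WAN accept
        # LOCAL has no rule of its own: the home server answers the
        # trusted network but never talks to the internet.
    }
}

table ip homenat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Because the forward chain defaults to drop, a compromised gadget on the IoT interface can still reach the internet but has no route to the trusted devices or the home server.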