The Internet of things (IoT) explosion has proven controversial due to the insufficient security measures in many of these internet-connected devices. And a new report from cyber security provider F-Secure finds that threats and the number of attacks continue to increase, but still rely on well-known security weaknesses, such as unpatched software and weak passwords.
The report, using data collected and analyzed by F-Secure Labs, highlights that threats targeting internet-connected devices are beginning to multiply more rapidly than in the past. The number of IoT threats observed by F-Secure Labs doubled in 2018, growing from 19 to 38 in the space of a single year. But many of these threats still use predictable, known techniques to compromise devices. Threats targeting weak/default credentials, unpatched vulnerabilities, or both, made up 87% of observed threats.
F-Secure Operator Consultant Tom Gaffney says that larger device vendors are paying more attention to security than in the past, but there’s a lot of devices from many different manufacturers that don’t offer consumers much in the way of security or privacy.
“The big guys like Google and Amazon have made strides in their smart home products with the help of massive backing and ethical hackers like our own Mark Barnes, who executed the first proof of concept for a hack of an Echo in 2017,” said Gaffney. “But for years manufacturers have been releasing products without giving much thought to security, so there’s a lot of ‘smart’ devices out there vulnerable to relatively simple attacks.”
IoT threats were rarely encountered before 2014, the report explains. But that changed around the time the source code for Gafgyt – a threat that targeted a variety of IoT devices, including BusyBox devices, closed-circuit television (CCTV) devices and many digital video recorder (DVR) devices – was released.
In October 2016, Mirai, which was developed from Gafgyt’s code, became the first IoT malware to achieve global infamy when its massive botnet was used to launch one of the largest distributed denial-of-service attacks in history.
The full report is available on F-Secure’s blog.