Recent DDoS attacks like the one on Dyn, an internet infrastructure company, have shown the vulnerability of unsecured Internet-of-Things devices. Webcams and similar consumer devices infected with the Mirai malware were used to flood Dyn with traffic, cutting off access to many large sites, including Twitter and Reddit.
Hangzhou Xiongmai, a Chinese manufacturer whose webcam components are believed to have made up a large share of the botnet, recalled many of the devices and issued a security patch for newer models, but factory default passwords that owners never changed gave the malware an easy way in: it simply logged in over telnet with a short list of known defaults, with no exploit required.
A decade ago there were few opportunities for hackers to scan the internet for devices with easy-to-guess passwords. Before this age of connected technology, an attack at this scale would have needed a fleet of personal computers under the attacker's control. Now it is as easy as searching an online device index to assemble a fleet of unsuspecting consumers' computers, accessories and anything else connected to the internet.
Connected cars are essentially no different from other hackable IoT devices, except that they expose many more channels to exploit, including the OBD-II port, which gives access to engine diagnostics and has been required on every street-legal car sold in the United States since 1996. According to Arxan Technologies, there are specific steps security professionals can take to protect automotive IoT apps, such as preventing cryptographic key exposure and rejecting copied versions of dealer software.
“There are a lot of IoT attacks already taking place which have been carried out through the IoT gateways and networks, but nothing has been publicized because companies don’t know,” says Arxan’s Mandeep Khera.
Across all industries, hard-coded credentials are still a major problem because they make it impossible for consumers and businesses to change the default passwords on key systems, such as a corporation's internal communications software, exposing multiple devices and parties to attack.
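The hard-coded credential problem and the default-password entry point described above, as an added example that is not code from the article, from Arxan, or from any vendor's firmware: a Python model of the vulnerable login pattern beside a hardened one, with a dictionary attack of the kind Mirai ran against telnet logins tried against both. The credential list, the lockout threshold and the minimum password length are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample in the style of the default-credential lists IoT worms
# carry; the pairs are illustrative, not a copy of any real malware's list.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("root", "root"),
    ("root", "12345"),
    ("admin", "password"),
    ("user", "user"),
]
DEFAULT_SET = set(DEFAULT_CREDENTIALS)

PBKDF2_ITERATIONS = 100_000
MAX_FAILURES = 5        # hypothetical lockout threshold
MIN_PASSWORD_LEN = 10   # hypothetical password policy


class HardcodedLoginDevice:
    """Vulnerable pattern: the credential is a compile-time constant shared by
    every unit, and the firmware offers no way for the owner to change it."""

    FIRMWARE_USER = "admin"
    FIRMWARE_PASS = "admin"

    def login(self, user, password):
        return user == self.FIRMWARE_USER and password == self.FIRMWARE_PASS

    def change_password(self, user, old, new):
        # Nothing to do: the password lives in the firmware image.
        return False


class ProvisionedLoginDevice:
    """Hardened pattern: a random per-unit password is generated at
    provisioning (in practice printed on the unit's label), stored only as a
    salted PBKDF2 hash, must be replaced on first login, may not be replaced
    with a known default, and repeated failures lock the login."""

    def __init__(self):
        self._user = "admin"
        self._salt = os.urandom(16)
        self.initial_password = secrets.token_urlsafe(12)
        self._hash = self._derive(self.initial_password, self._salt)
        self.must_change = True
        self.failed_attempts = 0
        self.locked = False

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def login(self, user, password):
        if self.locked:
            return False
        # Derive before checking the username so timing does not reveal valid users.
        candidate = self._derive(password, self._salt)
        if user != self._user or not hmac.compare_digest(candidate, self._hash):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILURES:
                self.locked = True
            return False
        self.failed_attempts = 0
        return True

    def change_password(self, user, old, new):
        if not self.login(user, old):
            return False
        # Refuse anything an attacker's default-credential dictionary would guess.
        if (user, new) in DEFAULT_SET or len(new) < MIN_PASSWORD_LEN:
            return False
        self._salt = os.urandom(16)
        self._hash = self._derive(new, self._salt)
        self.must_change = False
        return True


def dictionary_attack(device, credentials):
    """Online guessing of the kind a worm performs over telnet: try each
    default pair in turn and return the first that logs in, or None."""
    for user, password in credentials:
        if device.login(user, password):
            return (user, password)
    return None


if __name__ == "__main__":
    print("hard-coded device falls to:", dictionary_attack(HardcodedLoginDevice(), DEFAULT_CREDENTIALS))
    hardened = ProvisionedLoginDevice()
    print("provisioned device falls to:", dictionary_attack(hardened, DEFAULT_CREDENTIALS))
    print("provisioned device locked after the attempts:", hardened.locked)
```

The attack succeeds against the hard-coded device on its first guess and can never be mitigated by the owner, because there is nothing to change. Against the provisioned device the same dictionary fails, the unit locks after the configured number of failures, and the owner is forced off the label password onto one the device refuses to let them set to a known default.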