IoT devices have security risks; user must take responsibility.
The Internet of Things (IoT) is a rapidly growing phenomenon, with an estimated 13.14 billion devices connected to the internet in 2022 and a projected 29.42 billion by 2030. IoT devices range from Fitbits to fridges, and while they generally make our lives easier, they can also be used to frustrate and confuse us. The first IoT device was created in the early 1980s by a computer science professor at Carnegie Mellon, who wrote a program to report the contents and temperature of a vending machine.
Unfortunately, as the number of IoT devices has increased, so has the number of cybercriminals using them as an attack vector. This is known as Shadow IoT, and in one study, 80% of IT leaders found IoT devices on their networks they didn’t know about. This is largely due to manufacturers taking a very loose approach to security, with slow patching and firmware updates, and devices often coming with standard administrator logins that don’t require you to ever change the password.
The Mirai malware is one example of how IoT devices can be used for malicious purposes. It scanned the internet for IoT devices that run on the ARC processor, and then tried a brute-force attack with a database of common factory default credentials. Once it was in, the device continued to function normally, but was subject to control from a remote targeting server.
In 2021, users of Western Digital’s My Book Live suddenly found their storage partitions wiped, which in some cases erased years of data. This was due to an exploit in the REST API that allowed unauthenticated remote command execution. Similarly, security cameras in several Tesla warehouses were accessed by bad actors, who found the administrator credentials publicly online.
Given the broad scope of these breaches, it is important for end users to take responsibility for the security of their IoT devices. While legislation is being implemented to protect against such data breaches, it may come too late to prevent the next botnet or API exploit. By taking proactive steps to secure their devices and regularly updating their firmware, users can help to protect themselves against the malicious use of IoT devices.