Cyber hackers in September launched one of the largest-ever DDoS attacks, using a network of connected devices. Most of these devices were CCTV cameras, but that’s not really relevant: What is relevant is that they were 1) connected to the Internet and 2) not secured.
Given that research firm Gartner says an average of 5.5 million new devices are being connected every day this year, one might assume this vast network of connected devices — known as the Internet of Things (IoT) — would attract some bad actors seeking to exploit vulnerabilities.
As a recent article in The Atlantic makes clear, that assumption would be startlingly correct.
Wondering whether the vast number of IoT devices might provide at least the security of insignificance and anonymity, writer Andrew McGill decided to find out:
“I devised a test. Renting a small server from Amazon, I gussied it up to look like an unsecured web device (a toaster), opening a web port that hackers commonly use to remotely control computers. Instead of allowing real access, though, I set up a false front: Hackers would think they were logging into a server, but I’d really just record their keystrokes and IP addresses.”
As McGill notes, this is a common ruse known as a honeypot, an inviting trap for catching hackers.
“I switched on the server at 1:12 p.m. Wednesday, fully expecting to wait days—or weeks—to see a hack attempt.
“Wrong! The first one came at 1:53 p.m.”
In other words, McGill’s fake toaster barely had time to make any fake toast before a hacker (though more likely a hacker’s automated script) came sniffing around. By midnight, the besieged virtual toaster had been the target of more than 300 hacking attempts.
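The false front described above, as an added Python example that is not McGill's code or part of the article: it shows a login prompt, records the source IP and whatever is typed, and always refuses access. The port 2323, the `toaster login:` banner, the log file name and all function names are assumptions made for illustration.

```python
import json
import socket
import time
from collections import Counter

MAX_FIELD = 128  # cap reads so a client cannot bloat memory or the log

def read_line(conn):
    """Read one line, at most MAX_FIELD bytes; the input is stored, never run."""
    buf = b""
    while len(buf) < MAX_FIELD:
        ch = conn.recv(1)
        if not ch or ch == b"\n":
            break
        buf += ch
    return buf.strip().decode("latin-1")  # latin-1 can decode any byte value

def handle_session(conn, peer_ip, log):
    """Show a fake login prompt, record what is typed, always refuse access."""
    entry = {"ts": time.time(), "ip": peer_ip, "user": "", "password": ""}
    with conn:  # socket is closed when the block exits
        conn.settimeout(10)
        try:
            conn.sendall(b"toaster login: ")
            entry["user"] = read_line(conn)
            conn.sendall(b"Password: ")
            entry["password"] = read_line(conn)
            conn.sendall(b"Login incorrect\r\n")  # no path ever grants a shell
        except OSError:
            pass  # timeouts and resets are routine from scanners; keep partial data
    log.append(entry)
    return entry

def summarize(log, started_at):
    """Minutes from switch-on to first attempt, total attempts, attempts per IP."""
    if not log:
        return None
    return {"minutes_to_first": (min(e["ts"] for e in log) - started_at) / 60,
            "attempts": len(log), "by_ip": Counter(e["ip"] for e in log)}

def serve(host="0.0.0.0", port=2323, logfile="honeypot.jsonl"):
    """Handle one connection at a time; json.dumps escapes control characters."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, (ip, _) = srv.accept()
            with open(logfile, "a") as fh:
                fh.write(json.dumps(handle_session(conn, ip, [])) + "\n")

if __name__ == "__main__":
    serve()
```

Run it only on an isolated, disposable host: the listener is meant to be reachable from the Internet, so nothing else of value should share the machine or its credentials.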
The lessons for enterprises are that:
- No IoT device is too insignificant or “invisible” to be hacked
- Hackers now use perpetual scans for vulnerabilities; they don’t rest, and neither should you
- If your device is unsecured, it will be attacked — and sooner than you think
- Hacked toast is the worst
Is your enterprise securing its IoT devices?