Security jitters are one of the main factors slowing down the adoption of smart factory technology — and last week’s DDoS attack, which took down Twitter and Netflix for a while, shows that these concerns aren’t paranoid.
The hackers who orchestrated last week’s attack hacked into millions of devices, from PlayStations to Nest thermostats, which still had their default passwords.
Default passwords? For example, one Chinese manufacturer of security cameras ships its products with these login credentials:
- username: root
- password: xc3511
Anyone with that information could easily get into every single one of those connected gadgets.
Most of these devices are connected to the internet at all times, but not doing much. This makes them readily available for recruitment by hackers who basically just look around for devices using the default password. The vast army of IoT devices was used to swamp the servers that host popular websites with fake traffic, and the damage was done.
The owners of these cameras and routers probably still don’t know what their innocent devices got up to that day.
There’s no evidence that this was an example of cyberterrorism or Russian hackers. In fact, most experts feel that the owners of the devices are as much at fault as the hackers. As in so many cyber security issues, the human beings who fail to take basic security measures are at the center of the problem.
Virginia Senator Mark Warner, a member of the Senate Cybersecurity Caucus, disagrees. He believes that the IoT devices themselves are at fault. When you’ve got everything from toys to toasters going online and hanging out, you’re going to have security breaches, he feels. And he thinks the manufacturers are at fault.
“Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support,” Warner wrote in a letter to several government agencies, including the Federal Trade Commission and Homeland Security. “And buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics.”
The government might be getting involved because Congress’s website was down for several days during a similar attack this summer. That makes it feel personal.
TechCrunch reports that 88% of IoT owners believe that their devices are vulnerable to attack. Apparently, they’re not worried enough to take commonsense measures with their passwords. Or, as Senator Warner suggests, they are unable to make informed decisions about their devices, both before and after buying them.
The Industrial Internet of Things shouldn’t be worrying about casual security lapses like these, because there shouldn’t be casual security lapses. As we reported recently, though, most companies don’t have security plans in place, any more than most households do.
PubKCyber points out that nine different congressional committees held 20 different hearings on the subject of cybersecurity this year without actually passing a single bill, agreeing with Warner that industry needs to help educate Congress on these issues so they can make better decisions.