The recent cyber-attack in the United States via the Internet of Things has re-focused attention on the potential threat for New Zealand.
The source of the angst was default usernames and passwords, and a piece of malware called Mirai that scans the internet for devices still using factory-default or static usernames and passwords.
Mirai took control of those devices, turning them into bots that act as a united force to overload networks and servers with multiple requests, resulting in slow speeds or even shutdowns.
The impact was significant, with the distributed denial of service (DDoS) attack against Dyn, a managed DNS provider, crippling sites including Twitter, Netflix, Spotify, Reddit and many others.
According to local cloud IT services company Dynamo6, the event has highlighted the potential for the same to happen in New Zealand.
“While there are no NZ statistics on how many people don’t change default passwords and usernames, the figures are likely to be similar to overseas, which opens us up to attack. If this happens, there’s potential for damage to our reputation as an easy and open place for business,” says Igor Matich, managing director, Dynamo6.
“But the problem doesn’t only lie with consumers but also with manufacturers and vendors of IoT devices. Better practices need to be adopted to make sure devices are cloud managed and use cloud identities for configuration,” he says.
An example is the Google OnHub router, which uses a Google account to manage the device along with a dedicated mobile app. In this way a trusted account is used and is also linked to other key identities, rather than some other user account being set up and stored on the device itself.
“Anyone can produce an IoT device and this is worrying when there aren’t proper standards and practices,” Matich says.
“To the unsuspecting consumer these IoT devices may seem like a great idea for a smart home or office but without the necessary infrastructure they can leave the door open to major security issues, similar to what happened across the US,” he explains.
Matich says IoT devices should never remain on the Internet without ongoing security updates and management. This should happen as a matter of course; however, with the eagerness of companies to capitalise on the IoT trend, the importance of this can be forgotten.
“The best piece of advice is to only buy from a trusted vendor and always change the default username and password, and update them regularly. There are many corners being cut in the rush but this risks a major security breach that would harm New Zealand’s international reputation,” he explains.