2016 was an exciting year; a year in which hazards related to the Intent of Things (IoT) became trendy small talk in many living rooms around the world. For us, the members of the InfoSec community, it was the year when the security risks of IoT devices evolved from being theoretical to becoming a practical problem to us all. It was the year in which we all realized that the lack of security surrounding IoT is not just a liability on the consumer owning the device, it is a problem for the entire Internet.
We came to the understanding that IoT devices (that will be referred from this point forward as "things") are a problem that can result in a severe headache. This headache can get much worse when one of your "things" is pwned by attackers (doing so by accessing the "thing" with publicly available default user name and password), once "things" are targeting your web site with Distributed Denial of Service (DDoS) attacks, or once "things" abuse your web site authentication page by using stolen credentials.
The Attacking "Things"
This past year, we witnessed how the Internet stuttered when a DNS provider was attacked by "things". We even saw how "things" can be abused by a 12-year-old vulnerability and manipulated to execute massive distributed credential abuse attacks.
2016 left us a bit confused about dealing with security issues facing the Internet of Things. For example, how do you easily fix consumer's "things" that were never meant to be fixed? Whose responsibility is it to fix these "things" connecting to the Internet? Is it the manufactures; the resellers; the consumers? Or is it a regulatory issue to be addressed by governments?
Fighting the "Things"
When it came to fighting against the "things" of the Internet a lot was changed. Until now, the defensive approach was to detect the attack and fight the malicious attacking resource. In the era of attacking "things", using this approach can be tedious and even useless.
Access to millions of vulnerable devices that can allow threat actors to execute highly distributed volumetric attacks, while at the same time slipping under the radar, forces us to re-think our approaches, re-calibrate our tools, and re-adjust our methods and procedures.
The Worst is yet to come
Unfortunately, it will get worse before getting better. In the upcoming year, we will see not only growth in the number of attack campaigns, but also new levels of scale and sophistication. We may also see known attack techniques wearing new hats to attempt to evade security controls detection; doing so by exploiting "things" all around the world.
But we shouldn't quit without a fight. We should think big (data) and learn (using machines); collaborate (like never before); and be pro-active (while taking some risks). We need to make sure we have the upper hand!
And finally, I urge the "things" manufacturers to ease our pain and make sure they build "things" that are secured and can be easily patched as necessary. And if not, please make sure to add headache medicine to each device leaving your factory, it may make a difference down the road.