October Round Up of News That Proves Trust Is the Point
Last month, one of the world's largest distributed-denial-of-service (abbr. DDoS) attacks took place. Websites for Twitter, Spotify, Netflix, Reddit, and even The New York Times were overloaded by traffic from a botnet powered by every-day devices in the consumer market. Dyn, a company that provides Internet infrastructure for the major companies listed above, was attacked directly. This attack prevented most people in the US from accessing those websites, causing yet unknown costs for cleanup, damage control, and lost business.
Last month we discussed possible solutions for this threat in the form of device-level security, including raising consumer awareness to reset default passwords and putting the onus on manufacturers to create randomized and unique device passwords. A recent private study cited by Diginomica found that over 500,000 IoT devices across the globe carry the very same vulnerability the Mirai botnet virus exploited to attack Dyn—and all of them came from a single Chinese manufacturing company that distributes computer components used across a spectrum of industries.
Security experts in Canada and the US have pointed out that these are not new security breaches. In fact, the industry solved and archived these problems over a decade ago. James Lyne, Global Head of Security Research at Sophos, has said this:
“We're in the realm of the security issues we were dealing with for Windows 98 and Windows XP, like plain text credentials … They're easy to find, and they're easy to exploit. We're just repeating the late 90s and early 2000s all over again with those devices.”
That does not mean that all DDoS attacks happened due to one distributor – far from it. This means that the poor standards that enabled botnets to become this powerful in the first place are so entrenched in the manufacturing and distribution process that a similar exploit could come from any number of places. The exploitable devices are produced so close to the margin of cost that designers neglected security features altogether. Breaking this pattern will go a long way toward securing ourselves from botnet-powered attacks in the future.
IoT and Medical Devices – The Threat Becomes Personal
All of this news comes just as we have begun to look at implementing Internet-connected devices en masse in the medical sphere. The timing couldn't be better to start a frank discussion about security because we must re-evaluate our standards. Most connected devices in this industry sustain life directly. There is no room for error.
The FDA's new standards for adopting connected devices were widely welcomed when they were released this past January. However, the incidents prompting those guidelines have been troubling. In 2015, it was found that a specific pump could be accessed remotely, while another brand has been singled out for allowing similar vulnerabilities to occur in a line of pace makers. In the year before that, Homeland Security investigated no fewer than three medical device companies on the grounds of potential cybersecurity breaches. The FDA has made a sound decision in requiring hospitals to report future vulnerabilities they find, but the botnet incidents we have witnessed in October indicate that staff may never realize their devices have been targeted in the first place.
IoT security will count in the medical sector more than most. Like connected vehicles, preventing unwarranted access to a medical device could well be a matter of life and death. Experts have said that the likelihood of compromised security in a medical device seems unlikely, but that is not the point. We do not neglect seatbelts just because we think accidents won't happen to us, and people in construction sites or factories do not forego their hardhats just because the odds of an accident are too slim to perceive. We implement these safety measures because we need to protect ourselves if something does go wrong.
Security is never about playing the odds. Security is about placing trust in technology to help us in our times of need, and we can do that by enforcing higher standards in the devices we use in every industry.