If you heard about last week’s Mirai-based DDoS attack on Dyn, an internet management company that provides DNS services to many major web entities, you may concerned about what devices you own in the Internet of Things (IoT) that might be vulnerable to such an attack. Such devices include cameras (including security cameras or CCTV video cameras), DVRs, or any any smart home gadget connected to the internet or wifi in your home. This major attack was reported by USA Today, CNBC, Krebs on Security, Wired, The Verge, Security Week, and many other sources. The US Computer Emergency Readiness Team, a US Government department, posted a heightened alert (Alert TA16-288A) and recommends what you can do if your devices are infected and what to do to prevent such an attack.
reports, “After analyzing some of the command and control (C&C) servers, Level3 Communications reported last week that it had spotted nearly half a million infected IoT devices that had been part of multiple Mirai botnets.” Security WeekHeavy has an article explaining, Mirai IoT Botnet: 5 Fast Facts You Need to Know.
We reported a similar attack on the French-based hosting provider OVH with this post, so we can expect other such attacks because many IoT devices are not secure.
However, for Apple users, there is good news since any of their IoT devices which have HomeKit keeps these at the very minimum well protected from such attacks. As Apple Insider puts it, “By contrast, Apple’s HomeKit features built-in end-to-end encryption, protected wireless chip standards, remote access obfuscation and other security measures designed to thwart hacks. Needless to say, it would be relatively difficult to turn a HomeKit MFi device into a DDoS zombie.”
Cloudmark has an excellent article, Circumventing the Dyn DDoS Attack, and Preventing Others Like It, that gives you some steps to take if you are experiencing the results of a DDoS attack and made this insightful comment:
“Long term we have to make sure that IoT devices cannot be hacked by any script kiddie with a list of default passwords. Since industry seems incapable of doing this themselves, we need regulators in the EU and US to set minimum standards for Internet devices, including a unique password for admin access to each device (printed on the device so you can’t lose it), and the ability for the manufacturer to push out cryptographically signed firmware updates to patch vulnerabilities as the are discovered.”
Apple HomeKit has already done this for you! Just look for the following certification when purchasing any IoT device:
For more info read our post on Apple HomeKit.