June 22, 2021

Volume XI, Number 173

Buyer Beware: The Internet of Things Comes Under New Cyber Attack from Multiple Fronts

It is estimated that by the end of 2020, there will be more than 50,000,000,000 (yes, billion) connected devices that are part of the Internet of Things (IoT). This is a five million percent increase in IoT devices over the last 20 years. Most of these devices are designed and manufactured for use in homes and vehicles or are wearable devices. These devices include everything from home security cameras to baby monitors, thermostats, car ignition starters, smart watches and even medical devices, such as pacemakers. There are literally thousands of different types of IoT devices that integrate into almost every aspect of your home and work life.

With this rapid growth of the IoT market come increased cyber security risks. Recently, cyber-threat actors have exponentially increased their attack matrixes on IoT devices in an attempt to attack, disrupt and steal personal data from millions of users who rely on these devices, but who are unaware that many of them have little to no substantive security. In short, there has been a shortage of viable cyber security protections built into most IoT devices for the past twenty years since IoT first came into play. Even today, there is little to no password protection or way to patch security flaws, devices are attached to weak Wi-Fi home networks, there is usually no built-in multifactor authentication, and the devices use out-of-date firmware and software.

This lack of security protections for billions of IoT devices, as well as the lack of standards for IoT reporting and handling, recently led Congress to pass the bipartisan IoT Cybersecurity Improvement Act of 2020. Signed into law by President Trump on December 4, 2020, the act directs the National Institute of Standards and Technology (“NIST”) to create minimum cyber security standards for IoT devices owned or controlled by the U.S. government. While it applies to government purchases, this new legislation is expected to galvanize manufacturers in the private sector to adopt these standards.

The act is a big step forward for IoT security; however, the lack of current cyber security standards in IoT devices has recently become more apparent as they have become targets for cyber-threat actors. This has been exemplified by two very recent major cyber attacks against IoT devices that have exposed massive security flaws.

In late October 2020, researchers discovered a new IoT virus, named “Katana,” that has been infecting hundreds of IoT devices daily. According to Avira Protection Lab, this advanced virus, containing still unknown “malware binaries” (i.e., malicious software designed to infect your devices), has the ability to make your device inoperable or deny you access to your own data by encrypting it. Katana does this by using remote code execution and command injection instructions to exploit IoT security vulnerabilities. Cyber-threat actors are now offering Katana on DarkNet websites and, according to Avira, on websites with heavy traffic, such as YouTube, “allowing inexperienced cyber criminals to create their own botnets” in an attempt to spread the virus.

A new and even more devastating cyber threat to IoT devices was also recently exposed. Forescout Technologies has just discovered that millions of consumer and enterprise IoT devices have as many as 33 coding flaws in their open source TCP/IP stacks that, if exposed, could result in “remote code execution, denial of service or a complete takeover of a device.” Forescout has named this new set of vulnerabilities “Amnesia:33.”

These recently discovered security flaws have led to a large-scale effort by major vendors and security organizations to inform the public of these new vulnerabilities and, where possible, to implement fixes. According to Norton, here are some basic security protections you can implement now to safeguard your IoT devices:

  • Give your router a unique name
  • Use a strong encryption method for your Wi-Fi
  • Set up a Guest Network for your friends to keep your personal Wi-Fi network private
  • Change default usernames and passwords
  • Use strong, unique passwords for Wi-Fi networks and device accounts
  • Check the settings for your devices
  • Disable features you don’t need
  • Keep your software up to date
  • Audit the IoT devices already in use on your home network
  • Implement multifactor authentication
  • Avoid public Wi-Fi networks
  • Watch out for power outages to prevent your devices from falling into an unsecure state

If you rely on IoT devices, be careful with the data you input into these devices and consider immediately implementing safeguards, including the aforementioned security protections, to enhance security on these devices. Consider contacting the device manufacturers to ensure that you have maximized all possible security features on your devices. IoT is showing no signs of slowing down, and the market will continue to grow exponentially over the coming years. Be vigilant, and be prepared. As the popularity of these devices grows, so will the number and severity of new IoT-based cyber attacks.

© 2021 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

National Law Review, Volume X, Number 351

About this Author

Counsel

Jason G. Weiss is an attorney and award-winning law enforcement and cybersecurity professional who served with distinction for over two decades at the Federal Bureau of Investigation. He is Counsel in Drinker, Biddle and Reath’s Information Governance and E-Discovery group, where his practice focuses on cybersecurity incident preparedness and response, compliance with CCPA and other information governance laws and requirements, as well as data analytics, investigations, and e-discovery.

Prior to joining Drinker Biddle, he was most recently a Supervisory Special...

310-203-4062
Amy Grewal Dunn Litigation Attorney Faegre Drinker Biddle & Reath Indianapolis, IN
Associate

Amy Grewal Dunn resolves disputes and guides clients through the litigation process in state and federal courts and arbitration forums. She represents clients in commercial litigation, product liability litigation, insurance litigation and consumer litigation. She also advises clients on data privacy and cybersecurity issues and assists clients in responding to data breach incidents.

Amy also collaborates with companies in the health care and life sciences industry to navigate legal and compliance challenges and develop promotional and educational materials for prescription drug...

317-237-1057