In late 2016 most of the U.S. East Coast was knocked offline. Hundreds of thousands of devices flooded providers with requests, knocking their systems offline. According to computer experts, these attacks were among the largest ever seen, and IoT devices were to blame. Devices such as internet-connected security cameras, printers and routers participated in the attack, without the knowledge of the owners. The devices had all been infected with a virus called Mirai, which can take control of devices and use those devices to pass on the virus and engage in attacks.
The virus’ source code was released by the author in September of 2016 on a hacking forum, enabling its use in countless other attacks. Some high profile attacks included knocking a major German internet service provider offline, as well as knocking the entire country of Liberia offline.
Hackers have been turning their attention to IoT, since IoT devices worldwide now outnumber the world’s population. Additionally, many IoT devices lack security and are easily compromised. The network of infected devices commanded by the original virus author, for example, were mostly infiltrated just by attempting to login with common factory-set passwords. Later generations of the virus attacked known security vulnerabilities, profiting from the fact that many of those IoT devices are not patched (a patch is an update that improves functionality and addresses issues). Patching can be difficult due to the number of devices, and in many cases impossible due to technological limitations.
The security challenges presented by IoT are immense. As the number of devices continues to grow, hackers will look to take advantage. Lawmakers have taken note. California and Oregon have both started passing IoT security laws. California’s SB-327 mandates that device producers must implement stronger security features. Congress has also begun introducing bills.