In light of the booming market of the Internet of Things (“IoT”) and of the General Data Protection Regulation (“GDPR”), the Information Commissioner’s Office (“ICO”) has published an article focusing on the key factors manufacturers and retailers of IoT devices should be thinking about. This follows the ICO’s draft guidance on data controller and processor liability issued in September last year, which can be found here.
The Mirai malware gained its infamy in October 2016 following its record-breaking attack on systems operated by domain name system provider Dyn, using unsecured Internet of Things (“IoT”) enabled “smart” devices (such as CCTV recorders, webcams and routers). It resulted in the widely reported outage of Twitter, Netflix, Spotify and Airbnb, amongst others.
Mirai is highly effective because it targets devices that often run unattended, have no anti-virus installed, and give no external visual indication that they have been compromised. It works by systematically trying a hard-coded list of 62 common factory-default username/password combinations against the Telnet service (TCP ports 23 and 2323) of internet-connected devices in an attempt to gain administrative access to the device. Whilst simple, the sheer number of vulnerable devices on the internet means that “botmasters” (the creators and controllers of collections of compromised computers and IoT devices, each a bot and together a botnet) have been able to create and sustain botnets containing up to 100,000 devices. Botmasters are then able to sell the use of their botnets online to the highest bidder for use in, for example, Distributed Denial of Service (“DDoS”) attacks against specific targets (e.g. Dyn).
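The credential-guessing step Mirai relied on is simple enough to turn into a check a manufacturer or retailer can run against its own products before shipping. The Python below is an added example written for this page, not the blog's or Mirai's own code: it tries a handful of factory-default pairs of the kind found in Mirai's published credential list against a device's Telnet login and reports which ones drop to a shell. The fake device it talks to (start_fake_device), its BusyBox-style prompt and the six-entry credential subset are constructed for the demonstration; pointing audit_device at a real device on port 23 audits that device (only do so on hardware you own or are authorised to test).

```python
"""Added example: a Mirai-style default-credential audit of a Telnet login."""
import socket
import threading
from typing import List, Optional, Tuple

# Illustrative subset of factory-default pairs of the kind Mirai's scanner tried.
DEFAULT_CREDENTIALS = [
    ("root", "xc3511"),
    ("root", "vizxv"),
    ("root", "admin"),
    ("admin", "admin"),
    ("root", "888888"),
    ("support", "support"),
]

IAC = 0xFF  # Telnet "Interpret As Command" byte that opens option negotiation


def _strip_iac(data: bytes) -> bytes:
    """Drop Telnet option-negotiation sequences so prompts can be matched as text.
    (Sequences split across two recv() chunks are not reassembled; good enough for an audit.)"""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            # WILL/WONT/DO/DONT (251-254) carry an option byte; other commands are two bytes
            i += 3 if 251 <= data[i + 1] <= 254 else 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def _recv_until(sock: socket.socket, markers: List[bytes]) -> bytes:
    """Read until one of the (lower-case) markers appears, the peer closes, or the socket times out."""
    buf = b""
    while not any(m in buf.lower() for m in markers):
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += _strip_iac(chunk)
    return buf


def try_login(host: str, port: int, user: str, password: str, timeout: float = 3.0) -> bool:
    """True if the Telnet login on host:port accepts user/password and lands on a shell prompt."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if b"login:" not in _recv_until(s, [b"login:"]).lower():
                return False
            s.sendall(user.encode() + b"\r\n")
            if b"assword:" not in _recv_until(s, [b"assword:"]).lower():
                return False
            s.sendall(password.encode() + b"\r\n")
            reply = _recv_until(s, [b"# ", b"$ ", b"incorrect", b"login:"]).lower()
            return (b"# " in reply or b"$ " in reply) and b"incorrect" not in reply
    except OSError:
        return False


def audit_device(host: str, port: int, credentials=DEFAULT_CREDENTIALS) -> List[Tuple[str, str]]:
    """Try each default pair in turn and return those the device accepted."""
    return [(u, p) for u, p in credentials if try_login(host, port, u, p)]


# --- constructed fake device, so the audit can be exercised offline ---------------------

def _readline(conn: socket.socket) -> str:
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf.strip().decode(errors="replace")


def _serve_one(conn: socket.socket, accepted: Optional[Tuple[str, str]]) -> None:
    """Minimal login dialogue of a hypothetical IoT device (no real Telnet negotiation)."""
    try:
        with conn:
            conn.sendall(b"login: ")
            user = _readline(conn)
            conn.sendall(b"Password: ")
            password = _readline(conn)
            if accepted is not None and (user, password) == accepted:
                conn.sendall(b"\r\nBusyBox v1.20.2 built-in shell\r\n# ")
            else:
                conn.sendall(b"\r\nLogin incorrect\r\nlogin: ")
    except OSError:
        pass


def start_fake_device(accepted: Optional[Tuple[str, str]]) -> int:
    """Start a fake device on 127.0.0.1 accepting only `accepted` (None = no default login); return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(conn, accepted), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    vulnerable = start_fake_device(("root", "xc3511"))
    print("accepted default credentials:", audit_device("127.0.0.1", vulnerable))
```

The check stops at the first shell prompt it sees; a device that accepts any pair on the list is exactly the kind of device Mirai recruited, and the fix is to ship with a unique per-device password or with Telnet disabled rather than to lengthen the list.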
The vast room for improvement in protecting Internet-of-Things (“IoT”) devices has once again been highlighted by the proof-of-concept attack on Samsung smart TVs carried out by Swiss security consulting company Oneconsult in March 2017. Using an inexpensive terrestrial digital video broadcasting (“DVB-T”) transmitter, security consultant Rafael Scheel embedded malicious data in the broadcast signal received by nearby smart TVs: the signal's interactive-TV (HbbTV) component instructed the sets to open, in the background, Scheel's own webpage, which hosted code exploiting known vulnerabilities in the TVs' built-in browser to gain root access to the devices.