Securing the Internet of Things – Why it’s important and how to implement

Standard

Olan F. Hodges

Brigham Young University – Idaho

Author Note

Olan F. Hodges, Department of Computer Information Technology, Brigham Young University – Idaho

 

 

Abstract

With the reduction in price and increase of processing power for micro-controllers and silicon based products, industries across the globe are beginning to innovate around these devices to improve their service and products.  With this rapid expansion of portable, cost-effective computing has come a myriad of problems regarding security and privacy.  The pressure to keep costs down, the short amount of time in development, along with the lack of any best practices around their development and lifecycle management has led to the point where these devices are being manipulated, ransomed, and exploited for other malicious purposes.  These purposes can range from ransom of the effected device, acting as a proxy for malicious payloads for the bad actors, to amassing these devices into a botnet army to attack any internet connected computer system in the world.  With proper research, accreditation, training, funding, and legislation, this problem can be solved.  This paper explores the benefits and risks of the Internet of Things (IoT) and how organizations, IT professionals, and governments alike can implement their use in a safe and successful manner.

Keywords:  Internet of Things (IoT), best practice, dark net, cloud computing, botnet, malware, ransomware, Trojan, constant glucose monitor (CGM), distributed denial of service (DDoS), domain name system (DNS), Health Insurance Portability and Accountability (HIPAA), Payment Card Industry (PCI), Command & Control (C2), Enterprise Resource Planning (ERP)

Securing the Internet of Things – Why It’s Important and How to Implement

Computer infrastructure has given mankind the capability to achieve goals beyond our wildest imaginations.  Computing has brought us the capability to successfully navigate space, manufacture items with tolerances down to nanometers, and bring information and education within reach of billions.  Computers work better in a group, otherwise known as a network.  Within this network, computers can share data and resources amongst themselves to provide better capabilities for us to harness.  The Internet of Things (IoT) is the next evolution of this giant network we call the Internet.  Maciej Kranz stated in a recent blog post on Cisco.com that “the energy and momentum that are building today around IoT are reminiscent of the early days of the Internet, when we were just beginning to realize its potential impact on business and society. We felt like we were changing the world.” (Kranz, 2016)

IoT Benefits

What is the big deal of having all of these devices connected to each other?  What benefits can we achieve by expending billions of dollars in development and infrastructure, just so my toothbrush can talk with the internet?  We are just now beginning to learn the possibilities of this connected ecosystem of electronics and what they can do for us.  The cost of components and their size has decreased overtime where even home hobby hackers are buying IoT components and developing new IoT innovations in their own garage.  This opens up a new frontier of electronic devices and the benefits that they can bring to our lives.  NCTA – The Internet & Television Association has brought together an infographic showing the past and projected growth of the size of the internet which should give us a small insight into how much innovation we should expect to come from this industry. [Figure 2]

Data Acquisition

Data acquisition was a main driver at the beginning of the IoT evolution.  Medical systems are being developed and tested that allow users to monitor their conditions and give them specialized alerts based on the status of their vital signs.  A specific instance of this is diabetes monitoring.  The company Insulin Angel has developed a simple sensor that can be attached to insulin medication to track its environmental conditions.  It is necessary to store insulin at a specific temperature to keep the shelf life of the dosage.  With this sensor it can track the ambient temperature of the environment in which the insulin is stored, allowing alerts to be sent to the patient, caregiver, parent, or medication provider allowing them to save millions of dollars of insulin from being thrown away due to poor storage conditions. (Scorxton, 2015)

Along the same lines, the company Dexcom has created a constant glucose monitor (CGM) that can be implanted under the patient’s skin allowing it to constantly check the patient’s glucose levels.  It reports this back to a mobile phone or device that the user has on their person.  It then reports back to a cloud provider so that doctors, caregivers, patients, and parents alike can view the data, receive alerts when their glucose is too high or low, and react accordingly.  This is an immense step forward for diabetics and the normal method of pricking the finger for blood on a scheduled basis.  The patient’s glucose levels could swing wildly between measurements causing them to struggle with managing their disease.  With this constant monitoring, the patient can keep their glucose level in check on a consistent basis, thus extending and improving their quality of life.

Process Improvement

The ability to improve the manufacturing process is another advantage of the IoT that corporations are trying to capitalize on.  Manufacturing automation has increased over the past thirty years. With the additional insight and tracking provided by these microcontrollers, corporations can now track each unit of production at every step of the process.  They can even track their supply chain from initiation to sale, how long it was at each step in the manufacturing process, and control the inventory of these products to reduce waste of manufacturing time and materials.  “Smart manufacturing is about creating an environment where all available information—from within the plant floor and from along the supply chain—is captured in real-time, made visible and turned into actionable insights. Smart manufacturing comprises all aspects of business, blurring the boundaries among plant operations, supply chain, product design and demand management. Enabling virtual tracking of capital assets, processes, resources and products, smart manufacturing gives enterprises full visibility which in turn supports streamlining business processes and optimizing supply and demand.” (O’Marah, 2015)

An example of manufacturing taking the benefits of IoT to their full potential was brought forward by Maciej Kranz in his blog post mentioned earlier.  He states, “Harley-Davidson connected its operations and reduced its build-to-order cycle from 18 months to two weeks, accelerated decision-making by 80 percent, and increased profitability by three to four percent.” (Kranz, 2016)  Not only did this improve cost efficiencies on the production line but this also improves Harley-Davidson’s brand with their community.

Control Network

Transportation has also benefited from the IoT.  Driverless cars are becoming reality with a plethora of sensors that can be tied into microcontrollers built into cars.  They then communicate across the cellular network and localized methods to other cars in their vicinity to direct the flow of traffic with no intervention from the driver.  When you get home your house is also becoming more intelligent each day with the use of smart thermostats, smart security systems, smart assistants (such as Amazon Echo), and smart TVs that can now access internet based content such as entertainment providers like Netflix, Hulu, and others.  Even smoke and carbon monoxide sensors are becoming intelligent and can contact the local fire department through the internet while at the same time sending you an alert through your phone or by other means.

A real life example for the benefits of the IoT comes from PepsiCo.  PepsiCo is beginning to utilize an army of IoT devices to track crops, shipments, and more in what it calls “The Digital Value Chain.”  Flying drones with sensors utilized to determine moisture and fertilizer saturation are being utilized in an automated fashion to track the state of crops and allows them to efficiently utilize their resources in growing the most effective crop of materials possible to create their products.  Mobile sensors are utilized in their shipments to track each palette of product to enhance efficiencies in supply chain control.  This cuts down on wasted product, provides for a fresher product, as well as delivering it as close to the moment of purchase as possible. (Banker, 2015)

IoT Issues

The power of the IoT is tremendous, but so is its potential for malicious attacks.  Over recent years these devices have demonstrated the amount of damage they can do to the internet let alone companies and individuals who are victims of these attacks.

Botnets & Attacks

Many IoT devices are vulnerable to basic attacks allowing “Distributed Denial of Service (DDoS) botnets to amass up to a million devices.” (Arbor Networks, 2016)  There are many botnets on the internet that are used for whatever purpose the highest bidder wants to execute.  These botnets go by the names of Mirai, Lizkebab, Bashlite, Torlus, and gafgyt.  Once these devices are recruited into botnets, they are sold on the dark net to do the buyers bidding for as low as $0.06 per bot for a time limit of two weeks.  They can be used for both volumetric and application specific DDoS attacks and any other devious activities the buyer has in mind.

One example of the devastation that can be caused by these botnets was this past October’s attack on Dyn, a national DNS service provider for companies such as Twitter, Netflix, Walgreens, GitHub, DirecTV, Ancestry.com, Zillow, and many others.  Each infected device was given directions to target DNS queries against Dyn’s Managed DNS solution globally.  These attacks came in waves and degraded or denied access to their service globally.  Due to the massive quantity of devices utilized in this attack, it was unlike any other and was an unprecedented attack which made finding the culprit devices difficult, as Dyn has survived other DDoS activities previously.  Level3 provided live maps of the outage which put into perspective the effects of the attack. [Figure 1] (York, 2016)

New devices are manufactured daily that can be recruited into these botnets as well.  Due to the lack of basic security standards and protections that have been taken for granted by the majority of industries globally, many of these devices are being implemented with default credentials, clear-text management communication, and software vulnerabilities that can be exploited to gain access into these devices and drop malicious payloads to control them.

IoT devices can be utilized for more than just botnets; they are also proxies for hiding a bad actor’s true identity, allowing them to perpetrate tax refund and credit card fraud as well as other cybercriminal activities with limited or no trace of their true identity.

Privacy Concerns

With IoT devices collecting, monitoring, storing, and transmitting large amounts of data regarding our personal lives, our own privacy is at risk as well.  As Dennis Fisher stated, “IoT devices are capable of collecting, transmitting, and sharing highly sensitive information about consumers’ bodies and habits.” (Fisher, 2016)  In a previous example of the CGM devices for diabetics, their personal and classified health information is subject to disclosure if these vendors and manufacturers of CGM devices do not provide due diligence in their architecture, design, and lifecycle management.  Health Insurance Portability and Accountability (HIPAA) regulation does not yet cover these specific IoT devices and the securities that should be implemented around them.  The Payment Card Industry (PCI) is a step ahead as they have been utilizing mobile card readers for over a decade, which the industry could learn from, but this industry has also had its issues with information disclosure.  The likes of the Target and Home Depot breeches have been seen in more and more cases where malware has invaded these environments to collect data.

Home monitoring, security systems, manufacturing sensors, and global tracking devices are all collecting sensitive data that when put into the wrong hands can provide a bad actor with information that could put both families and companies at risk.

Financial Loss

With IoT devices being integrated into assembly lines, manufacturing control, and even public works control systems, these devices can be hijacked and used as hostages to extort money from companies to allow their facilities to keep manufacturing their product.  Payment systems are also vulnerable as we have seen over the past decade with the previously mentioned breaches of Target and Home Depot which have exposed user payment card data to bad actors where the information was sold to the highest bidder.   The lost payment and PCI related data can then be used to commit fraudulent purchases, open credit cards or loans, and even commit tax refund fraud costing not only the effected individuals time and money to clear up their record, but it also costs banks and companies alike in the money lost with these fraudulent transactions.

Personal Risk

On top of the previous statement of financial loss in the public works system, these could even be utilized in hacktivism and terrorism plots to take down power, disturb or halt water treatment facilities, and (depending on how far these go into the medical field) end someone’s life.  The impact to personal lives depends on how far we take the IoT into our critical infrastructure and healthcare system and whether it is exposed to the internet.  In a whitepaper from thingworx written by Rob Black he calls out examples regarding IoT security where lives of individuals could be at risk.  “Security researchers recently demonstrated that they could remotely disable the wheels and brakes of a popular sports utility vehicle.  Students remotely took control of the pacemaker implanted in a robotic dummy patient used to train medical students and showed they could cause life-threatening injuries to or even kill a real patient if it had actually been implanted in one.  Hackers demonstrated the ability to take control of a Wi-Fi connected rifle to aim it at a different target or prevent it from firing.” (Black, 2016)

In each of these scenarios, the malicious entity could take advantage of these devices to hijack, ransom, or even kill those that they wish to target.  These are grave security concerns which the industry needs to take into consideration when creating their IoT devices.

Security Exploits

With an understanding of the benefits of IoT as well as what security risks are generally exposed, there are some vulnerabilities that have been exploited that point out specific security practices that should be formalized into the IoT industry to further increase our security posture.

Mirai Botnet

Mirai is an open source malware that preys upon IoT devices with lax security controls.  While not an exploit, this botnet is a list of known devices with usernames and passwords that are either the defaults or even hardcoded into the systems software.  Usernames and passwords are sometimes even hardcoded into the firmware of the device and is immutable or not resolvable without a full device replacement.  Mirai scans the internet from each infected device to spread itself even further across the internet, in the same fashion that worms used to spread across the internet. (Krebs, Source Code for IoT Botnet ‘Mirai’ Released, 2016)

Once these devices have been enrolled into the massive botnet, they report back to a central Command & Control (C2) server where it can receive its orders and in an orchestrated fashion with the rest of the botnet based upon the desire of the central authority.

The reason why these devices are easily preyed upon is not only because of the lack of security controls and auditing from the vendor’s perspective but it also boils down to the end users not seeing any impact to this exploited device.  There’s no visibility into the end host that would give them signs that the device is compromised like malware of old which could cause system lag and even abnormal behavior.  With this lack of visibility and lack of security awareness from the vendor’s perspective, this creates a large highly vulnerable mass of assets that are ripe for the taking.

Those responsible for the creation of Mirai have now opened sourced their software, giving anyone the power to create a botnet from the plethora of available, uninfected devices to perform their cybercriminal acts.

SSHowDown Proxy Attack

Akamai reported on SSHowDown Proxy Attack in mid-October of 2016 where they found multiple IoT devices performing a credential stuffing campaign on internet services.  Credential stuffing is a more sophisticated version of brute force attacking where you have a list of compromised accounts from previous attacks that you utilize to see if those same users have an account on your targeted application.

SSHowDowN is based off of a vulnerability in OpenSSH that was reported back in 2004 under CVE-2004-1653.  Ezra Caltum & Ory Segal from Akamai state, “We would like to emphasize that this is not a new type of vulnerability or attack technique, but rather a weakness in many default configurations of IoT devices.” (Segal, 2016)  The issue here was that TCP forwarding was enabled by default in OpenSSH and thus was enabled by default on many of these IoT devices that utilized this software.  With TCP forwarding, the malicious party was able to send their traffic encrypted from their source to the compromised IoT device.  It would then forward the inner packet on to the destination unchanged, thus hiding the original users source.

IoT manufacturers are failing to provide a simple, automated, and non-disruptive way to upgrade their devices.  IoT manufacturers are also failing to perform basic security patching during the production lifecycle of their products, rarely providing patches to end users either. (Krebs, IoT Reality: Smart Devices, Dumb Defaults, 2016)  With a simplified process and basic security assessments being performed on the software utilized by these IoT vendors, this issue could have been avoided entirely as they would have turned off this option in newer versions of OpenSSH by default.

Zombie Zero

In 2014, TrapX released a report regarding a suspected nation-state sponsored targeted attack against multiple logistics and shipping industries.  This malware was preloaded inside of a handheld scanner utilized in this industry for tracking inventory and shipping packages. Once these devices were connected to the corporate network they began a set of automated, polymorphic attacks to breach security at the company looking specifically for servers with any kind of financial information available to be captured and exfiltrated to the C2 servers abroad.

TrapX reported “Weaponized malware was delivered into customer environments from the Chinese factory responsible for selling a proprietary hardware/software scanner application used in many shipping and logistic companies around the world.

“The customer installed security certificates on the scanner devices for network authentication, but because APT malware from the manufacturer was already installed in the devices, the certificates were completely compromised.” (TrapX Security)

It continued to morph to bypass security controls until it had achieved its goal of finding the financial data it was looking for, which was then exfiltrated and utilized for unknown purposes now.

Security can be placed around these devices, but if they come implanted with malware to begin with, this provides no real security.  In the scenario from TrapX’s report, these devices were installed with authentication certificates to validate their authenticity on the network.  They were then placed within a trusted environment to report back to a financial Enterprise Resource Planning (ERP) system.

Auditing of the software/hardware utilized within our IoT devices needs to be scrutinized on a consistent basis.  An initial deployment might not be compromised, but subsequent patches or enhancements might be compromised.

HummingBad/HummingWhale

HummingBad and the subsequent variant HummingWhale are Android malware instances that infect their device and start displaying fraudulent ads that generate revenue for the perpetrator.  It does this all without needing to gain elevated privileges and also spreads itself by downloading additional software without the user’s awareness.

Check Point reported on this in their Threat Research column on January 23rd, 2017.  In that report they state, “Check Point researchers have found a new variant of the HummingBad malware hidden in more than 20 apps on Google Play. The infected apps in this campaign were downloaded several million times by unsuspecting users.” (Koriat, 2017)

Malware variants can come through any software we install, not just from the OS and default software we deploy as part of the device’s original intention. Consistent security scrutiny and application control needs to be exercised by companies distributing this software.  In this case, Google’s Play Store software validation failed its community by performing poor software security validation and selling/distributing this software to its customers.  Consistent awareness, scrutiny, and software validation must be executed on all software utilized in your IoT environment, not just the software you purchase as part of your original deployment.

Security Improvements

Each of the previous vulnerabilities calls out a subset of the factors that should be taken into consideration for improving the state of security around the IoT industry.  We will now go in-depth as to why each of the below changes I’m suggesting are necessary and how they can make a positive impact on our security for the future.

Standards and Guidelines

Many security experts have agreed that creating a security guideline and best practices specifically for IoT is required.  Europe is even working on making such a security standardization that will be required for manufacturers. (Krebs, Europe to Push New Security Rules Amid IoT Mess, 2016)

Even though this standard is not yet available, normal security best practices are still valid for these types of situations.  The Open Web Application Security Project (OWASP) creates a detailed and extensive list of web based application vulnerabilities commonly found across the globe.  They have proactively created a draft for manufacturers to utilize as guidance for their IoT security standard.  They range from basic encryption in transit, to logging and auditing features for these devices.  By utilizing even this basic list of security guidelines as a standard to build upon, we can remove a large majority of basic attacks which we’ve seen over the past decade as the IoT ecosystem has grown. (OWASP, 2017)

Manufacturers are beginning to see the financial impacts of their mistakes in recent months.  Specifically, the manufacturer Dahua has been at the forefront of these security weaknesses which are driving their customers to scrutinize Dahua’s products further and even sue for damages.  On top of these legal actions, they are also obligated to replace the effected devices as some of the vulnerabilities are hardcoded into the devices firmware, and cannot be remediated with a simple software upgrade. (Krebs, Europe to Push New Security Rules Amid IoT Mess, 2016)

Patching

Canonical, the developer of the widely known Linux operating system Ubuntu, recently performed a survey of customers regarding patching.  The results showed that nearly two thirds of customers believe that it is not their responsibility to patch their software, and rarely check for patches. (Rouffineau, 2016)

IoT devices need to update automatically and without service interruption.  This allows the end user to have a secure environment without having to manage it.

“One of the key security problems that researchers have cited with IoT devices is the impracticality of updating them when vulnerabilities are discovered. Installing new firmware on light bulbs or refrigerators is not something most consumers are used to, and many manufacturers haven’t contemplated those processes either.” (Fisher, 2016)

If you take into account the amount of time and resources it takes to update a single device, and multiply that by how many devices a single household will have by the year 2020, each person will have to handle roughly 3.4 devices worth of upgrades, software management, and general auditing to make sure their device is secure. (Prieto, 2016)  For the general user, this requirement is too much to ask of them as very few people understand the risks associated with unpatched devices nor do they feel they have the time to manage all of these processes.

Auditing

Software development will often include software libraries and add-ons that are developed and maintained by other organizations.  This not only reduces the overall development lifecycle for a product, but it also brings standardized protocols and functionality.  With these shared libraries also comes a shared risk for all of those involved with using them.

Continued review and understanding of what libraries/add-ons are integrated to the software needs to be executed by both the vendor and customer.  When OpenSSL released its vulnerability known as Heartbleed, many organizations were keen to the fact and updated appropriately.  But in the case of the poor default configuration in OpenSSH, this was not a widely known issue and vendors continued to utilize the vulnerable library in their applications, thus creating an inherent vulnerability in their own application.

Even if legislators do not come to an agreement as to what type of regulation they will apply to their devices, there should be an accreditation created among the IT security group (SANS, ISC2, etc.) that will give legitimacy to software and IoT auditing.  This can be equivalent to the certifications from ISO, PCI, and others where an external auditing organization validates that the manufacturers are following specific criteria.

Training

Training and practice will bring any organization up to a higher level of security standard.  Breeches and phishing are most often due to lack of understanding by end users, and IoT security falls along those same lines.  Many organizations implement cyber security training in their security strategy so that their user base can provide the necessary security to their assets and information.

This same type of training should be widely available and provided to people worldwide, so that they can be better prepared to respond to security issues that may arise, and so that they will be more aware of the purpose and necessity for scrutiny, patching, and continued education.  We could have security awareness training built into basic computer courses in college and K-12 classes so that the security best practices can be taught from a young age and reinforced up through their college years.  There could even be government funded public service announcements to help educate the community abroad to the far-reaching effects of bad security practices.

Research has shown that in its current that users are poorly trained to understand these risks to their privacy and security.  Infosec Cloud states that 97% of people around the globe cannot identify a phishing email, and 74% of these same users would download malicious files due to their lack of training.  Now these don’t directly relate to IoT security, but it does coincide with the lack of basic security training amongst users. (Infosec Cloud, 2016)

Legislation

At times, legislation is the only way to create a greater environment for the common good.  Without regulations and stipulations behind them, some companies are unable to justify the costs of securing their implementations and products.  This provides these companies with justification to fund basic security and provides them with guidelines to meet so that there is a standard level of security.  European legislators are pushing to regulate this new breed of devices so that manufacturers are required to pass a security assessment which allows them to achieve a security accreditation that users can recognize, like the UL or FCC electronics industry markings.  This would provide consumers with a level of trust with the products that they are providing in that they are using secure software, and providing secure communication and updates for these devices through the lifetime of the product. (Krebs, Europe to Push New Security Rules Amid IoT Mess, 2016)

As part of his last year in term, President Barack Obama commissioned a report as to what President Donald Trump should tackle as part of his Cybersecurity strategy.  IoT is one of the top issues as part of this report. (Krebs, DDoS, IoT Top Cybersecurity Priorities for 45th President, 2016)  Aside from these few legislative activities, there has been little traction from governments abroad to provide legislation to force manufacturers to meet a specific security standard and to continuously patch their products through their life cycle.

The FTC is driving this effort by rewarding the public with $25,000 for solutions to automatic IoT patching. (Thibodeau, 2017)  The open source crowd has proven multiple times that it can come up with inventive and influential ways of solving problems such as IoT security.  With this incentive to provide the ability to automate patching and other standards from a government agency (or even a privatized business would suffice), this should give the monetary backing to individuals to create new solutions to the problem.

Conclusion

The future for the IoT industry is bright and full of wondrous opportunities.  Healthcare monitoring that can occur constantly and in a minimally intrusive manner while updating caregivers and doctors alike is a phenomenal improvement for their quality of life.  Farming communities can improve their resource utilization, reduce the amount of pesticides to only the necessary, increase water efficiencies, and provide for a more efficient, cost effective, and higher yielding crop.  This gives a bright outlook for our world where many countries are suffering from a lack of food.  Assembly line and manufacturing supply chains can be monitored to provide efficiencies, cost reduction, and increased production uptime to reduce waste in our manufacturing process and provide just enough product for the market’s needs.  With all of these possibilities and the guidance of knowledgeable security minded individuals leading this innovation we will be able to achieve the next level of great innovation since the creation of the Internet itself.

References

Arbor Networks. (2016, October 10). ComputerWeekly.com. Retrieved from The Connection Between IoT and DDoS Attacks: http://docs.media.bitpipe.com/io_13x/io_132434/item_1434568/ArborNetworks_CW_IO%23132434_Eguide_101016_LI%231434568.pdf

Banker, S. (2015, May 25). Using IT as a Competitive Weapon: Dow Chemical, PepsiCo, and the Internet of Things. Retrieved from Logistics Viewpoints: https://logisticsviewpoints.com/2015/05/25/using-it-as-a-competitive-weapon-dow-chemical-pepsico-and-the-internet-of-things-2/

Black, R. (2016). Protecting smart devices and applications throughout the IoT ecosystem.

Fisher, D. (2016, June 3). FTC Warns of Security and Privacy Risks in IoT Devices. Retrieved from Onthewire.io: https://www.onthewire.io/ftc-warns-of-security-and-privacy-risks-in-iot-devices/

Infosec Cloud. (2016, January 4). Security Awareness Training – The Numbers. Retrieved from Infosec-cloud.com: http://www.infosec-cloud.com/security-awareness-training-the-numbers/

Koriat, O. (2017, January 23). A Whale of a Tale: HummingBad Returns. Retrieved from Checkpoint.com: http://blog.checkpoint.com/2017/01/23/hummingbad-returns/

Kranz, M. (2016, November 21). Building the Internet of Things: A How-To Book on IoT. Retrieved from blogs.cisco.com: http://blogs.cisco.com/digital/building-the-iot

Krebs, B. (2016, December 16). DDoS, IoT Top Cybersecurity Priorities for 45th President. Retrieved from KrebsonSecurity.com: https://krebsonsecurity.com/2016/12/ddos-iot-top-cybersecurity-priorities-for-45th-president/

Krebs, B. (2016, October 16). Europe to Push New Security Rules Amid IoT Mess. Retrieved from KrebsonSecurity.com: http://krebsonsecurity.com/2016/10/europe-to-push-new-security-rules-amid-iot-mess/

Krebs, B. (2016, February 16). IoT Reality: Smart Devices, Dumb Defaults. Retrieved from KrebsonSecurity.com: http://krebsonsecurity.com/2016/02/iot-reality-smart-devices-dumb-defaults/

Krebs, B. (2016, October 16). Source Code for IoT Botnet ‘Mirai’ Released. Retrieved from KrebsonSecurity.com: http://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

NCTA. (2014, May 5). Infographic: The Growth of the Internet of Things. Retrieved from NCTA.com: https://www.ncta.com/platform/industry-news/infographic-the-growth-of-the-internet-of-things/

O’Marah, K. (2015, August 14). The Internet of Things Will Make Manufacturing Smarter. Retrieved from IndustryWeek: http://www.industryweek.com/manufacturing-smarter

OWASP. (2017, February 17). IoT Security Guidance. Retrieved from OWASP.org: https://www.owasp.org/index.php/IoT_Security_Guidance

Prieto, R. (2016, June 7). Cisco Visual Networking Index Predicts Near-Tripling of IP Traffic by 2020. Retrieved from newsroom.Cisco.com: https://newsroom.cisco.com/press-release-content?articleId=1771211

Rouffineau, T. (2016, December 16). Research: Consumers are terrible at updating their connected devices. Retrieved from Insights.ubuntu.com: https://insights.ubuntu.com/2016/12/15/research-consumers-are-terrible-at-updating-their-connected-devices/

Scorxton, A. (2015, April 9). Startup Insulin Angel uses internet of things to help diabetics. Retrieved from Computerweekly.com: http://www.computerweekly.com/news/4500244001/Startup-Insulin-Angel-uses-internet-of-things-to-help-diabetics

Segal, E. C. (2016, October 11). Exploitation of IoT devices for Launching Mass-Scale Attack Campaigns. Retrieved from Akamai.com: https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf

Spring, T. (2016, October 21). Dyn Confirms DDoS Attack Affecting Twitter, Github, Many Others. Retrieved from Threatpost.com: https://threatpost.com/dyn-confirms-ddos-attack-affecting-twitter-github-many-others/121438/

Thibodeau, P. (2017, January 4). FTC sets $25,000 prize for automatic IoT patching. Retrieved from ComputerWorld.com: http://www.computerworld.com/article/3154348/security/ftc-sets-25-000-prize-for-automatic-iot-patching.html

TrapX Security. (n.d.). Anatomy of the Attack: Zombie Zero. Retrieved from Trapx.com: http://deceive.trapx.com/rs/trapxcompany/images/AOA_Report_TrapX_AnatomyOfAttack-ZombieZero.pdf

York, K. (2016, October 22). Dyn Statement on 10/21/2016 DDoS Attack. Retrieved from Dyn.com: http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/

 

Dyn DDoS Outage Map

Figure 1.

Level3 live outage map on Friday 5:20PM EDT during the Dyn DDoS on October 21st – (Spring, 2016)

The Growth of the Internet of Things

Figure 2.

NCTA Infographic representing the past and expected growth of the Internet of Things (IoT) – (NCTA, 2014)