A high-profile cyberattack has put the growing Internet of Things (IoT) space on notice.
Last month's distributed denial of service (DDoS) attacks on internet services company Dynamic Network Services temporarily brought down major websites including Twitter, Netflix, PayPal, and Spotify. The source: a botnet composed of IoT devices, electronic gadgets such as cameras and televisions that connect to the web.
"Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a 'tragedy of the commons' threat to the continued functioning of the internet," Virginia senator Mark Warner wrote in a letter to the Department of Homeland Security and other federal agencies after the attack, according to cybersecurity blog Krebs on Security.
Experts advised consumers to change the passwords on their IoT devices, but that seemingly simple solution may not be so simple to implement.
"Firstly, most consumers don't think of passwords beyond their smartphones, tablets, and email and bank accounts. In fact, most are likely unaware their IoT devices even have password options. Secondly, not all IoT devices have consumer-facing interfaces that allow a password change," writes Mashable's Adario Strange.
Given those issues, the burden is on IoT companies to make their devices more secure, even if the vulnerabilities are not necessarily their industry's fault alone. Chris Petersen, co-founder of security analytics company LogRhythm, says a first step for these companies is to program their devices to require users to change passwords upon first use.
IoT companies also should make the process of patching devices to fix security vulnerabilities as easy as possible, Petersen adds. Ideally, patches can be applied automatically without any user interaction.
Luma CEO and co-founder Paul Judge, whose startup builds internet routers, says home internet security is one area that could help safeguard vulnerable IoT devices. His company's routers are programmed to detect malware and to show users, through an app, which devices are connected to their home network.
"IoT devices in the home are small, powerful computers full of security holes and not running anti-virus. They are a hacker's dream," he says. "Cybersecurity must be built into the home network routers directly because IoT devices are vulnerable and users do not have the time to be the CISO [chief information security officer] of their home."
Armon Dadgar, CTO of data-center management startup HashiCorp, says IoT companies should do a better job of servicing their devices over time.
"Organizations need to consider the full life cycle of deploying, provisioning, updating, and deprecating devices," he says. "The attack highlights that many organizations only consider the deployment, and are unable to effectively inventory or update the devices once they are deployed."
Petersen says security holes are present in any products running software, but IoT items are especially vulnerable, a concern Dadgar echoes.
"What we are seeing is that any industry is now a target because they run software, which inevitably has bugs," he says. "We will not have bug-free software in the near term, so we need to get better at patching issues and improving our mean time to mitigation."