Cheap devices, costly threats

Electronic components with weak security are leaving the door open for cyber pirates to wreak havoc.

The largest coordinated cyberattacks ever, which took down major websites in the US and Europe such as Twitter, Netflix and Spotify this past October, have revealed a weak link in the growing Internet of Things (IoT), reports Quartz. Manufacturers of electronic components produce unsecured or weakly secured devices that leave the door open for cyber pirates to easily create havoc.

The October disaster has been linked back to Hangzhou Xiongmai Technologies, a Chinese company that built hardware and software for Internet-connected security cameras that were insecure. The cameras’ software and hardware were easily infected with the Mirai strain of malware, and through this contamination the cyber pirates were able to redirect huge flows of Web traffic to Dyn, a Domain Name System (DNS) provider that serves as a first stop when computers connect to Internet sites. From there, floods of data reached the servers of Netflix, PayPal and others, creating a classic Distributed Denial of Service (DDoS) attack.

The default login usernames and passwords in Hangzhou Xiongmai’s and other suppliers’ devices were weak and, making matters worse, the devices integrated the antiquated, unencrypted Telnet service, which allows remote computers to log in to them unchecked. “In the current age of IoT devices, this is not just leaving your front door unlocked, it is like leaving it open for anyone to walk through,” said Brian Karas, an analyst of the video surveillance industry at IPVM, a research firm.

The cyberattacks are the consequence of a fragmented global supply chain in which competition squeezes prices and sidetracks security concerns. It is the same system that brought exploding hoverboards into American consumers’ living rooms last year. “As hospitals, airplanes, and cars add Internet-connected devices,” writes Quartz, “it’s not just privacy that’s in danger — people’s lives will be too.”