A U.S. Senator has joined security officials calling for stiffer cybersecurity for Internet of Things (IoT) devices following a major attack last Friday.
In a letter to three federal agencies, Sen. Mark Warner (D-Va.) on Tuesday called for "improved tools to better protect American consumers, manufacturers, retailers, internet sites and service providers."
Friday's big cybersecurity attack affected 80 major websites and was blamed on the Mirai botnet that largely targeted unprotected IoT devices, including internet-ready cameras.
Those devices were used by unknown attackers to overload servers at Domain Name System provider Dyn in a Distributed Denial of Service (DDoS) attack.
President Barack Obama said Monday that U.S. investigators "don't have any idea" who was behind the attack. He added on Jimmy Kimmel Live that future presidents face the challenge of "how do we continue to get all the benefits of being in cyberspace but protect our finances, protect our privacy. What is true is that we are all connected. We're all wired now."
Security experts recommended Tuesday that default usernames and passwords in IoT devices be avoided and said automatic updates of IoT software could help avoid similar attacks in the future.
"This attack should be a wake-up call about security issues across IoT," said Mark Dufresne, director of threat research at Endgame, a cyber security company based in Arlington, Va.
"There's a low barrier for entry for hackers due to IoT devices that ship with default credentials and lack automatic security updates to fix known flaws," he said in an interview. "As things stand today, we should expect to see more and more attacks involving IoT."
Default usernames and passwords are relatively easy for hackers to guess; there are even lists of default usernames and passwords available on an internet search.
Experts said there are several ways to move away from default credentials: manufacturers could require that a customer change the password before the device is first used; a random number generator could be used to create a password for each device, with the unique password made available to the user; or the unique MAC (Media Access Control) address of the device could serve as the password until the user changes it.
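As an added illustration of the first two approaches above (a forced password change before first use, and a per-device random password), and not code from the article or from any vendor, here is a hypothetical device login policy in Python; the list of factory defaults it rejects is a constructed sample.

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample of well-known factory credentials (hypothetical, not the article's data).
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234"), ("user", "user")}


def generate_device_password(length: int = 16) -> str:
    """Per-device random password, produced at manufacture time with a CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_default_credential(username: str, password: str) -> bool:
    """True if the pair appears in the known-default list."""
    return (username, password) in KNOWN_DEFAULTS


class DeviceAuth:
    """Shipped state: the factory credential may only be used to set a new password."""

    def __init__(self, username: str, factory_password: str):
        self.username = username
        self._salt = secrets.token_bytes(16)          # per-device salt for the stored hash
        self._hash = self._h(factory_password)
        self.must_change = True                       # nothing else is allowed until changed

    def _h(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _check(self, username: str, password: str) -> bool:
        return username == self.username and hmac.compare_digest(self._h(password), self._hash)

    def login(self, username: str, password: str) -> str:
        """Returns 'denied', 'password_change_required' or 'ok'."""
        if not self._check(username, password):
            return "denied"
        if self.must_change:
            return "password_change_required"
        return "ok"

    def change_password(self, username: str, old: str, new: str) -> bool:
        """Accepts the change only if the old credential is valid and the new one is not a default."""
        if not self._check(username, old):
            return False
        if is_default_credential(username, new) or len(new) < 12 or new == old:
            return False
        self._hash = self._h(new)
        self.must_change = False
        return True
```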
For IoT devices to get automatic updates would require more processing power. Dufresne said adding such capabilities wouldn't necessarily be expensive.
"We see the dangers of this IoT running rampant," he said. "There's a continuum of bad to middling security and nobody is knocking it out of the park."
Even though DDoS attacks first hit the internet in the 1990s, they are still commonplace. AT&T on Monday released a survey of more than 700 IT decision makers that found that 73% of companies suffered at least one DDoS attack in the last year.