Over 1 million Internet of Things (IoT) devices have been compromised in recent months and added to DDoS botnets created with the help of a malware family known as Gafgyt, but also as Lizkebab, BASHLITE, and Torlus. Lane Thames, Software Development Engineer and Security Researcher at Tripwire commented below.
“As security researchers, we love providing this type of useful information. We view changing default credentials, using encryption, locking down networks with firewalls, etc. as basic security hygiene. However, the bulk of the IoT market consists of non-technical consumers who, at this time, have very little (if any at all) knowledge of how to make these security conscious changes. This is a ‘technology’ component of security where it is up to the manufacturers to build more secure devices. For example, it is well past time to find a better ‘default credential’ solution. In other words, no one should be shipping devices with default credentials. Device manufactures should be considering new methods to replace the default credential model. The ‘human’ component of security must also be addressed in the long run. We will never have a society where everyone is a cybersecurity specialist. However, our current educational ecosystem is failing us on the cybersecurity front. As a society, we must start integrating the basics of cybersecurity knowledge within our education systems. Even if we could solve the technology component of cybersecurity, our efforts would be in vain without addressing the human component as well.”