By Michael Greene, CEO, Enzoic.
Millions of smart toothbrushes hacked and “turned into secret army for criminals?” Sounds like Hollywood pretense or something born from the collective imagination of today’s security pros and, in this case, it was.
In late January, Swiss publication Aargauer Zeitung wrote an article describing how hackers had launched a distributed denial-of-service (DDoS) attack against approximately 3 million smart toothbrushes. The story claimed damages to be millions of euros. Numerous English-language publications, including ZDNet, Tom’s Hardware and The Sun, picked up the story and reported on the attack.
It wasn’t until a week later that Fortinet, Aargauer Zeitung’s source, clarified that the situation was a hypothetical attack discussed during an interview—blaming a translation error for the misunderstanding. While there has understandably been some fallout over the viral nature of the story, I caution companies from dismissing this scenario entirely.
It didn’t happen, but that doesn’t mean it couldn’t. And while it’s unlikely that a connected toothbrush would cause the chaos outlined in the original Swiss article, it still serves as an important reminder that IoT devices remain a sought-after hacker target.
With that in mind, following are some important considerations to ensure their security:
Enable All Security Features
Many connected devices offer encryption or other additional security features. Too often organizations and consumers fail to enable them, making it much easier for a threat actor to compromise the device.
Strengthen Authentication
Using multifactor authentication (MFA) whenever possible is also an important step as part of a layered approach to IoT security.
Evaluate Unneeded Features
Another best practice is to disable any unnecessary features, as well as ensuring that any older unused devices are disconnected from the network. The latter often have outdated security, which can create a weak point on the network that cybercriminals can easily exploit.
Ensure Devices are Up to Date
Frequently check all IoT manufacturers’ websites for firmware updates and patches. If the smart device has an accompanying app, ensure that the most up-to-date version is in use.
Change the Default Settings
It wasn’t too long ago that many IoT devices were shipped with the same default password as standard—for example, in 2019 600,000 GPS trackers arrived all with 123456 as their password. While manufacturers no longer assign the same credential to all products out of the box, it’s still important to change the password and all other default settings prior to use.
IoT Security Demands Threat Intelligence
Unfortunately, changing a device’s password isn’t enough from an enterprise security perspective. People typically reuse passwords across numerous applications and systems, with one study finding that 72% of individuals deploy the same one in their personal life and nearly half of employees simply change or add a digit or character. Given the high rate of data breaches, all it takes is one attack for these credentials to be available on the Dark Web for threat actors to utilize in subsequent breach attempts.
This is a key reason that threat intelligence is a vital component of any modern IoT security strategy. Organizations need real-time insight into the integrity of the credentials used to secure and access connected devices so that they can take immediate action in the event of a compromise—and prevent any subsequent damages from occurring.
Giving IoT Security Some Teeth
Once the Aargauer Zeitung story was debunked, many articles pointed out that threat actors generally pursue attack avenues more closely linked to monetary gain. And while connected toothbrushes don’t contain financial data, the same can’t be said for enterprise IoT devices used for predictive maintenance, smart energy management, or occupancy monitoring.
As such, the hypothetical attack scenario is a timely nudge to ensure the security of these and other enterprise connected devices. The news media will soon forget about this viral (if untrue) story, but the same can’t be said for hackers’ fixation on smart devices’ security vulnerabilities.
