The Internet of Things (IoT) is the lighting industry’s saviour as revenues from luminaires start to decline. But as companies rush to get IoT products to market, is cyber security being sacrificed for the sake of a quick buck?
At this year’s Lux Live ethical hacker, Ken Munroe of Penetration testing and security services, will give a live demonstration of just how vulnerable connected lighting products are to attack and manipulation.
At the start of October hackers unleashed one of the largest internet attacks and they did so by utilising IoT devices, such as thermostats and smart lights.
Labeled as a distributed Denial-of-Service (DDoS) attack, the onslaught involved the ‘enslaving’ of IoT devices as botnets, so that they could be taken over and manipulated. In this case, the hijacked devices were used to send messages to flood internet service provider OVH’s web-server with requests, overloading it and causing it to crash.
The attack and its scale came as no surprise to Munroe, who has been issuing warnings about just such an event for some time. ‘We speculated four months ago in a blog post on our website that such an attack was highly probable. IoT makes for the perfect botnet as it is easy to compromise, hard to patch and the owner likely won’t ever have a clue that they’re even part of the botnet.’
During the OVH attack, 150,000 IoT devices were manipulated and the onslaught is just the latest in a long line of strikes that have been powered by hijacked IoT devices.
‘Companies are simply not doing enough to improve IoT security and there is a lack of awareness and a certain laziness in their attitude towards the issue.’
‘Companies are simply not doing enough to improve IoT security and there is a lack of awareness and a certain laziness in their attitude towards the issue,’ Munroe told Lux.
The IoT powered onslaughts are only likely to worsen after the release of the Mirai botnet source code into the public domain. The code contains the necessary information needed to hack into IoT devices and ultilise them for use in Denial-of-Service (DDoS) attacks.
Security experts are worried that IoT devices are being built upon outdated operating systems using code that has not been properly tested for security loopholes, which hackers will exploit.
DDoS onslaughts are usually carried out by criminals looking to blackmail the company they are attacking, however many firms are still not investing enough in security, despite the obvious and growing risks.
Munroe believes that IoT manufacturers need to act now to prevent much more serious security breeches in the future. ‘Governments are becoming more and more concerned about the security risks that IoT poses, and the UK, US and EU governments are even considering legislation to compel firms to act.’ The US Congress, for example, is mulling installing some kind of consumer protection into law to protect IoT consumer’s privacy, although talks are still at a very early stage.
The issue is of growing concern, especially as IoT is expected to grow significantly over the next decade. A survey carried out by Accenture, the global professional services firm, found that thirteen percent of consumers currently own an IoT device, by 2019, this expected to rise to 70 percent.
Hacking will be dicussed in the IoT Arena at this year's Lux Live. In a unique live demonstration, Ken Munroe of Penetration testing and security services, the UK’s leading ethical hackers, will conduct live penetration testing to explore the robustness of the systems produced by the industry. You can find out more here. The LuxLive 2016 exhibition will be held in London on Wednesday 23 November and Thursday 24 November 2016. Ken Munroe's talk will take place at 11:00am on Thursday 24th of Novemeber in the IoT Arena .