

botnet (2)

The IoT is already shaping modern society in various ways. While many of these are positive aspects that result in streamlined communications, easier access to information and a greater quality of life, there are some major roadblocks in the push toward widespread IoT implementation.

One of the primary concerns revolves around the security of IoT-connected devices. A demonstration by Avast at the Mobile World Congress (MWC) in Barcelona recently uncovered a flaw in current-gen IoT infrastructure. Not only can attackers potentially gain control over tens of thousands of different devices, but they can also use the assembled processing power to mine $1,000 of cryptocurrency in a matter of days.

Identifying the Easiest Targets

Although Avast's demonstration didn't involve a full-scale replication, it underscores serious security flaws in the nature of current-gen IoT devices. If a widespread attack did occur, hackers would likely focus on the weakest targets.

Unsecured home networks are ideal for this sort of hack. As the average homeowner continues adding new smart-devices to the home, the hacker's job becomes even easier.

The task of hacking into thousands of unsecured home networks and taking over 15,000 or more devices might be insurmountable for a lone hacker, but a team of experts could readily pull it off and begin mining cryptocurrency without the owners' knowledge.

Some hackers might target small businesses or even larger corporations. As these networks easily contain the necessary number of IoT-connected devices, an individual could quickly gain control over thousands of different systems.

Mining, in this context, is a process of verifying transactions across a cryptocurrency-backed network. Cryptocurrency miners use various tools — including hardware and software utilities — to solve sophisticated mathematical algorithms and, as a result, generate digital monies that are tradable for real-world goods or cash.

Since coins are often used for nefarious or downright illegal activities, hackers try to use the accounts of unsuspecting victims whenever possible to maintain anonymity and cover their tracks.

Many popular coins, like Bitcoin, require advanced hardware that’s available in current-gen smart-devices. But other cryptocurrencies, like Monero, are made to harness the power of many individual machines simultaneously.

Similar Incidents in the News

This isn't the first time that IoT-connected devices have been proven vulnerable to hacking. As reported by IBM X Force, a revised version of the Mirai botnet is programmed to take over a device and mine cryptocurrency via Linux.

Mirai is disheartening to security experts. It was the botnet responsible for a 2016 DDoS attack that caused massive service outages on sites like Netflix, Reddit, GitHub, Twitter and more.

According to a statement released by IBM X Force, the botnet gains entry into a system via the BusyBox program on Linux-based machines. Considering that Linux runs some of the largest and most popular websites, operating systems and software packages, the potential for exploitation is very serious.

Fighting Back

Fortunately, you can take some steps to secure your network from outside threats — including the latest botnet hacks. Always make sure your devices are on a secure network and protected behind a strong password.

Apply the latest updates to your hardware as soon as they're available from the manufacturer, and use software protection — like antivirus and anti-malware utilities — on smartphones, tablets, laptops and desktop computers.

To make the job even harder for would-be hackers, avoid connecting to public Wi-Fi whenever possible. Never keep your personal devices on the same network as your primary desktop or laptop, as this makes it easier for cyber-criminals to jump from one system to another.

Finally, make sure to change the default login credentials on any new device you add to the network. Many come with generic information that is easily exploited.

How the MWC Is Protecting Our Networks

The Mobile World Congress — dubbed the "world's largest gathering for the mobile industry" — is organized by the GSM Association. Sometimes known as the Global System for Mobile Communications or simply "the GSMA," the organization began hosting events in 1987. It remains the largest conference in the mobile industry, and it continues to highlight new security flaws and solutions — including problems with IoT connectivity — to this day.

Stay up to date with the trends of these devices and activity surrounding them, and you’ll have a better shot at fighting back against hackers.


The recent distributed denial-of-service (DDoS) IoT attack against DNS is a wake-up call to how fragile the Internet can be.

The IoT attack against Domain Name Servers from a botnet of thousands of devices means it’s way past time to take IoT security seriously. The bad actors around the world who previously used PCs, servers and smartphones to carry out attacks have now set their sights on the growing tidal wave of IoT devices. It’s time for consumers and enterprises to protect themselves and others by locking down their devices, gateways and platforms. While staying secure is a never-ending journey, here’s a list of twelve actions you can take to get started:

  1. Change the default usernames and passwords on your IoT devices and edge gateways to something strong.
  2. Device telemetry connections must be outbound-only. Never listen for incoming commands or you’ll get hacked.
  3. Devices should support secure boot with cryptographically signed code by the manufacturer to ensure firmware is unaltered.
  4. Devices must have enough compute power and RAM to create a transport layer security (TLS) tunnel to secure data in transit.
  5. Use devices and edge gateways that include a Trusted Platform Module (TPM) chip to securely store keys, connection strings and passwords in hardware.
  6. IoT platforms must maintain a list of authorized devices, edge gateways, associated keys and expiration dates/times to authenticate each device.
  7. The telemetry ingestion component of IoT platforms must limit IP address ranges to just those used by managed devices and edge gateways.
  8. Since embedded IoT devices and edge gateways are only secure at a single point in time, IoT platforms must be able to remotely update their firmware to keep them secure.
  9. When telemetry arrives in an IoT platform, the queue, bus or storage where data comes to rest must be encrypted.
  10. Devices and edge gateways managed by an IoT platform must update/rotate their security access tokens prior to expiration.
  11. Field gateways in the fog layer must authenticate connected IoT devices, encrypt their data at rest and then authenticate with upstream IoT platforms.
  12. IoT platforms must authenticate each device sending telemetry and blacklist compromised devices to prevent attacks.
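
One way a platform's telemetry ingestion path could combine items 6, 7 and 12 (device registry with key expiry, source-address allow-list, blocking of compromised devices), as an added example that is not from the original article. The device IDs, keys, address range and the HMAC-SHA256 message format are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone

# Constructed sample data: IDs, keys, expiry dates and the IP range are illustrative.
UTC = timezone.utc
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # item 7: managed ranges
REGISTRY = {                                                  # item 6: devices, keys, expiry
    "sensor-001": {"key": b"k1-constructed", "expires": datetime(2030, 1, 1, tzinfo=UTC)},
    "sensor-002": {"key": b"k2-constructed", "expires": datetime(2020, 1, 1, tzinfo=UTC)},
    "sensor-003": {"key": b"k3-constructed", "expires": datetime(2030, 1, 1, tzinfo=UTC)},
}
BLOCKED = {"sensor-003"}                                      # item 12: compromised devices


def sign(key: bytes, device_id: str, payload: bytes) -> str:
    """Device-side helper (assumed format): HMAC-SHA256 over device ID and payload."""
    msg = device_id.encode() + b"\x00" + payload
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def accept_telemetry(device_id, source_ip, payload, signature, now=None):
    """Return (accepted, reason); every check fails closed."""
    now = now or datetime.now(UTC)
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "invalid source address"
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return False, "source address outside managed ranges"
    entry = REGISTRY.get(device_id)
    if entry is None:
        return False, "unknown device"
    if device_id in BLOCKED:
        return False, "device is blocked"
    if now >= entry["expires"]:
        return False, "key expired"
    expected = sign(entry["key"], device_id, payload)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    return True, "ok"
```

A device whose key is close to expiry would rotate it before the `expires` time (item 10); this sketch only shows the platform refusing telemetry once that time has passed.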

Keeping the various components that make up the IoT value chain secure requires constant vigilance. In addition to doing your part, it’s important to hold the vendors of the IoT devices, gateways and platforms accountable for delivering technology that’s secure today and in the future.
