Director of National Intelligence Warns of IoT Security Threats

According to Director of National Intelligence Daniel Coats, IoT devices may be used to shut down US intelligence operations in the future. From a report: At an open hearing today, the Senate Select Committee on Intelligence (SSCI) heard testimony on the worldwide threat assessment of the US intelligence community. Coats' opening statements included a warning of the dangers of poor smart device security as well as the continued inevitability of Russian cyber threats. Coat's testimony lists these concerns first, with Russia topping the list of enemy actors. Coats says that the Kremlin has taken a much more aggressive "cyber posture," which "was evident in Russia's efforts to influence the 2016 US election." Coats' report (PDF) also says that Russian actors have conducted attacks on critical infrastructure networks, even going so far as to pretend to be third parties hiding behind false online personas. "Russia is a full-scope cyber actor that will remain a major threat to US Government, military, diplomatic, commercial, and critical infrastructure," says Coats in the written version of his statement. The document notes that China, Iran and North Korea, as well as terrorists and criminals, are also threats. Coats also spoke at length about "smart" devices, which have increased the number of vectors that hostile actors can attack. The denial-of-service (DDoS) attacks that we already see will only become more prevalent. These botnets use weakly-protected IoT devices to overwhelm websites and other networks. "In the future," Coats says in his report, "state and non-state actors will likely use IoT devices to support intelligence operations or domestic security or to access or attack targeted computer networks."

At an open hearing today

[turkeydance]

nothing new was revealed

He's right.

[Gravis+Zero]

The Internet of Shit is both an immediate and persistent threat because not only do these devices exist, more are being connected daily. The problem is that the companies are not getting the negative financial feedback (punishment) that they need to correct their behavior.

I've said it before but it's worth repeating.

IoT vendors will only secure their devices after it starts costing them money or are legally required to do so.

The best option is to hijack the IoT devices to DDoS their makers because it creates a direct feedback loop. The more insecure devices they sell, the more it will cost them to host their company's website(s). For extra points, only target their parent company. ;)

Don't worry, Imminent Death of Interenet Predicted

[Ungrounded+Lightning]

These botnets use weakly-protected IoT devices to overwhelm websites and other networks. "In the future," Coats says in his report, "state and non-state actors will likely use IoT devices to support intelligence operations or domestic security or to access or attack targeted computer networks."

Not to worry. There might not be a functioning Internet around for a while.

Last Friday enough information came out about the Intel AMT authentication bug to let people of ordinary skill construct a worm using it for transport, which could take over the bulk of the Internet-connected Intel-based devices - or at least the subset run by IT shops which use AMT for remote administration. This could easily be weaponized to effectively take out the Internet, quickly, for substantial periods of time, and possibly repeatedly.

The bad guys have had almost a week to work on it now. If we don't start seeing some fallout by next week, it just means that everybody who's doing it is saving it for a big hit, and/or is very good at stealth (with the stuff they're already spreading).

But given how many could be playing, I find it hard to believe SOMEBODY won't screw up and do something visible by accident. (Something like the claim that the Morris Worm was an experiment that escaped the lab during development.)

= = = = =

(After 48 years it's finally my turn to publish an "Imminent Death of the Interenet Predicted" posting - even if it's at least half tongue-in-cheek. B-) )