Fortinet didn't exactly go out on a limb last year when it predicted security problems for the Internet of Things (IoT). But it's worth noting that those predictions seem to be coming true this year.

The predictions were made by FortiGuard Labs last year, and Fortinet came back today with a blog entry evaluating its results.

Two of the four predictions had to do with the lax nature of IoT security, where the root cause seems to be that IoT lends itself to a kind of carelessness. Small devices don't get the security scrutiny that laptops or data-center servers do, from either designers or end users, writes Derek Manky, Fortinet's global security strategist.

For example, a tendency to use default settings and passwords opens the door to attacks on machine-to-machine (M2M) connections, Manky writes. A tool called Shodan even lets you search for some of these devices.

"We have already begun to see regional trends where such information is used to ascertain not only whether a family is home or not, but also how far away they are or how long they are expected to be gone," Manky writes.

The cut-and-paste nature of IoT code helps make some vulnerabilities "endemic," he adds. "And since the majority of these devices are headless, there is no way to even update or harden them."

Ransomware has also found its way to IoT, as Manky notes. One high-profile example was demonstrated at the DEF CON conference earlier this month, when researchers from PenTest Partners showed they could hijack a smart thermostat.

Just as IoT devices are headless, so are attackers. Another Fortinet prediction was that unmanned worms and viruses would be unleashed to attack unmonitored IoT devices.

That one seems inevitable; in fact, it sounds like the kind of thing that's already happening whether IT security teams are aware of it or not. Manky cites the June discovery of a botnet that had spread to 25,000 closed-circuit TV devices, which then became the vehicles for distributed denial-of-service (DDoS) attacks.

"This is a perfect example of a criminal hijacking of dumb devices and then weaponizing them," he writes, cheerily adding that there aren't many options for updating or hardening these devices.