First, knowing the default passwords for pieces of key equipment could give someone access to hundreds of thousands of consumer devices and tens of thousands of industrial devices around the world, from gaming platforms to industrial-control systems. So as the world’s security experts debate the impact of the latest sophisticated hacking attempts from China or the encryption possibilities of quantum computers, just knowing factory passwords means someone can access any device once it leaves the factory and is connected to the Internet.

Second and more concerning, the bot discovered other bots. Carna wasn’t the only unauthorized bot checking for open ports on devices around the globe. Carna was written as a public service for an exploratory project, and it built a botnet to do the census. But, the census taker found several competing botnets, and an enormous, sleeping, network of bots called Aidra, which had compromised as many as thirty thousand devices. Aidra had the power to hijack not just computers but gas meters, refrigerators, microwaves, car-management systems, and some mobile phones. The bots could attack any network infrastructure for a client with a denial-of-service attack. Carna Bot performed the public service of temporarily disabling any Aidra bots it found.

 

Eoin Treacy's view

Just about every month there is news of another organisation that has had its data stolen. As a result the discovery last year of the theft of SIM card encryption keys from Gemalto that occurred in 2010 or 2011 tends to be forgotten. However, there is some pretty clear evidence that it was the USA’s NSA and UK’s GCHQ that colluded to steal the data. It’s worth bearing this in mind when Chinese hacking is so publicly denounced. 

An international treaty on cyber security would go a long way to moderating the fears people have about internet security. The number of connected devices is ballooning and networking technology is becoming ubiquitous so that nefarious elements can do today what would have been the preserve of governments only a few years ago. Since this is a growth field and because it is difficult for parties to gauge how sophisticated their opponents are the potential for a treaty which would establish equilibrium is looking distant. 

Considering how quickly the Internet of Things is progressing the requirement for enhanced cyber security, insurance and investment in R&D all represent growth industries.