Are Home-Based IoT Cyber Exposures Part of Your Insurance Strategy?


There’s a new and broadening entry point for cyberattacks, and its name is IoT. Connected devices bring a plethora of exposures that will need to be insured one way or another – the question is, how? And it’s a question that demands an answer.

When a Minecraft botnet took down the Internet

Two years ago in Alaska, three college-age friends pleaded guilty to “masterminding an unprecedented botnet” which “unleashed sweeping attacks” on Internet services across the world, Wired reported.

They hadn’t meant to. They were trying to win a game of Minecraft. But their actions incited one of the “biggest security scares of 2016,” an election year, in which various unsecured IoT devices such as security cameras and wireless routers were infected by malware. Together, these devices formed a botnet named Mirai: a network of zombie computers executing distributed denial of service (DDoS) attacks on a global scale.

“The teens were using it to run a lucrative version of a then-common scheme in the online gaming world – a so-called booter service, geared toward helping individual gamers attack an opponent while fighting head-to-head, knocking them offline to defeat them,” Wired said.

But gamers weren’t the only ones getting knocked offline. The “self-replicating computer worm” they created quickly “enslaved some 600,000 devices around the world,” paralyzing servers and applications by flooding them with network traffic. Mirai crushed the French hosting provider OVH, the website Krebs on Security (run by industry-leading security reporter Brian Krebs), and whole Internet of Liberia. Suffice it to say, the botnet “was an insane amount of firepower.”

How did it manage to bend so many IoT devices to its will? Simple – their human owners had never changed the default security settings.

“Since most users rarely change default usernames or passwords, it quickly grew into a powerful assembly of weaponized electronics, almost all of which had been hijacked without their owners’ knowledge,” Wired said.

Default passwords – simple fix, major problem

Every year, the Verizon RISK team investigates hundreds of security breaches and disseminates an annual report on its findings. Every year, default passwords prove the culprit behind countless, extremely costly incidents.

Here’s how it works. When a user purchases a connected device, per manufacturer instructions they’re supposed to replace the default username and password with custom settings. If they don’t, the device operates on its defaults – which are painfully easy to guess. For example, a default username might be “admin,” and a default password might be “password.” By not changing the defaults immediately, users turn their devices into sitting ducks.

In fact, changing a default password may be the most basic security safeguard possible. Yet every year, the RISK team traces multiple major breaches to a failure to do so. According to the team’s latest Data Breach Investigation Report, 2017 was no exception. Even major enterprises have been guilty of the same elementary security error – Equifax being a noteworthy example, as reported by CNBC.

The fact that preventing this particular vulnerability is such a quick fix becomes all the more cringeworthy when a breach leads to millions, even billions, of dollars of damages. And the fact that this continues to happen shows just how far we have to go in reducing cyber risk.

IoT exposures for homeowners and businesses

Which brings us to our next point. Hacking default passwords isn’t the only way in which connected devices can be exploited. It’s simply one of the most common vulnerabilities, paired with one of the easiest fixes. But cybercriminals are capable of much more sophisticated attacks, as well. Bottom line, cyber risk is widespread, its scope is vast, and it plays out on many levels.

Likewise, while the victims in the story above happened to include a journalist, a hosting provider, and an African country, these aren’t the only possible victims of IoT exposures. There are many contexts where connected devices can be breached, and the damages that ensue can affect many parties: businesses as well as homeowners.

Last year, IoT For All explored a couple examples:

  • The FDA identified vulnerabilities in implantable cardiac devices from St. Jude Medical, through which a hacker could deplete the battery or administer incorrect pacing or shocks – interfering with the devices’ ability to monitor patients’ heart function and prevent heart attacks
  • The SecurView camera, which can be used for anything from home security to baby monitoring, had faulty software “that let anyone who obtained a camera’s IP address to look through it – and sometimes listen as well”

Hacker Noon, meanwhile, raised concerns about other common IoT devices, including parental control systems, smart locks and mobile voice assistants.

How to insure these emerging risks?

When a connected device is attacked, it can harm more than just its owner. In the case of the zombie worm Mirai, connected devices belonging to parties around the world – from individuals to public or private entities – were taken advantage of without their knowledge. From an insurance perspective, questions fly fast on these heels:

  • If a person’s connected device is used to cause harm without their knowledge or consent, and it results in significant loss – either to them, or to a third party – who pays? Is the loss covered by the policyholder’s insurance, the device manufacturer’s, or some other policy?
  • Do homeowners’ policies need a cyber rider?
  • Do homeowners’ insurers subrogate against manufacturers?

At present, the industry doesn’t have answers to these questions. But it’s only a matter of time until insurers will be forced to face these questions head-on. Need an agile policy administration system to take your company into the future? Download our Policy Administration Buying Guide – Part 1 for ideas on how to select the right solution for your business.