Recent Distributed Denial of Service (DDoS) attacks are forcing a shift in Internet-of-Things (IoT) security thinking. The dangers are expanding as attackers are taking advantage of billions of IoT devices, conscripting them into their botnet armies for massive DDoS attacks.
The estimates vary, but range between 20 and 30 billion of these systems will be connected by 2020. With the explosive rise of IoT, the focus has been primarily on hackers taking over devices and controlling them. Many of the risks highlighted in the past year has been in the transportation sector. Cars being hacked and control surfaces such as breaks, steering, and acceleration, compromised. The prospect of exploitable vehicles, under the command of others, is a scary proposition. Security researchers are showing what risks are possible. Such real-world attacks put people’s lives at great risk. Automobile manufacturers and government safety organizations are in a flurry trying to get ahead of any real-world attacks. High profile transportation exploits are but a sliver of the IoT world. These devices are everywhere and influence much deeper into our lives, woven into healthcare, industry, retail, manufacturing, and entertainment.
Connecting things to the Internet is the latest craze, allowing users the pleasure of remote control and monitoring of everyday devices. From cooking appliances, lights, home cameras, sports gear, electronics, sprinklers, and everything else one could image. They are becoming commonplace in homes, hospitals, office environments, stores, and all manner of vehicles. It seems that any normal device becomes even better if you can connect to it remotely. This is how we get the rapid growth of devices all communicating over the Internet. But all these machines, some as simple as a rice cooker or as complex as a Tesla, can all send information. This capability is where trouble now brews.
Over the past year, savvy hackers have seen the growth of IoT devices coupled with their apparent vulnerabilities, to be the next great resource. Designers are quick to get products out the door, but less serious about actually securing their wares. Who cares if a kitchen appliance connects to the Internet? Hackers, that’s who.
Bot-herders, as they are known, are always looking for victim machines to take over and control. In the past they typically targeted PC’s and servers. They hack the systems and install control functions which allow them to command their herd to conduct massive Distributed Denial of Service (DDoS) attacks. This pool of bots, which could exceed tens of thousands in number, then follow instructions given by their herder. By having all their soldiers flood a target site on the Internet with massive network requests, they can overwhelm sites and services to the point they cannot function. The more systems which take part, the greater the potential impact.
The problem with PC’s is they are becoming better defended every day. Anti-malware is pretty good at detecting problems and evicting botnets. IoT devices typically lack any sophisticated defenses and many are shipped with a default administrator password that can be found in online documentation.
Welcome IoT to the party. IoT devices tend to be much less defended and almost entirely unmonitored. When was the last time you inspected the outbound traffic from you home security camera, DVD, thermostat, or wireless router? If you are like most, never. How would you know if they were hacked and under the control of some cybercriminal or hacktivist? You wouldn’t. That is exactly why they are a great target. Poorly defended, always online, and almost never patched. A perfect victim. Now there will be billions of them.
Gartner predicts by 2020 more than 25 percent of attacks in enterprises will involve IoT devices. In the business world, IoT is a weak link. Spending for IoT security is expected to rise from $281 million in 2015 to $840 million by 2020.
Recent Attacks Escalate
The future is here. Simple IoT devices are being hacked in massive numbers and used as part of botnets to conduct DDoS attacks. Earlier in the year, over 25 thousand Closed Circuit Television (CCTV) cameras and Digital Video Recorder’s were controlled to attack small businesses. Over 50 thousand HTTP requests per second flooded in, for days. That is the power when you have many sources which are always online.
A popular botnet engine, LizardStresser, has expanded to embrace the power of IoT devices. LizardStresser has been used to create over 100 botnets in the past year. In July, one of those botnets was leveraged to generate attacks exceeding 400Gbps against commercial targets. They did so without amplification techniques which normally inflate attacks from a few powerful systems to be more impactful. This was an expression of raw power.
During the Olympics another IoT botnet upped the flow of malicious traffic to 540Gbps in an attempt to bring services down at the venue.
Earlier this month, the French hosting firm OVH, reported two concurrent DDoS attacks with a combined bandwidth near 1Tbps (1000 Gbps). One of the two attacks peaked at 799Gbps alone, making it the largest ever reported. According to the CTO, Octave Klaba, the attack targeted Minecraft servers hosted on OVH’s network, and the source of the attacks was 145 thousand hacked DVR’s and IP cameras.
Most recently, the renown cybersecurity researcher and reporter Brian Kreb’s site was targeted with a highly complex DDoS attack. Protected by Akamai’s web service, the attack escalated to the point it was no longer financially prudent to support Krebs as a pro-bono customer. Previously, Akamai stated the largest attack they had seen this year was 363Gbps. The attack against Kreb’s site almost doubled that amount at 620Gbps, making it the largest DDoS attack they had encountered.
Based upon the size and complexity Josh Shaul, Akamai’s vice president of Web security, told the Boston Globe “This is the worst denial-of-service attack we’ve ever seen” and added that it might be the worst in Internet history. The costs to Akamai were tremendous. Shaul stated “If this kind of thing is sustained, we’re definitely talking millions” of dollars in cyber security services.
Krebs is back online, with a new DDoS protection provider. Heavyweight Google runs a free program, Project Shield, to protect journalists from online censorship. This will be an interesting matchup. DDoS botnets, powered by a growing IoT community, against one of the most innovative and powerful Internet companies.
Let's see if the Google powerhouse can withstand the DDoS onslaught that we all know it is coming. I believe if they cannot, they will do what they do best and innovate. Nobody does Internet innovation better or with more resources, than Google. We may see new technology, protocols, and DDoS protection solutions as a result of this matchup! I am excited either way to be ringside.
A turning point for IoT security
The world of IoT security is changing, fueled by a sharp rise in the size and complexity of DDoS attacks. A new reality is emerging, where the risks are no longer limited to attackers taking over the control of devices, but rather they are also exploiting these systems to conduct extremely powerful DDoS attacks. Pointed at critical internet systems, such as banking, telecom, and government services, such attacks pose a grave risk to bring down online-capabilities people rely upon. Such power could be wielded by malicious attackers to the detriment of everyone, just by taking advantage of the billions of weak IoT devices they can get under their control.
IoT botnets will continue to rise. Right now they are easy resource to harvest. IoT device manufacturers must act now to build in better security capabilities and controls. This must start with internal prioritization and security teams who own the architecture and design, define testing parameters, and actively manage post-release issues. Otherwise these systems, massive in number, can cause global impacts not easily remedied by currently available security solutions. This may usher in the next generation of denial-of-service attacks, extortion, free-speech manipulation, and nation-state cyberwarfare tactics. The stakes are higher in this new game of IoT botnets.