Recent Internet attacks left popular sites such as Twitter, Etsy, Spotify, Airbnb, GitHub, and the New York Times unreachable. These incidents have brought to light a new threat to online services: Internet of Things (IoT) botnets. Distributed Denial of Service (DDoS) attacks have been commonplace for over a decade but have rarely been too troublesome. For the past several years, network providers’ security services have been able to absorb such attacks to keep online properties available. But the game has now changed.
In essence, when a number of devices can be controlled to simultaneously flood a destination with network requests, the target becomes overloaded and legitimate requests cannot be processed. Traditional network filters are smart enough to recognize a handful of systems attempting this malicious behavior and simply drop all requests from them. But when thousands of different systems mount an attack, the normal filters fail to distinguish legitimate from malicious traffic and the availability of the system crumbles.
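The failure mode described above, as an added illustration that is not part of the original article: a per-source rate filter applied to one second of constructed traffic. The service capacity, rate limit, client counts and source names are assumptions chosen for the example.

```python
from collections import Counter

# All values below are assumptions for this illustration.
CAPACITY = 1000        # requests/second the hypothetical service can process
PER_SOURCE_LIMIT = 50  # a source sending more than this per second is dropped
LEGIT_CLIENTS = 200    # constructed legitimate clients
LEGIT_RATE = 2         # requests/second sent by each legitimate client


def build_window(attackers, rate_per_attacker):
    """Return one second of constructed traffic as {source: request count}."""
    window = Counter()
    for i in range(LEGIT_CLIENTS):
        window[f"client-{i}"] = LEGIT_RATE
    for i in range(attackers):
        window[f"bot-{i}"] = rate_per_attacker
    return window


def per_source_filter(window, limit=PER_SOURCE_LIMIT):
    """Keep only the sources whose request rate is at or below the limit."""
    return Counter({src: n for src, n in window.items() if n <= limit})


def evaluate(attackers, rate_per_attacker):
    """Apply the filter and report what reaches the service afterwards."""
    window = build_window(attackers, rate_per_attacker)
    passed = per_source_filter(window)
    load = sum(passed.values())
    bots_blocked = sum(
        1 for src in window if src.startswith("bot-") and src not in passed
    )
    # Above capacity, assume requests are served in proportion to capacity.
    served = min(1.0, CAPACITY / load) if load else 1.0
    return {
        "bots_blocked": bots_blocked,
        "load_after_filter": load,
        "legit_served_fraction": round(served, 3),
    }


if __name__ == "__main__":
    # A handful of loud sources: each one crosses the limit and is dropped.
    print("few sources :", evaluate(attackers=10, rate_per_attacker=5000))
    # Many quiet sources: each looks like a normal client, so none is dropped.
    print("many sources:", evaluate(attackers=20000, rate_per_attacker=3))
```

In the second case every bot stays under the per-source limit, so the filter passes all of the traffic and the service is left to handle roughly sixty times its capacity.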
Cybercriminals and hacktivists have found a new weapon in this war: the Internet of Things (IoT). Billions of IoT devices currently exist, and they can be as small as a piece of jewelry or larger than a tractor. They all have one thing in common: they connect to the Internet. This has tremendous benefits, as people can monitor their home with cameras from afar, check the contents of their refrigerator while at the store, and do a myriad of other great things with these connected gadgets. We cannot forget, however, that these are just tools. They can be wielded for good or employed for malice. To hackers, each one of these devices is a potential robotic soldier, which they might be able to recruit into their bot-army.
The most recent attack, against a major DNS provider, has highlighted this very fact to millions of Internet users. Botnets containing tens or hundreds of thousands of hijacked IoT devices can bring down major pieces of our beloved Internet. There is a lot of hype, fear, and speculation bubbling out of the shadows. We are at a tipping point. IoT devices now represent a new and formidable threat. The next few months will be telling. For now, let us cut through the hype and understand the important aspects of recent IoT DDoS attacks.
Here are 5 things you should know about the recent IoT attacks:
- Insecure IoT devices pose new risks for everyone. Every IoT device that can be hacked is another soldier in a botnet army which could be used to bring down important parts of the Internet. Such attacks can interfere with your favorite sites for streaming, social media, online shopping, banking, etc. If you own such weak or poorly configured devices, then you could be contributing to the problem.
- IoT devices are valuable to hackers and they won’t give them up without a fight. Although these attacks, with malware like the Mirai botnets, are simple in nature, they will evolve as quickly as they need to for the attackers to remain in control. IoT devices are hugely valuable to hackers, as they empower them to conduct devastating DDoS attacks with little effort.
- DDoS attacks from IoT devices are severe and tough to defend against. Identifying and filtering out attacks from a handful of systems is easy. When faced with tens or hundreds of thousands, it is nearly impossible. The amount of resources needed to fend off an attack is tremendous and costly. A recent attack that aimed to knock Brian Krebs’s security-reporting site offline led Akamai’s vice president of web security to state, “If this kind of thing is sustained, we’re definitely talking millions” of dollars in cyber security services to keep the site available. That is powerful. Do not expect attackers to give up easily. These always-connected devices are perfect for DDoS botnets.
- Cybercriminals and hacktivists are driving these attacks. There is speculation and fear that nation states are behind the latest string of attacks. That is highly unlikely. The authors of Mirai, one of hundreds of botnets, voluntarily released the code to the public, something a professional government offensive team would never do purposefully. However, it is a good bet that after witnessing how powerful IoT botnets are, nation states are probably working on similar strategies but with much more advanced capabilities. In the short term, cybercriminals and hacktivists will remain the main culprits of these attacks. Over the next few months, expect criminals to find angles from which they can make a financial profit, like extortion.
- It will get worse before it gets better. Unfortunately, most IoT devices deployed to date lack strong security defenses. The ones being hacked now are the easiest, with default passwords that are published for anyone to look up. Hacker software simply connects and logs into the device, unless the owner has gone out of their way to change the default password. Unsurprisingly, most have not taken this important step. Instantly, the attackers have another soldier to do their bidding. In order for this situation to get better, several aspects must be addressed. Devices must be designed with security in mind, configured properly, and managed to keep security updated. This will take both technical and behavioral changes in the long run to keep pace with evolving hackers.
To learn more, read How to Secure the Future of IoT.
Hacking IoT devices is now a problem for everyone. Due to the ease of compromise and massive numbers of IoT devices which are connected to the Internet, cybercriminals and hacktivists have a vast resource to fuel powerful DDoS campaigns. We are just starting to see the attacks and issues around IoT security. It will continue to be a problem until more comprehensive controls and behaviors make us all more secure.