Recent distributed denial of service (DDoS) attacks are forcing a shift in how we think about the Internet of Things (IoT). The dangers are expanding as attackers are taking advantage of billions of IoT devices, conscripting them into their botnet armies for massive DDoS attacks.
Nontraditional risks
The estimates vary, but they suggest between 20 billion and 30 billion of these systems will be connected by 2020. With the explosive rise of IoT, the focus has been primarily on hackers taking over devices and controlling them. Many of the risks highlighted in the past year have been in the transportation sector: cars being hacked and control surfaces such as brakes, steering, and acceleration compromised. The prospect of exploitable vehicles, under the command of others, is a scary proposition. Security researchers are showing what risks are possible. Such real-world attacks put people’s lives at great risk. Automobile manufacturers and government safety organizations are working fast to get ahead of any real-world attacks. High-profile transportation exploits are but a sliver of the IoT world. These devices are everywhere and deeply influence our lives, as they are woven into health care, industry, retail, manufacturing, and entertainment.
Connecting things to the Internet is the latest craze, allowing users the pleasure of remote control and monitoring of everyday devices: cooking appliances, lights, home cameras, sports gear, electronics, sprinklers, and anything else one could imagine. They are becoming commonplace in homes, hospitals, office environments, stores, and all manner of vehicles. It seems that any normal device becomes even better if you can remotely connect to it. This is how we get the rapid growth of devices communicating over the Internet. But all these machines, some as simple as a rice cooker and some as complex as a Tesla, can send information. This capability is where trouble now brews.
During the past year, savvy hackers have come to see the growth of IoT devices, coupled with their apparent vulnerabilities, as the next great opportunity. Designers are quick to get products out the door, but less serious about actually securing their wares. Who cares if a kitchen appliance connects to the Internet? Hackers, that’s who.
Bot herders, as they are known, are always looking for machines to take over and control. In the past they typically targeted PCs and servers. They hack the systems and install control functions that allow them to command their herd and conduct massive DDoS attacks. This pool of bots, which could exceed tens of thousands in number, follows instructions given by its herder. By having the entire herd stampede a targeted site with massive network requests, they can overwhelm sites and services to the breaking point. The more systems that take part, the greater the potential impact.
The problem, for hackers, with PCs is that they are becoming better defended every day. Antimalware tools are pretty good at detecting problems and evicting botnets. IoT devices typically lack any sophisticated defenses; many are shipped with a default administrator password that can be found in online documentation.
Welcome to the party, IoT. IoT devices tend to be much less defended and almost entirely unmonitored. When was the last time you inspected the outbound traffic from your home security camera, DVD, thermostat, or wireless router? If you are like most folks, never. How would you know if they were hacked and under the control of some cybercriminal or hacktivist? You wouldn’t. That is exactly why they are a great target. Poorly defended, always online, and almost never patched. Perfect victims. Soon there will be billions of them.
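What inspecting that outbound traffic could look like, as an added example that is not part of the original article: it compares each device's flow records against the destinations it normally talks to and flags sustained traffic to anything else. The device names, addresses, record format and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Known-good destinations per device, learned during a quiet period (assumed).
BASELINE = {
    "camera": {"203.0.113.10"},
    "thermostat": {"203.0.113.20"},
}

# Constructed flow records: (second, device, destination IP, requests sent).
FLOWS = (
    [(t, "camera", "203.0.113.10", 1) for t in range(0, 40, 10)]      # vendor heartbeat
    + [(t, "camera", "198.51.100.7", 2) for t in range(10)]           # steady stream to a new host
    + [(t, "thermostat", "203.0.113.20", 1) for t in range(0, 40, 20)]
    + [(5, "thermostat", "192.0.2.55", 1)]                            # one-off lookup
)


def suspect_flows(flows, baseline, min_active_seconds=5, min_rate=1.0):
    """Return (device, destination, requests/second) for sustained traffic
    to destinations that are not in the device's baseline."""
    active = defaultdict(set)   # (device, dst) -> seconds in which traffic was seen
    total = defaultdict(int)    # (device, dst) -> requests sent
    for second, device, dst, requests in flows:
        if dst in baseline.get(device, set()):
            continue            # expected destination, e.g. the vendor cloud
        active[(device, dst)].add(second)
        total[(device, dst)] += requests

    alerts = []
    for (device, dst), seconds in active.items():
        span = max(seconds) - min(seconds) + 1
        rate = total[(device, dst)] / span
        # The rate floor is deliberately low: a flood spread over thousands of
        # devices needs only a few requests per second from each one.
        if len(seconds) >= min_active_seconds and rate >= min_rate:
            alerts.append((device, dst, round(rate, 2)))
    return sorted(alerts)


if __name__ == "__main__":
    for device, dst, rate in suspect_flows(FLOWS, BASELINE):
        print(f"{device}: sustained {rate} req/s to unfamiliar host {dst}")
```

A device with no baseline entry has every destination treated as unfamiliar, so newly added devices are checked from their first flow.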
Gartner predicts that by 2020 more than 25% of attacks in enterprises will involve IoT devices. In the business world, IoT is a weak link. Spending for IoT security is expected to rise to $840 million by 2020 from $281 million in 2015.
Recent attacks escalate
The future is already here. Simple IoT devices are being hacked in massive numbers and used as part of botnets to conduct DDoS attacks. Earlier in the year, more than 25,000 closed circuit television cameras and digital video recorders were controlled to attack small businesses. More than 50,000 HTTP requests per second flooded in, for days. That is the power of having many sources which are always online.
A popular botnet engine, LizardStresser, has expanded to embrace the power of IoT devices. LizardStresser has been used to create more than 100 botnets in the past year. In July, one of those botnets was leveraged to generate attacks exceeding 400Gbps against commercial targets. They did so without amplification techniques, which normally inflate attacks from a few powerful systems to be more impactful. This was an expression of raw power.
During the Olympics another IoT botnet upped the flow of malicious traffic to 540Gbps in an attempt to bring down services at the venue.
Earlier this month, the French hosting firm OVH reported two concurrent DDoS attacks with a combined bandwidth near 1Tbps (1,000 Gbps). One of the two attacks peaked at 799Gbps, making it the largest ever reported. According to the CTO, Octave Klaba, the attack targeted Minecraft servers hosted on OVH’s network, and the source of the attacks was 145,000 hacked DVRs and IP cameras.
Most recently, the site of renowned cybersecurity researcher and reporter Brian Krebs was targeted with a highly complex DDoS attack. The attack escalated to the point that Akamai’s web service felt it was no longer financially prudent to support Krebs as a pro-bono customer. Previously, Akamai stated the largest attack they had seen this year was 363Gbps. The attack against Krebs’ site almost doubled that amount at 620Gbps, making it the largest DDoS attack Akamai had encountered.
Based upon the attack’s size and complexity, Josh Shaul, Akamai’s vice president of Web security, told the Boston Globe “this is the worst denial of service attack we’ve ever seen” and added that it might be the worst in Internet history. The costs to Akamai were tremendous. Shaul said “if this kind of thing is sustained, we’re definitely talking millions” of dollars in required cybersecurity services.
Krebs is back online, with a new DDoS protection provider. Heavyweight Google runs a free program, Project Shield, to protect journalists from online censorship. This will pose an interesting match-up: DDoS botnets, powered by a growing IoT community, against one of the most innovative and powerful Internet companies.
Let’s see if the Google powerhouse can withstand the DDoS onslaught that we all know is coming. I believe if they cannot, they will do what they do best and innovate. Nobody does Internet innovation better or with more resources than Google. We may see new technology, protocols, and DDoS protection solutions as a result of this struggle. I am excited either way to sit ringside.
A turning point for IoT security
The world of IoT security is changing, fueled by a sharp rise in the size and complexity of DDoS attacks. A new reality is emerging, in which the risks are no longer limited to attackers taking control of devices, but also include attackers exploiting these systems to conduct extremely powerful DDoS attacks. Pointed at critical systems such as banking, telecom, and government services, these attacks pose a grave risk to online capabilities that people rely upon. Such power could be wielded by malicious attackers to the detriment of everyone, just by taking advantage of the billions of weak IoT devices they can get under their control.
IoT botnets will continue to rise. Right now they are an easy resource to harvest. IoT device manufacturers must act now to build in better security capabilities and controls. This must start with internal prioritization and security teams who own the architecture and design, define testing parameters, and actively manage post-release issues. Otherwise these systems, massive in number, can cause global impacts not easily remedied by currently available security solutions. This era may usher in the next generation of DoS attacks, extortion, free-speech manipulation, and nation-state cyberwarfare tactics. The stakes are higher in this new game of IoT botnets.
Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.