If the large-scale DDoS attack that hit in October taught us anything, it’s that we face a massive amount of vulnerability with regard to internet-enabled smart devices. This “Internet of Things” (IoT) infrastructure has evolved into a wild west scenario where open protocols for device connectivity have exposed a frightening loophole in the system that hackers can easily exploit.
This raises the following questions: how did this happen, and what can we learn from this experience? Should we be rethinking our approach to device connectivity? And, more importantly, what is the likelihood that this will happen again?
How did the DDoS attack happen?
On October 21, 2016, a distributed denial of service (DDoS) attack was directed at the servers of a company called Dyn, a prominent provider of DNS services to a large contingent of big players on the internet.
The first wave hit at around 7:00am and was resolved before a second wave hit around noon. The attack was elegantly simple: flood the servers with bogus requests from millions of different sources, completely disrupting operations.
The problem with targeting an organization like Dyn is that so many other services rely on it to resolve DNS queries. According to Roland Dobbins, an engineer at Arbor Networks, as quoted in Wired Magazine, “DNS registrars typically provide authoritative DNS services for thousands or tens of thousands of domain names, and so if there is a service-impacting event the collateral damage can be very large.”
The result of the hit on Dyn’s DNS servers was that several large portals became unresponsive. The more popular sites impacted by the outage included Twitter, PayPal, Tumblr, Spotify, and Reddit.
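The dependency described above can be measured for your own zones. The following is an added example, not part of the original article: it reads NS records and reports which zones have every authoritative name server with a single provider. The records are constructed sample data, and treating the last two labels of a name server's host name as the provider is a simplifying assumption.

```python
from collections import defaultdict

# Constructed NS records in zone-file style (reserved .example names, not real data).
SAMPLE_NS_RECORDS = """\
shop.example.   3600 IN NS ns1.dns-a.example.
shop.example.   3600 IN NS ns2.dns-a.example.
api.example.    3600 IN NS ns1.dns-a.example.
api.example.    3600 IN NS ns1.dns-b.example.
blog.example.   3600 IN NS ns3.dns-a.example.
; comment lines and non-NS records are ignored
mail.example.   3600 IN NS ns1.dns-b.example.
mail.example.   3600 IN NS ns2.dns-b.example.
"""

def provider_of(nameserver):
    """Assumption: the provider is the last two labels of the NS host name."""
    labels = nameserver.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def parse_ns_records(text):
    """Return {zone: set of providers} from 'name ttl IN NS target' lines."""
    providers = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) != 5 or fields[2].upper() != "IN" or fields[3].upper() != "NS":
            continue
        zone = fields[0].rstrip(".").lower()
        providers[zone].add(provider_of(fields[4]))
    return dict(providers)

def single_provider_zones(providers):
    """Zones whose authoritative name servers all belong to one provider."""
    return sorted(zone for zone, names in providers.items() if len(names) == 1)

def blast_radius(providers):
    """Return {provider: zones that stop resolving if only that provider is down}."""
    radius = defaultdict(list)
    for zone in single_provider_zones(providers):
        (only_provider,) = providers[zone]
        radius[only_provider].append(zone)
    return dict(radius)

if __name__ == "__main__":
    report = blast_radius(parse_ns_records(SAMPLE_NS_RECORDS))
    for provider, zones in sorted(report.items()):
        print(f"{provider}: {len(zones)} zone(s) with no second provider: {zones}")
```

In practice the input would be an export of your own zones' NS records rather than the inline sample.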
DDoS and IoT Devices
The malicious attack exploited an area of weakness in the online sphere: namely, the millions of unsecured connected devices that we tend to take for granted.
Most of the key culprits were innocuous items such as routers, surveillance cameras and DVRs: anything that connects to the internet. The attackers took advantage of the lax security protocols of these devices to load malicious code onto them, enlisting them in a botnet (a network of compromised devices that drives traffic toward an intended target, in this case Dyn).
The way they were exploited was remarkably simple. The attackers set their sights on devices whose users had failed to change the default passwords. These passwords were of course well known to the hackers. In fact, as many as 15% of home routers are unsecured, leaving millions of potential access points for malicious botnets to take advantage of.
It’s estimated that by 2020, the number of internet-connected things will reach 50 billion. With so many of these IoT devices scattered across the globe, it’s easy to get frightened at the thought of so many vulnerabilities.
What is the future of IoT security?
The main initial takeaway from the Dyn DDoS attack is that we are less secure than we think due to careless connectivity habits. While billions of dollars are spent annually securing our computers and mobile devices, IoT devices are generally left out of the thought process.
Device manufacturers and those installing them clearly need to take a hard look at the vulnerabilities inherent in these devices and how they impact the overall safety of your infrastructure.
The concern with IoT devices doesn’t end with the ability to launch DDoS attacks. There are legitimate security issues that have some security experts worried, from children’s toys that allow criminals to access home networks, to bathroom scales that can reveal private information.
The good news is that both governments and industry recognize the inherent threat that unsecured devices represent. Even the auto industry has been concerned about the potential for its vehicles to be hacked and has taken steps to provide more robust security.
Case in point: Gemalto, a company that cut its teeth providing security measures for the payment card industry, will offer its Secure Element technology to car manufacturers and has plans to roll it out to other industrial sectors.
There is currently a patchwork of legislation that applies to the IoT, but there is still a ways to go. The U.S. Senate is examining the issue and is trying to strike a balance between allowing unfettered connectivity and securing vulnerable connections. It remains to be seen whether any meaningful regulations will result.
DDoS and IoT: What can we learn?
As governments and industry struggle to find a way to adequately secure the IoT, the risk of future vulnerability is a real one. In the meantime, there are several steps IT professionals can take to ensure that they are doing their part in contributing to the security of the IoT. Specifically:
- Ensuring that default device passwords are changed
- Ensuring that home and business internet networks are properly secured
- Checking that routers are being updated by internet service providers
- Becoming familiar with privacy protocols and policies associated with specific hardware and software within the IoT
Businesses can do their part by taking a few simple steps that will help to secure their devices and make them less vulnerable to malicious attacks.
And until governments and manufacturers become more fully engaged with IoT vulnerability issues, the landscape suggests that hackers will take advantage of any potential avenue to launch botnet attacks.
When you need strategic IT services to strengthen your network and tighten your security, PCM Canada has the tailored solutions and services to bolster your infrastructure. Contact us to learn how our experts can help your business thrive—safely.