Concerns around internet-of-things security are not new. The Federal Trade Commission has held a workshop on the issue. A collection of global data protection regulators have spent a year conducting a global sweep of connected devices, finding many fall short on privacy. The Department of Commerce’s newest self-regulatory initiative focuses on security upgradability and patching. The Online Trust Alliance recently found that 100 percent of recently reported IoT vulnerabilities were avoidable. There are nonprofits dedicated to the security of IoT devices.
Much of the thinking around securing such devices has revolved around preventing personal data leakage (think: unprotected webcams), remotely patching security vulnerabilities, or preventing device hijacking. All of these issues are serious and must be addressed by companies offering related products.
But late last week, a new reality reared its ugly head and is just as concerning: IoT-fueled, DDoS zombie armies.
Like IoT devices, DDoS – or distributed denial of service – attacks are nothing new. But put them together, and we have a serious issue.
That threat was demonstrated late last week by the takedown of well-known infosecurity website KrebsOnSecurity. Run by investigative reporter Brian Krebs, the site has faced some of the strongest and most advanced DDoS attacks ever measured. (The attacks have grown even stronger since the original writing of this blog post.)
According to Akamai, a security company that had provided Krebs with pro bono protection until these attacks forced it to back away, the site faced 620 Gbps attacks – meaning 620 gigabits of data being sent to Krebs' server per second, an attack that was twice the size of any attack Akamai had witnessed before. With such strength and longevity, the company had to pull away from protecting the site as it was costing too much and affecting its paying customers. And though Google stepped in by offering Krebs its Project Shield service – a project designed to protect news sites from digital attacks – a disturbing reality is here.
IoT devices are massively increasing the strength of DDoS attacks.
By Monday afternoon, Krebs was back online. That’s great news, of course, but is a clear harbinger of the threats that are emerging and the challenges websites – and not only news sites – will face. Just imagine such DDoS attacks on government or e-commerce sites. It will likely happen.
Krebs, rightly and naturally, focuses on what he calls the “democratization of censorship,” noting that such powerful DDoS attacks can be run by any Joe Schmo to stomp on free speech. This has the makings of a trolls-on-steroids paradigm shift. Just think, any semi-sophisticated ne'er-do-well with an ax to grind could single-handedly take down your site and dip into your bottom line.
The powerful DDoS attack on Krebs appears to have used a large number of hacked IoT devices, particularly routers, IP cameras and digital video recorders. These internet-connected devices tend to be cheap and protected with weak passwords.
Mitigating such massive enslavement of IoT devices will take a concerted effort from multiple industries. Krebs points out the role internet service providers must play at the platform level, including the need to implement the so-called BCP38 standard (for more on this, check out Krebs’ detailed explanation mid-way down here).
It’s not just up to ISPs to help fix this issue, though. IoT device manufacturers, programmers and developers all have a role to play as well. According to a new report from Symantec, DDoS attacks via IoT devices are on the rise, many of which infect Linux-based firmware commonly used in embedded and IoT devices. Symantec’s report also reveals that most of the vulnerabilities in these embedded systems derive from a “lack of basic security controls. Attackers typically scan the internet for devices with open Telnet or SSH ports and try to log-in with default administrative credentials.”
Boom. An IoT zombie botnet is at hand.
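As an added illustration (not part of the original post or of Symantec's report), the login pattern Symantec describes can be spotted from the defender's side in a device's own SSH log. The default-account watch-list, the threshold and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed watch-list of factory-default account names; adjust to your fleet.
DEFAULT_USERS = {"root", "admin", "support", "guest", "user", "ubnt"}

# OpenSSH sshd auth messages for failed or accepted password logins.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_default_credential_sweeps(lines, min_users=3):
    """Return {ip: {"tried": [...], "succeeded": [...]}} for sources that
    tried >= min_users default accounts, or logged in as any one of them."""
    tried = defaultdict(set)
    succeeded = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["user"] not in DEFAULT_USERS:
            continue  # not a password login, or not a default account
        tried[m["ip"]].add(m["user"])
        if m["result"] == "Accepted":
            succeeded[m["ip"]].add(m["user"])
    return {
        ip: {"tried": sorted(users), "succeeded": sorted(succeeded[ip])}
        for ip, users in tried.items()
        if len(users) >= min_users or succeeded[ip]
    }

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
Sep 26 03:11:02 cam01 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Sep 26 03:11:03 cam01 sshd[811]: Failed password for invalid user support from 203.0.113.7 port 40113 ssh2
Sep 26 03:11:04 cam01 sshd[812]: Failed password for invalid user guest from 203.0.113.7 port 40120 ssh2
Sep 26 03:11:05 cam01 sshd[812]: Failed password for admin from 203.0.113.7 port 40125 ssh2
Sep 26 03:11:06 cam01 sshd[813]: Accepted password for admin from 203.0.113.7 port 40131 ssh2
Sep 26 08:40:10 cam01 sshd[901]: Failed password for alice from 198.51.100.20 port 51514 ssh2
Sep 26 08:40:19 cam01 sshd[901]: Accepted password for alice from 198.51.100.20 port 51514 ssh2
Sep 26 09:02:44 cam01 sshd[950]: Failed password for root from 192.0.2.33 port 60001 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, hit in find_default_credential_sweeps(SAMPLE_LOG).items():
        print(ip, hit)
```

A non-empty `succeeded` list is the finding to act on first: a default account on the device accepted a password login from a source that was cycling through default account names.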
A couple of weeks ago, security researcher Bruce Schneier posted a piece called "Someone Is Learning How to Take Down the Internet." He discusses the rise of sophisticated DDoS attacks on some of the world’s most advanced tech companies. Though he remained mum on exactly what companies were facing rising DDoS attacks, he hints that such attacks are the work of nation-states – perhaps China or Russia – in a geopolitical attempt to test what it would take to dismantle U.S. critical infrastructure.
But it’s also important to realize, as Krebs points out, that insecure IoT devices make it easy for anyone with a little technical know-how to wreak significant havoc.
True, much of the solution will rely on a concerted effort across industries, but there are little things companies can do to stymie enslaved IoT armies. Build more controls into products, make consumers aware of the privacy and security issues with each device – yes, even the small, seemingly insignificant ones! – and take part in initiatives like the one about to get underway with the DoC’s National Telecommunications and Information Administration multistakeholder process on IoT security upgradability and patching. The first meeting will be held on October 19, in conjunction with the Consumer Technology Association’s Technology & Standards Forum.
I’m sure there are many more initiatives underway. I’d love to hear about them, so please share them below in the comments section, or drop me a line via email.
The internet is allowing for amazing innovation and profits, but if we’re not careful, much of what is great about the internet and all our innovations could come tumbling down.
Update: October 3, 2016: An earlier version mistakenly said "gigabytes" instead of "gigabits."