The recent Dyn server DDoS attack using a botnet of cameras and other devices points to a growing security problem with the IoT. The attack exploited known vulnerabilities in common internet-connected devices such as cameras, watches, and lighting systems. Taking down a few popular websites was an important warning on network and device vulnerabilities. But this also draws attention to a much more significant issue: What happens when devices become intelligent and autonomous? Without adequate attention to security beginning in the earliest stages of device development, and without security standards, security issues could easily develop beyond our capacity to control them.
Currently, devices tend to have less processing capability and lack adequate security measures. Consumers tend to leave them unprotected. These defects make it possible to create attack systems using thousands of devices. But these attacks are part of a larger problem:
- The growing availability of attack software. Shortly after the online attack on Dyn using the Mirai software, Mirai was released to the public domain, making it possible for less sophisticated hackers to create effective DDoS attacks using devices. Mirai itself incorporates concepts from predecessors such as LizardStresser, which used a botnet of home routers. These and similar programs are now evolving to create new threats.
- The increasing sophistication of DDoS attacks, and the ability to project damaging outcomes using relatively unsophisticated software. Large-scale DDoS attacks are growing with available software and bandwidth. According to Akamai’s most recent State of the Internet Security Report, the first quarter of 2016 marked an all-time high in the number of attacks peaking at more than 100 Gbps.
- The proliferation of devices for popular use, with no effective standards in place for security. Device makers need to respond rapidly to a growing market for consumer devices and security is often an afterthought. Gartner forecasts that 6.4 billion connected things will be in use worldwide in 2016, reaching 11.4 billion by 2018.
- The failure of consumers, businesses, and device manufacturers to emphasize security in the release and installation of internet-connected devices. Devices using default passwords continue to offer the greatest vulnerability to attack.
IoT DDoS attacks are only the beginning of a new and more complex cyber threat environment. Symantec’s 2016 Internet Security Threat Report describes multiple vulnerabilities in 50 commercially available devices, including a ‘smart’ door lock that could be opened remotely online without a password; vulnerabilities in medical devices such as insulin pumps, x-ray systems, CT-scanners, medical refrigerators, and implantable defibrillators; vulnerabilities in Internet-connected TVs; and connection vulnerabilities in thousands of everyday devices, including routers, webcams, and Internet phones, due to networking issues. This is before even considering industrial controls and devices that can be used in complex compound attacks.
At the moment, the chief concerns are with the potential for havoc with networks. The Spiceworks 2016 IoT Trends survey of 440 IT professionals found the top security concerns to include the fact that IoT devices create more entry points into the network (84%) and that IoT manufacturers aren’t implementing sufficient security measures (about 75%). Proliferation of network entry points creates potential for dangerous backdoors, and unsecured devices provide unlimited opportunity for intrusion. While a DDoS attack requires control of thousands of devices, a network break-in requires only one.
As devices get smarter, the dynamics are likely to change and issues will become more serious. Potential for more botnet attacks using strategies well beyond DDoS certainly exists. The range of vulnerabilities will inevitably involve Industrial Control Systems (ICS), as well as an increasing range of autonomous vehicles and robots.
At the present time, the security issues are manageable. Reviewing vulnerabilities in this area and ensuring adequate measures are in place is the best place to start. It is important to consider security usage, device access, and network isolation of devices that might be easily compromised. Device management policies need to be in effect, and need to be constantly adjusted to growing threats. We are beginning to see use of big data and machine learning as a part of the solution, but this needs to be incorporated in a comprehensive program that also focuses upon security awareness and vigilance.
The IoT remains loosely defined, and is growing to include an increasing variety of things, both for consumers and for industry. This can increase confusion regarding possible security issues. Devices include the personal items of which we are all aware, but they also include routers and modems, network equipment, autonomous systems, equipment, and Industrial Control Systems. Each type of device brings its own security threat, and each unsecured device is a potential recruit to a botnet device brigade. It is important to consider carefully how devices will interact with your business and personal life.
Device makers need to consider security issues from the earliest stages of development, and better standards need to be put in place to ensure that more complex devices do not become a new problem for our increasingly complex networks of connected things.
The latest attacks point to the growing threat from connected devices. But DDoS attacks are the tip of the iceberg. There are direct physical threats to automobile and home systems developing as well. The IoT must be secured; this is of growing importance to business, government, and the individual consumer.