IoT DDoS – When Will We Learn?

IoT DDoS – When Will We Learn?

In late September and late October 2016 two massive distributed denial-of-service (DDoS) attacks successfully targeted and impacted the operations of their targets. In the October DDoS against Dyn, a cloud-based Internet Performance Management company, several high profile organizational websites (Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, to name a few ) for a substantial part of the day. While Dyn was ultimately able to mitigate the three-wave attack, it did impact users’ abilities to access these sites.

In both instances, attackers took advantage of generally insecure Internet of Things (IoT) devices and harnessed the volume to create large botnets able to launch substantial DDoS attacks. These are not the only two instances in which enterprising criminals sought to leverage IoT in fulfillment of their activities. Both in September and June 2016, IoT devices such as home routers and closed circuit television cameras were used to proliferate the attacks. This is very disconcerting given the fact that IoT as an industry is becoming a foregone conclusion and that more and more of these devices are being produced, marketed, and injected into our daily existences. Unsurprisingly, this is a market expected to continue to grow and is frequently cited as a top trend according to some sources.

On one hand, the IoT is an escapable foregone conclusion: the more products and devices are upgraded with technologies, the more IoT makes its presence known in our lives. Indeed during 2015, the IoT gained significant traction and momentum across a range of industries, a trend that is expected to continue for the foreseeable future. According to one source, the manufacturing ($165 billion) and transportation ($78 billion) sectors led the word in IoT spending in 2015 with insurance, healthcare, and consumer verticals estimated to quickly catch up.

With more devices coming online in the era of the Internet of Things, what’s disconcerting is the fact that any device can be leveraged to conduct such attacks. Moreover, there is currently not a way to monitor the various IoT items that are Internet accessible, thereby making any seemingly benign device a potential collaborative aide for hostile actors. What the Dyn attack and the Mirai before that has demonstrated is that even the most seemingly benign devices can be harnessed to inflict a specific effect. What’s more, the Dyn incident shows that it is not necessary for hostile actors to go after high profile organizations’ websites, but applying a “works smarter not harder” ethic, try and determine if a third party company is in charge of managing several websites and going after it.

However, the problem in trying to address security in IoT may be easier said than done. Industries within that space need to collectively come up with standards and regulations and compliance measures. This is no easy hurdle to be sure. But despite the seemingly daunting challenges these few initiatives face, to do nothing is nothing short of negligent in this day and age where breaches are getting larger with more and more data being compromised and put at risk. As we move to the end of 2016, what has been evident is that trying to address security after the fact has proven a largely ineffective endeavor. With an approximate number of IoT devices in all industries estimated at 6.4 billion by the end of this year, by the time any progress is made in “catching up” will likely be wasted with newer technologies being produced, and older legacy ones no longer being supported.

As the adage implies, “if you don’t learn from history you are destined to repeat it,” so our high information technology existences eagerly seek to provide the latest devices to be incorporated into our lives without giving a thought to have to secure it; or as consumers, how the public writ large can ensure the security of the devices in their homes. Regardless of the amount of cyber breaches resulting in the loss of millions of sensitive financial or personal records that have garnered significant global attention, convenience and ease of use still appears to champion the fundamental aspects of information security – maintaining confidentiality, integrity, and availability of the information systems and the information resident on them. IoT should be more than just the next evolution in better streamlining our experiences and workflows; it needs to provide better protection to instill confidence in the very technology that is trying so desperately to improve our lives.

This is a guest post written by Emilio Iasiello.

Tags: , , ,