What do security analyst Brian Krebs, French hosting giant OVH and famous gaming company Blizzard have in common? They’ve all been the recent victims of massive Distributed Denial of Service (DDoS) attacks, assaults that disable online services by suffocating them with automated requests. Krebs’ blog was brought down by an unprecedented 620 Gbps flood, OVH was hit by a 1.1 Tbps flood, and Blizzard’s Battle.net service went offline after a sizeable DDoS hit its servers.
While DDoS is nothing new, attacks of this magnitude are, and what’s making them possible are IoT botnets, armies of compromised Internet of Things devices doing the bidding of malicious actors. This means that any connected devices from CCTV cameras installed in streets to a harmless coffee machine sitting in your home can be secretly involved in attacking websites and servers.
Why the shift to IoT?
Previously, malicious hackers formed their botnets with more conventional computing devices such as laptops and desktop workstations. But more recently, IoT devices have become a much more attractive target for “bot herders,” as botnet owners are dubbed. There are several reasons for this shift of interest.
“The sheer number of (ever expanding) IoT devices available to be recruited into a botnet is of great significance,” says Sean Sullivan, Security Advisor at F-Secure Labs. “Most homes will only have a few computers at most. But it’s easily possible to have a dozen or more IP-based devices that can be utilized in a DDoS botnet.”
According to Gartner, more than 6 billion “things” will be connected to the Internet by the end of 2016, a figure that will rise above 20 billion by 2020. And a huge percentage of those devices are suffering from security vulnerabilities.
“Unlike personal computers or servers, most IoT devices are not well protected — or even protected at all,” says Igal Zeifman, a senior manager at cybersecurity firm Imperva Incapsula.
For the most part, IoT devices lack the resources needed to protect themselves against botnet malware. Many do not have the capacity to run antimalware solutions, while others run entirely on firmware and have no full operating system that could host one, which makes it much easier for bot herders to find and net them.
“Vulnerabilities in the firmware can be exploited and botnet harvesters can script the process of hunting and collecting devices,” Sullivan says. Once a vulnerability is found in a particular type of device, all it takes is a quick query on Shodan to find thousands of potential conscripts for a botnet.
And when it comes to patching vulnerabilities, manufacturers are very slow to react. “Vendors often don’t have incentives to continuously support the security of IoT devices that are meant to be plug-and-play, set-and-forget,” Sullivan adds.
“IoT devices are generally cost optimized,” says Dave Larson, COO of Corero Network Security, “which is a polite way of saying that security is an afterthought. Furthermore, in the residential space, the average user is incapable or uninterested in security and may never apply an upgrade or security patch to the device. So if an IoT device ships with an exploitable vulnerability, it will likely remain vulnerable throughout its lifecycle.”
The fact that the majority of end users will never change factory default settings only makes things worse. In fact, bot herders often won’t need to dig out vulnerabilities in the devices they target. “In nine out of ten cases, IoT devices are made vulnerable through negligence,” Zeifman stresses, referring to previous reports by Incapsula that showed huge numbers of IoT devices were compromised because their owners didn’t change the default login credentials, allowing hackers to break in with ease.
And since the compromised devices are not the direct target of attacks but rather the tool attackers use to commit their cybercrimes, owners are unlikely to notice that their IoT ecosystem is complicit in a DDoS attack. “People don’t monitor their home networks for such network traffic,” Sullivan says.
Meanwhile, Zeifman warns, many of these devices, such as CCTV cameras and SOHO routers, have untethered access to broadband Internet connections, which makes them particularly suitable for DDoS attacks. “This combination of advanced computing capabilities, high connectivity, and lackluster security makes IoT devices perfect candidates for botnets.”
As a matter of fact, according to sources familiar with the recent spate of DDoS attacks, the botnets that staged them were made up of tens of thousands of unsecured routers, digital video recorders (DVRs), and connected IP cameras.
What needs to be done?
As the trends show, DDoS attacks based on IoT botnets will only grow in future months, and it will take a collective effort to mitigate the threat.
At the manufacturer level, security must become an integrated part of the product development lifecycle. Security updates and fixes must be rolled out periodically after products are shipped, and they must be delivered in an automated and secure way so they don’t disenchant and befuddle users. This is not something that current business models support, F-Secure’s Sullivan says.
But Sullivan also says consumers are as much to blame as manufacturers for the lack of IoT security. Aside from their lack of security hygiene, “people want low prices,” Sullivan says. “They are often unwilling to pay for ongoing security development even if it is an option.” Until consumers demand that security is embedded into the hardware development life cycle, manufacturers will feel no pressure to change their methods.
But some devices will nonetheless remain vulnerable due to their limited storage and compute resources. That’s why, aside from being addressed at the device level, IoT security needs to be dealt with at the network level, Sullivan suggests, a goal that can be accomplished with a new generation of smarter routers that can monitor inbound, outbound, and inter-device connections in home networks and can identify and isolate malicious traffic and compromised devices.
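The kind of network-level check such a router could run, as an added illustration that is not code from the article or from any vendor quoted in it: it aggregates constructed per-minute outbound flow records from a home LAN, flags a device that pushes a packet flood toward a single external host (the signature of a DDoS participant rather than normal browsing), and produces a firewall rule that isolates it from the WAN. The LAN range, thresholds and sample flows are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed home LAN; traffic between two LAN hosts never leaves the network.
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")

# Constructed flow records, one minute each: (device_ip, dst_ip, dst_port, packets).
SAMPLE_FLOWS = [
    ("192.168.1.10", "198.51.100.10", 443, 120),   # laptop browsing
    ("192.168.1.10", "198.51.100.11", 443, 80),
    ("192.168.1.20", "203.0.113.5", 80, 48000),     # IP camera flooding one host
    ("192.168.1.20", "203.0.113.5", 443, 51000),
    ("192.168.1.30", "192.0.2.53", 53, 30),         # DVR doing ordinary DNS lookups
    ("192.168.1.30", "192.168.1.20", 554, 200),     # DVR pulling video from the camera
]


def summarize_outbound(flows, lan=LAN_NETWORK):
    """Count packets leaving the LAN, per device and per (device, destination)."""
    per_device = defaultdict(int)
    per_dest = defaultdict(int)
    for dev, dst, _port, pkts in flows:
        if ipaddress.ip_address(dst) in lan:
            continue  # inter-device traffic stays inside the home network
        per_device[dev] += pkts
        per_dest[(dev, dst)] += pkts
    return per_device, per_dest


def find_suspect_devices(flows, window_seconds=60, pps_threshold=1000, concentration=0.9):
    """Flag devices whose outbound traffic is a high-rate flood aimed at one destination.

    Both conditions must hold: the packet rate toward the destination exceeds
    pps_threshold, and that destination accounts for at least `concentration`
    of everything the device sends out. Returns {device_ip: destination_ip}.
    """
    per_device, per_dest = summarize_outbound(flows)
    suspects = {}
    for (dev, dst), pkts in per_dest.items():
        rate = pkts / window_seconds
        share = pkts / per_device[dev]
        if rate >= pps_threshold and share >= concentration:
            suspects[dev] = dst
    return suspects


def isolation_rules(suspects):
    """Turn findings into iptables rules that stop forwarding the device's traffic."""
    return [f"iptables -I FORWARD -s {dev} -j DROP" for dev in sorted(suspects)]
```

Thresholds this crude would be tuned per device class in practice; the point is that a DDoS bot's outbound profile (one destination, thousands of packets per second) looks nothing like a camera's or DVR's normal traffic.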
ISPs have an important role to play as well. They must have sufficient visibility into the Internet traffic that is both leaving and entering their networks to identify and block DDoS activity. “Numerous ISPs haven’t implemented security protocols that would limit the power of reflection attacks,” Sullivan says. “IoT bots are therefore able to spoof their target, which causes servers to get involved, amplifying attacks. ISPs need to be nudged to adopt more secure protocols.”
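The anti-spoofing control Sullivan alludes to is source address validation at the ISP's customer-facing edge (BCP 38 ingress filtering): a customer port may only originate packets whose source address belongs to the prefixes delegated to that customer, so a bot cannot forge the victim's address and have reflectors amplify replies onto it. The following is an added model of that check, not code from the article or any ISP; the prefixes and packet headers are constructed.

```python
import ipaddress
from collections import Counter

# Constructed: address blocks the ISP has delegated to the customer on this access port.
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:10::/48")]

# Constructed packets arriving from the customer side: (src_ip, dst_ip, dst_port).
# The forged sources carry the address of the intended DDoS victim, so any reply from
# the contacted DNS/NTP server would land on the victim rather than on the sender.
SAMPLE_PACKETS = [
    ("203.0.113.20", "192.0.2.10", 53),              # legitimate DNS query
    ("198.51.100.9", "192.0.2.123", 123),            # source forged as the victim, aimed at NTP
    ("198.51.100.9", "192.0.2.10", 53),              # same forged source, aimed at DNS
    ("2001:db8:10::5", "2001:db8:ffff::53", 53),     # legitimate IPv6 query
    ("2001:db8:ffff::9", "2001:db8:ffff::53", 53),   # forged IPv6 source
]


def source_is_valid(src_ip, prefixes=CUSTOMER_PREFIXES):
    """BCP 38 check: accept only sources inside the customer's own prefixes.

    ipaddress handles the address-family mismatch itself: an IPv4 address is
    never 'in' an IPv6 network and vice versa.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in prefixes)


def filter_ingress(packets, prefixes=CUSTOMER_PREFIXES):
    """Split packets into forwarded and dropped, and tally the forged source addresses.

    The tally shows which victim addresses the customer's devices were impersonating,
    which is the signal an ISP would use to notify the customer of a compromised device.
    """
    forwarded, dropped, spoofed_sources = [], [], Counter()
    for pkt in packets:
        if source_is_valid(pkt[0], prefixes):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            spoofed_sources[pkt[0]] += 1
    return forwarded, dropped, spoofed_sources
```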
IoT botnets are leveling the cyberattack playground and democratizing destructive forces that were previously at the exclusive disposal of nation-states. Security solutions need to evolve in tandem with the threats in what Zeifman describes as “an infinite cat-and-mouse game.”
Ben Dickson is a software engineer and the founder of TechTalks, a blog that explores the ways technology is solving and creating problems. He writes about technology, business and politics. Follow him on Twitter: @BenDee983.