Threat actors have weaponized the Internet of Things (IoT) and connected devices.
They’re using unsecured IoT devices and creating botnets to launch catastrophic distributed denial of service (DDoS) attacks. This has given rise to the DDoS of Things (DoT).
LEARN MORE IN THE DDOS OF THINGS INFOGRAPHIC
Additional information here.
The IoT attack against Domain Name Servers from a botnet of thousands of devices means it’s way past time to take IoT security seriously. The bad actors around the world who previously used PCs, servers and smartphones to carry out attacks have now set their sights on the growing tidal wave of IoT devices. It’s time for consumers and enterprises to protect themselves and others by locking down their devices, gateways and platforms. While staying secure is a never-ending journey, here’s a list of twelve actions you can take to get started:
Keeping the various components that make up the IoT value chain secure requires constant vigilance. In addition to doing your part, it’s important to hold the vendors of the IoT devices, gateways and platforms accountable for delivering technology that’s secure today and in the future.
Guest post by Ben Dickson. This article originally appeared here.
Following last week’s DDoS attack against Dyn, which was carried out through a huge IoT botnet, there’s a general sense of worry about IoT security—or rather insecurity—destabilizing the internet or bringing it to a total collapse.
All sorts of apocalyptic and dystopian scenarios are being spinned out by different writers (including myself) about how IoT security is running out of hand and turning into an uncontrollable problem. There are fears that DDoS attacks will continue to rise in number and magnitude; large portions of internet-connected devices will fall within the control of APT and hacker groups, and they will censor what suits them and bring down sites that are against their interests. The internet will lose its fundamental value. We will recede to the dark ages of pre-internet.
That might be stretching it a bit, but the idea is that at the moment, IoT botnets are one of the biggest threats to internet stability, and there seems to be no stopping their growth because neither manufacturers nor consumers are concerned with IoT security, and as a result millions of new vulnerable devices are plugged into the internet every day, providing botlords with fresh new conscripts for their zombie armies.
But the silver lining in the entire Dyn episode is that it has served as a wakeup call for companies developing IoT solutions. Shortly after the attack, news broke that hacked products belonging to a certain Chinese electronics component manufacturer were the main culprit behind the Mirai botnet that launched the attack.
The company was forced to recall its products in order to patch them or replace them, which is pretty challenging because it develops and sells white-label products, which means many of its customers might not even know they are using its components. And there will always be some residual damage, as it’s virtually impossible to recall all devices, which means some will still roam across the internet with old vulnerabilities remaining.
Aside from the financial damage and the costs incurred from the recall and replacement, the company has suffered a huge blow to its reputation, and will have to try hard to regain the lost trust of its current and future customers.
This will serve as a warning to other companies that are in a hurry to avoid missing their share of a market slated to grow multi-trillion dollars in the next years, and are shipping out products without testing and vetting them for proper security and reliability. They will finally come to realize that it is within their long term interests to include security as part of the development process, rather than approaching it as an afterthought and focusing on the fast shipment of their products.
Many companies don’t even have the in-house expertise and knowhow of dealing with security issues in connected environments. They’ll have to either acquire the talent or outsource their security procedures. But it’s not something they can do without if they wish to survive the trials that await them.
They will also become more wary of the third party components they integrate into their products. As a result, component makers—like the one that was exposed after the Dyn attack—will also have to be more careful about what they’re selling to their customers.
And they’ll have to provision for the day security flaws surface in their products. Many IoT devices don’t have any means for updates and patch installation. In order to avoid the time-consuming and costly process of recalling products, manufacturers will have to embed over-the-air and online updating mechanisms, which will also make it easier for consumers to keep their devices up to date with the latest patches.
The overall result will likely be a slowdown of the IoT gold rush, which is a good thing. Newcomers as well as veterans will have more time to think meticulously on the design of their products and put more energy into securing their devices and preparing them for future developments and changes. Improved resilience and flexibility will be a positive byproduct of the process.
All in all, although the Friday’s attack was painful, it will help mature the IoT industry. From now on, manufacturers will either have to bake-in security into their products, or will have to wait for a security disaster to force them to either go out of business or fix their mess. Any rational mind will choose the former.
So things are not as bad as they seem. This is what I call the self-regulation of the IoT industry. Wonderful, isn’t it?
FEATURED IMAGE: SAVASYLAN/SHUTTERSTOCK
Guest post by Ben Dickson. This story originally appeared here.
The Internet of Things (IoT) is often hyped as the next industrial revolution—and it’s not an overstatement. Its use cases are still being discovered and it has the potential to change life and business as we know it today. But as much as IoT is disruptive, it can also be destructive, and never has this reality been felt as we’re feeling it today.
On Friday, a huge DDoS attack against Dyn DNS servers led to the majority of internet users in the U.S. east coast being shut off from major websites such as Twitter, Amazon, Spotify, Netflix and PayPal.
The culprit behind the attack was a huge botnet. Botnets are armies of zombie computers, vulnerable devices secretly compromised by hackers, which are silently doing the bidding of their masters, the botlords, without their true owners knowing about it.
While botnets and DDoS attacks are nothing new and have been around for a while, the advent and propagation of IoT devices has led to their chaotic growth. There are now millions of vulnerable IoT devices that are easier to access and even easier to hack than, say, computers and tablets that are packed with anti-virus software. That’s why IoT botnets are fast becoming a favorite for bot herders and a real threat for the cybersecurity industry. Put in another way, they are democratizing censorship by enabling any hacker with minimal resources to launch government-level DDoS attacks and bring down sites they don’t like.
This is sad news for the IoT industry. It is now evident more than ever that the IoT industry is in a mess, and it’s going to take more than individual efforts to fix it.
The problem, as I see it, is that all the parties that are directly—or indirectly—involved are either ignorant about security issues or have other priorities.
For their part, manufacturers are too focused on shipping feature-complete devices rather than creating secure and reliable products. After all, the IoT industry is in its gold rush era, and everyone is in a hurry to climb the bandwagon and grab a larger piece of the pie.
And that’s how security concerns take a backseat row in IoT development while timing and costs become prominent.
But why are the manufacturers getting away with their incompetence at securing IoT devices? Because others—namely consumers—couldn’t care less. As the manufacturers will tell you, customers don’t buy security, they buy functionality. They want something that works in an install-and-forget model and don’t want to be pestered with security procedures and practices such as password resets and software updates—and costs for things they can’t directly see with their eyes.
As for governments, they’re concerned about the security of IoT, but they’re not doing enough to regulate it and compel companies to vet their products for security and resilience against attack. The only novel and honest efforts we’ve seen so far include initiatives such as the IoT Security Foundation, but there’s only so much a single organization can do when it’s dealing with billions of potentially vulnerable devices and deaf ears that won’t listen to the voice of reason.
And here we are, almost on the brink of IoT devices outnumbering humans, and already devices of our own making are being used to deny us access to our most vital services and needs.
Friday’s spate of IoT-powered DDoS attacks should serve as a wake-up call, not only for IoT manufacturers, adopters and consumers, but for everyone. Many of the people who were affected by the attacks didn’t even know what IoT is.
So whether you care about IoT or not, it’s in your interest to see it secured.
And as much as I love IoT, I’m sad to see the industry destroying itself.
So what’s the solution? I like the thoughts shared by Bruce Schneier in this Vice Motherboard article, and I’d like to build on those to raise the following points, very concisely:
Of course, no single government can control the security of all the devices being connected to the internet. I’m thinking about a solution based on blockchain technology that will create a global answer to vetting IoT devices for security. I’ll write about it in the future.
What’s urgent is to have a concerted and unified effort to fix the messy state of IoT security. Today, we’re dealing with DDoS attack. Tomorrow, it could be something worse.
There’s no putting the genie back in the bottle. For better or for worse, IoT will transform our future. Let’s work together to make sure it’s going to be the former and not the latter.
How do you think we should deal with IoT security problems? Share in the comments section.
Over on MotherBoard, noted cryptographer, computer security and privacy specialist, and writer, Bruce Schneier pens his thoughts on the recent gaping holes in security for Internet connected devices. When Bruce speaks, people listen.
First, if you haven't been following the recent DDoS attacks using IoT devices, read this. In short, IoT devices have been comprised to attack networks.
It's so bad that Bruce is calling out the IoT market for failing to secure their devices and machines that connect to the Internet and is asking for government intervention.
He writes:
What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.
He continues that security has been built into many our computers and smartphones because there is money to invest in security, the same can't be said for low margin embedded systems like digital video recorders or home routers. Security is not their expertise. Even worse, he adds, most of these devices don't have any way to be patched.
He argues the market can't fix this because neither the buyer nor the seller cares. Government must step in and solve the problem says, Schneier.
What do you think?
Full article on Motherboard here.
EDITOR'S NOTE: This story originally appeared on the A10 Networks blog.
A pair of distributed denial-of-service (DDoS) attacks against high-profile targets last week rank among the largest DDoS attacks on record. And a common thread has emerged: these attacks are leveraging botnets comprising hundreds of thousands of unsecured Internet of Things (IoT) devices.
European Web hosting company OVH confirmed last week that it suffered a string of DDoS attacks that neared the 1 Tbps mark. On Twitter, OVH CTO Octave Klaba said the attacks OVH suffered were “close to 1 Tbps” and noted that the flood of traffic was fueled by a botnet made up of nearly 150,000 digital video recorders and IP cameras capable of sending 1.5 Tbps in DDoS traffic. Klaba said OVH servers were hit by multiple simultaneous attacks exceeding 100 Gbps each, totaling more than 1 Tbps. The most severe single attacks that was documented by OVH reached 93 million packets-per-second (mpps) and 799 Gbps.
Last days, we got lot of huge DDoS. Here, the list of "bigger that 100Gbps" only. You can see the
— Octave Klaba / Oles (@olesovhcom) September 22, 2016
simultaneous DDoS are close to 1Tbps ! pic.twitter.com/XmlwAU9JZ6
SC Magazine UK quoted security researcher Mustafa Al-Bassam as saying the DDoS attack against OVH is “the largest DDoS attack ever recorded.”
The OVH attack came on the heels of another gargantuan DDoS incident, this one targeting respected cybersecurity blog Krebsonsecurity.com, which knocked the site offline for several hours.
“The outage came in the wake of a historically large distributed denial-of-service (DDoS) attack which hurled so much junk traffic at Krebsonsecurity.com that my DDoS protection provider Akamai chose to unmoor my site from its protective harbor,” Brian Krebs wrote, adding that he has since implemented DDoS protection from Google’s Project Shield.
The attack on Krebs clocked in at a massive 620 Gbps in size, which is several orders of magnitude more traffic than is typically necessary to knock most websites offline.
SecurityWeek reported that Krebs believes the botnet used to target his blog mostly consists of IoT devices — perhaps millions of them — such as webcams and routers that have default or weak credentials.
“There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called ‘Internet of Things,’ (IoT) devices — mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords,” Krebs wrote.
Reports indicate that the attack was in response to Krebs reporting on and exposing vDOS, a service run by two Israelis who were offering a DDoS-as-a-Service play and were arrested after Krebs’ story was published.
Security researchers have warned that improperly secured IoT devices are more frequently being used to launch DDoS attacks. Symantec last week noted that hackers can easily hijack unsecured IoT devices due to lack of basic security controls and add them to a botnet, which they then use to launch a DDoS attack.
“Poor security on many IoT devices makes them soft targets and often victims may not even know they have been infected,” Symantec wrote. “Attackers are now highly aware of lax IoT security and many pre-program their malware with commonly used and default passwords.”
And while DDoS attacks remain the main purpose of IoT malware, Symantec warned that the proliferation of devices and their increased processing power may create new ways for threat actors to leverage IoT, such as cryptocurrency mining, information stealing and network reconnaissance.
