The Internet Of… Disaster?

September and October 2016 have been interesting months for many in the cyber security world. The Internet, and more specifically users of it, have long had to deal with a type of threat called a Denial of Service, or DoS. Over the years this has taken several nuanced forms, but has remained a concern, especially for businesses that depend on being online.

One form of DoS is the Distributed Denial of Service—or DDoS for short. DDoS attacks consist of multiple computers performing a synchronized attack against a target or group of targets. Most often, this comes from so-called Botnets (short for ‘robot networks’)… armies of computers that hackers have taken over, usually without the computer owners’ knowledge. These Botnets can be commanded en masse to send traffic across the Internet to their target. This can overwhelm the Internet connections that the target relies upon and cause the target service to be unable to answer legitimate requests. In effect, the service goes offline. If you’re a business where much of your revenue comes from Internet services, this is a major worry.

As if things weren’t bad enough, now comes a new worry. Botnets consist not only of PCs and servers, but of ‘Internet of Things’ (IoT) devices: Smart TVs, Light Bulbs, Home Security systems and a wide spectrum of other gadgets. As manufacturers rush to build ever more Internet-connected widgets, we lose sight of the fact that these ‘smart’ devices are really just ‘dumb’ computers.

In the computer industry, we’re learning how to deal with security threats. Your average PC has amazingly complex defenses designed to make sure hackers have a tough time. Certainly, talented attackers (many times aided by ‘tricked’ computer users) still pose a problem. But consider that many IoT devices have few or none of these defenses.

On September 20th, prominent cyber security journalist Brian Krebs found his blog was the target of a massive DDoS attack. Not by hacked PCs, but by hacked IoT devices. The Botnet in question was called ‘Mirai’. It sent so much traffic to Mr. Krebs’s hosting provider that his site buckled and collapsed. No mean feat considering the site was hosted by one of the world’s leading providers of DDoS protection!

A few days later, French hosting provider OVH fell victim to another attack from IoT devices… even bigger than that faced by Krebs. In fact, it was the largest DDoS attack ever recorded on the Internet and overwhelmed even the best countermeasures. Again, the attack traffic came from hacked cameras, thermostats, TVs and more.

The code for the Mirai Botnet was made available for free. This means any hacker can be up-and-running with a Botnet army in minutes.

On October 21st, a Mirai Botnet-led attack hit a major Internet DNS (Domain Name Server) service called Dyn. Major companies such as Twitter, PayPal and Spotify rely on Dyn to point visitors to their online services. When Dyn was hit with a DDoS attack, it didn’t just take them down, it took down all their customers too.

So what can we do about this problem? Clearly IoT devices are here to stay, but as consumers we’re usually focusing on the price rather than the security. Manufacturers are taking every shortcut they can to save a dollar, sacrificing decades of good security practices. Many devices that have been hacked in the Mirai Botnet, for example, simply can’t be fixed—the security flaw is permanent. Unless the device is physically disconnected or thrown away, the problem will exist forever.

IoT device manufacturers are going to have to revisit some of their decisions, or else it’s likely we’ll see some form of regulation to prevent dumb IoT devices from being used to break the Internet. Yes, it really is that serious… and no, we don’t really have an answer right now!