It's no secret that cyber-security experts have been raising red flags regarding the potential vulnerability of the Internet of Things (IoT), and attacks such as the Dyn® DDoS attack have been discussed since the inception of the term IoT. However, it was only after the Dyn attack at the end of last year that the market started to pay real attention to this issue, so much so that IoT security is a big talking point in the recent National Cyber Security Centre report on ‘The cyber threat to UK business’.
As the IoT grows, many believe that the number of cyber-attacks will grow alongside it, but not in terms of attacks on the technology itself. Instead, there is more focus on harnessing connected devices to target the very “building blocks” on which the internet runs. And this threat is very much plausible, because the devices, sensors, vehicles, and machines that make up the IoT have rarely been designed with security in mind.
The term “Botnet of Things” (BoT) refers to compromised IoT devices that are redeployed for cyber-crime, such as DDoS attacks. While hackers have been infecting all sorts of devices for decades, with IoT on the rise and more devices available for sabotage, there is a new opportunity for profit. Because there are so many devices available to be harnessed, a BoT attack where hackers take control of enough connected devices to attack and overwhelm the internet's critical infrastructure is now a growing reality.
Despite the hype in the market, many question whether the threat is real enough for an en masse call to action. With the Dyn attack being the only BoT attack of this type in the last year, specialists are worried that the hype is too great compared to the reality, especially as these types of attacks are hard to execute, even for top hackers.
It raises one important question—should we be alarmed?
The botnet of botnets
Alongside continuous investment and software progress, the main contributor to preventing cyber-attacks will be building devices with security in mind, as demonstrated by Apple®. But alarmingly, more and more mass production of connected devices is happening without paying much attention to security measures. As a result, the most common types of gadgets being targeted are those that are made either cheaply or where security is an afterthought. For example, many digital video cameras fit the mould of “cheaply” made, whereas TV cameras fit the mould of having security built in as an “afterthought.” Most of these devices are running older, terminal software, where vulnerabilities allow things like Mirai to be used.
Some experts are not alarmed by this, as the Dyn attack required 100,000 infected devices and taking control of so many devices on a regular basis is borderline impossible. However, devices that have been part of the Mirai botnet will always be infected. If another attack were to take place, these devices could be called upon as part of the botnet army. Once a device has been infected, it is very difficult to get rid of the virus, making discarding the device the only viable solution.
The business impact of BoT
More and more attacks are being perpetrated for profit. This includes simple attacks such as “click fraud”, but also more complex attacks like using botnets to guess passwords and for bitcoin mining. There is an entire industry built on stealing and selling personal information and even renting time on botnets. However, these high-volume attacks are hard to conduct and it takes more than “off the shelf” malware to control such great device numbers—it also requires skill. Numerous hackers are attacking IoT and Industrial IoT to increase their reputation in the market and showcase their ability to conduct these types of attacks.
There are also downstream effects to think about. If more companies end up conducting click-fraud, using botnets to make people click through to their website and increase ad traffic, the entire ad-driven revenue platform could suffer.
IoT's security pillar is its software
While the industry is figuring out the best way to handle BoT attacks, there are several things consumers can do to protect themselves from becoming part of the BoT. Purchasing IoT devices from companies that prioritise security, and changing the password immediately upon setting up the device, are good places to start. Although there are varying statistics in the industry in terms of how fast an IoT device can become part of the BoT, they are all in the neighbourhood of five minutes, so immediately really does mean immediately!
Enterprises should also make sure they are thinking about setting up their infrastructure in a way where they can be highly flexible. For instance, companies that had a hybrid database approach and ran their own DNS servers could not be impacted by the Dyn attack. But the usual security measures, like good patch management practices and tools, should have a strong focus on “detect and remediate.”
Ultimately, the main driver of security improvement will be the fear around how IoT devices will be used by hackers for BoT, which will result in manufacturers building better security software into their products.
This fear is also leading to massive investments in cyber-defence, as ISPs, enterprises, and governments start to pay much more attention to the issue. And in the light of the Dyn attack, ISPs of all sizes are now collaborating to make their defence walls unbreachable.
Understanding the BoT hype
These investments and the associated intense collaboration acknowledge the fact that the cyber-threat is very real. And while specialists are correct in saying the market's defence is going to improve and mitigate the likelihood of the threat, the market must keep in mind that for now it is vulnerable and has not outmuscled the criminals yet, which means the prospect of a second botnet attack taking place at any moment is entirely plausible.
Contributed by Joe Kim, senior vice president and global chief technology officer, SolarWinds
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.