IoT trouble and internet-breaking DDoS attacks: How to avoid one of 2017’s worst trends

The year 2017 is already shaping up to be one in which 2001 serves as fashion inspiration, Drake wins 80% of all music awards, and everyone you know begins broadcasting their lives on Instagram Stories and Snapchat. Yet somehow one of the worst trends of 2017 has nothing to do with any of this, and everything to do with that awesome new IoT device you bought.

The internet of things

The Internet of Things, or IoT, is the massive network of devices with internet connectivity, usually using internet protocol. The IoT doesn’t include your standard internet-connected devices like computers, tablets and smartphones and instead refers to smart devices like thermostats, washing machines, fitness trackers, CCTV cameras, even microchips in animals. These devices typically feature network connectivity, sensors, electronics and software that enable them to collect and exchange data. It is estimated that there are currently between four and six billion devices in the IoT, with Business Insider projecting that there will be 24 billion such devices by the year 2020.

The internet of unsecured things

The innovation involved in IoT devices is undeniably exciting. But there’s a downside to the IoT, and it’s getting to be an unwieldy one. Both enterprise-level and consumer-level IoT devices are majorly lacking on the security front because while securing a laptop is a no-brainer for most people, putting a password on a smart light bulb or smart refrigerator isn’t.

Not only do unsecured IoT devices leave their owners and users open to hacking and accompanying invasions of privacy and data breaches, but they’re also easy to hijack and use to direct malicious traffic at target websites, servers and platforms for DDoS attacks.

How bad is it?

One thing you can generally say about many trends in internet security is that the average person, one who does not own or run a website or take an interest in internet security issues, can often go through life unaware that these types of threats exist and are wreaking havoc on the online landscape. Until a consumer gets caught up in, say, a Home Depot data breach, ignorance is bliss.

This is not the case with distributed denial of service attacks coming from botnets made up of compromised IoT devices. On October 21st, 2016, the Mirai botnet, which consists of IoT devices, executed what is being called the Dyn DDoS attack on the Dyn DNS provider, knocking more than 60 high-profile internet platforms offline, including Netflix, Amazon, PayPal, CNN, Twitter, Reddit, Spotify and Yelp. This wasn’t the Mirai botnet’s first or last high-profile attack, but it demanded the attention of the general public in a way DDoS attacks typically don’t.

The technical details

The attack on Dyn was a record-setting one, weighing in at a staggering 1.2 Tbps – thought to be the biggest DDoS attack in history. Dyn stated that they received malicious traffic originating from approximately 100,000 infected IoT devices. The Dyn attack followed Mirai botnet-powered distributed denial of service attacks that had each previously held the title of biggest DDoS attack, until the Mirai botnet outdid itself.

With so many infected devices to work with, IoT botnets are well suited to SYN flood attacks, which online security firm Imperva Incapsula defines as a type of DDoS attack in which a botnet sends TCP connection requests from its myriad hijacked devices faster than the target can process them, consuming server resources and leaving it unresponsive to both malicious and legitimate requests. IoT botnets are also commonly used for other types of flooding attacks, including UDP, GRE, ACK and Valve Source Engine query flooding.
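On the receiving end, a SYN flood shows up as a pile of half-open connections (TCP state SYN_RECV) on one listening port, arriving from many different sources. The following is an added example, not part of the original article: it counts those entries per local port from text in the Linux `/proc/net/tcp` layout. The sample table, the function names and the threshold of 4 are constructed for illustration, and the decoder assumes IPv4 on a little-endian host.

```python
import socket
from collections import defaultdict

SYN_RECV = "03"  # TCP_SYN_RECV: SYN received, final ACK of the handshake still missing

# Constructed sample in Linux /proc/net/tcp layout (columns after "st" omitted).
# Remote addresses come from the documentation ranges; none is real traffic.
SAMPLE = """\
  sl  local_address rem_address   st
   0: 00000000:0050 00000000:0000 0A
   1: 0A00000A:0050 0A6433C6:C001 03
   2: 0A00000A:0050 0B6433C6:C002 03
   3: 0A00000A:0050 0C6433C6:C003 03
   4: 0A00000A:0050 057100CB:C004 03
   5: 0A00000A:0050 067100CB:C005 03
   6: 0A00000A:0050 140200C0:D431 01
   7: 0A00000A:0016 150200C0:E0F2 03
"""

def decode_addr(hex_addr):
    """'0A6433C6:C001' -> ('198.51.100.10', 49153); IPv4, little-endian host assumed."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)

def half_open_by_port(proc_net_tcp):
    """Count half-open connections and distinct sources per local port."""
    stats = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue  # listening, established and other states are not half-open
        _, local_port = decode_addr(fields[1])
        remote_ip, _ = decode_addr(fields[2])
        stats[local_port]["half_open"] += 1
        stats[local_port]["sources"].add(remote_ip)
    return dict(stats)

def flag_floods(proc_net_tcp, max_half_open=4):
    """Ports whose half-open count exceeds the (illustrative) threshold."""
    return sorted(p for p, s in half_open_by_port(proc_net_tcp).items()
                  if s["half_open"] > max_half_open)

if __name__ == "__main__":
    for port, s in sorted(half_open_by_port(SAMPLE).items()):
        print(port, s["half_open"], "half-open from", len(s["sources"]), "sources")
    print("flagged:", flag_floods(SAMPLE))
```

On a live Linux host the same functions can be fed the contents of `/proc/net/tcp`; a real threshold should be set relative to the listener's SYN backlog rather than a fixed small number.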

Looking ahead

The IoT is only set to get bigger, with billions of devices added to it every year. While the implications of this from an innovation standpoint are exhilarating, internet security professionals are bracing for impact. The risks are so stark that a report commissioned by former US President Barack Obama lists achieving robustness against distributed denial of service attacks and rapidly improving the security of the Internet of Things as two of the biggest cybersecurity recommendations for President Trump.

What he does is of course up to him and his advisors, but consumers are basically receiving the same advice when it comes to the IoT, just on a smaller scale. To do their part in securing the internet at large, consumers need to take the necessary steps to find the default passwords on their devices and change them to something that would be difficult to guess. Changing passwords and pass codes frequently is even better. Consumers should also watch for firmware updates and software patches and implement both as soon as possible to protect against known vulnerabilities.