In the Internet of Things (IoT), billions of connected objects quietly collect and transmit data and perform a wide range of functions, generally without human intervention. Imagine vending machines that tell you when they need to be replenished, vehicles that schedule their own maintenance, and “smart home” products that let you lock your doors, control your thermostat, and peek inside your refrigerator using an app on your smartphone.
The IoT offers virtually limitless potential and the capacity to transform industries ranging from manufacturing to education to healthcare. And organizations are getting on board in a big way. According to Juniper Research, there were 13.4 billion IoT devices in 2015, and that number will reach 38.5 billion in 2020 — a rise of more than 285 percent.
But the IoT has a dark side. On Oct. 21, 2016, numerous websites and services were disrupted by a widespread distributed denial of service (DDoS) attack on Dyn, a domain name system (DNS) provider. Netflix, Twitter, Reddit, and Spotify were among the services experiencing downtime in the attack.
The attackers used malware called Mirai (Japanese for “the future”) to create massive botnets made up of compromised IoT devices. Most of the bots were DVRs and video surveillance cameras that have known vulnerabilities and weak access controls, making it easy and inexpensive to launch a DDoS attack. Cybercriminals use large numbers of devices in a DDoS attack to circumvent security software that blocks individual IP addresses, generating an abnormal amount of traffic.
The attack on Dyn was not an isolated event. According to the Akamai Technologies Third Quarter State of the Internet/Security Report, DDoS attacks increased 71 percent in Q3 2016 compared to Q3 2015, with 19 “mega attacks” that peaked at more than 100Gbps. The two largest DDoS attacks observed to date — recorded at 623Gbps and 555Gbps — used the Mirai IoT botnet.
Mirai doesn’t just turn individual devices into bots; it makes them recruiters for the botnet army. Infected machines continuously scan the Internet looking for other vulnerable IoT devices and attempt to log into them using factory default credentials. Rebooting a device eliminates the infection, but the device will be re-infected quickly if the username and password are not changed.
That’s why the IoT is such an enormous security threat. Many organizations have failed to implement even basic security controls, such as changing the default login and password for the management console on IoT devices. These factory-set credentials are well-known among hackers. In addition, manufacturers are not securing IoT devices to prevent DDoS and other attacks; the Dyn attackers were able to exploit a 12-year-old vulnerability to route messages through the compromised devices.
IT industry analysts say that the IoT will play a larger role in targeted attacks in 2017. These attacks will exploit known vulnerabilities and unsecured systems to disrupt business processes, as we saw with Dyn. Many organizations launched IoT initiatives without considering security implications from the beginning, and must now attempt to reactively patch vulnerabilities.
Just because an enterprise does not have unsecured devices connected to the Internet does not mean they are in the clear. Often, consumer devices such as home routers or wireless security cameras end up being conduits or “malware hosts” as they share a network with a host that has established a VPN connection to a corporate network. Leveraging the peer VPN connection, these unsecured and compromised devices effectively become vulnerable extensions of the enterprise perimeter, increasing the attack surface for the entire enterprise. In our next post, we will discuss the challenge of securing the IoT and the role of identity and access management in reducing IoT threats.