IoT Attacks Open New Cybersecurity Front
The hacker group Anonymous enlisted millions of insecure IoT devices to launch a massive DDoS attack against the United States. It marked the beginning of a new era of security threats and opportunities.
By Larry Walsh
Millions of Americans awoke last week to a cyberspace version of a nuclear holocaust: no access to many popular Websites, including Twitter, Netflix, and Amazon. Outage maps showed huge swaths of the United States affected by a massive distributed denial of service (DDoS) attack that throttled Internet performance.
The world has seen massive DDoS attacks in the past, and the outage map resembled events in which major Internet backbones were disabled. What made this attack different is the source: Internet of Things (IoT) devices.
Anonymous claimed responsibility for launching the attack against DNS servers operated by Dyn. The hackers leveraged millions of insecure IoT devices, ranging from nanny cameras to home monitoring sensors, to flood the DNS server with illegitimate packets. The result: Legitimate traffic couldn’t translate IP addresses and resolve at the proper domains.
Anonymous allegedly launched the attack that affected the East and West coasts of the United States and parts of Europe to protest the Ecuadorian government’s disabling of Internet access to Wikileaks founder Julian Assange. Anonymous, a global network of affiliated hackers, wants DDoS accepted as a legitimate form of protest.
The attack demonstrated two things: The Internet, which the modern world is largely dependent on for every aspect of daily personal and business life, is resilient but not immune to disruption; and the flood of IoT devices attached to the Internet is opening new vulnerabilities and attack vectors that will affect individuals and businesses.
By some estimates, the Internet will have more than 50 billion attached devices – many unmanaged and autonomous. Web cameras, home security and environmental controls, automobile telemetric systems, smart refrigerators, medical monitors, and civil engineering sensors. Seemingly anything that has an electrical current is connected to the Internet.
Inherent vulnerabilities make these devices exceedingly susceptible to compromise. Anonymous used Mirai malware to take over millions of IoT devices to create a massive botnet. Researchers continue to investigate and believe Mirai is only one part of the massive, sophisticated assault. The Anonymous attack against Dyn shows that IoT is building into a major security headache.
IoT is an irreversible trend, and while it won’t amount to the $20 trillion market predicted by certain vendors, sales of devices and associated services will likely top $2 trillion by the end of the decade. This means that tens of millions more IoT devices, regardless of their security posture, will hit the Internet in the next several years.
Despite all the buzz about IoT, Big Data, cloud computing, automation, and mobility, we know that these technology advancements are dependent on two things: network availability – with reliable quality of service – and secure connections. Without those two elements, none of the next-generation technology will work.
Security vendors are racing to figure out ways to secure IoT devices and the infrastructures to which they connect. Several conventional security technologies will help curb exposure to IoT risks. And new technologies will likely emerge to help safeguard against IoT attacks and protect devices from compromise.
A decade ago, security concerns associated with IP-enabled refrigerators were laughed off as supercilious. Today, nobody’s laughing.