On Friday October 21, 2016, Dyn was subjected to two large Distributed Denial of Service (DDoS) attacks against their internet-address lookup Managed DNS infrastructure. The attackers used Mirai botnets launched from over 100,000 endpoints including cameras, DVRs and baby monitors to generate the significant volume of attack traffic. Affected services included Amazon, Spotify, Netflix and the New York Times.
While this was a significant attack launched from Mirai-infected Internet of Things (IoT) devices, the owners and manufacturers of those IoT devices were not the target. The IoT manufacturers are able to carry on with little to no security on their devices, while consumers continue to buy those devices without demanding better security. Is anything going to change?
Attacks on IoT devices are not limited to DDoS by any means. Those attacks do, however, illustrate some fundamental security vulnerabilities in IoT devices that could be exploited in ways that would impact consumers adversely. Let’s look at a couple of examples.
Connected home security products are becoming increasingly popular. The threat of a vulnerable IoT door lock or garage door is obvious, but internet-enabled security cameras also come with risks. Of course, there is the potential problem of privacy invasion with these cameras, but other threats exist as well. First, if the compromised cameras are on the same network as other devices, then hackers have a foothold into your network and can begin searching for weaknesses in other devices. Second, thieves can use the output from cameras to remotely monitor when the home is empty to plan robberies. Combined with a vulnerable IoT door lock, the connected “insecure” home is ripe for the picking.
It’s great having a smart connected thermostat so your house is the right temperature at all times. And the convenience of internet-connected cameras in your refrigerator is a boon if you aren’t sure if you need to buy milk. But what if poor cybersecurity makes it trivial for hackers to gain access to those devices? Sure, it would be embarrassing for the world to see that your fridge just has mayonnaise and beer in it, but it would be far worse if that vulnerability gave the attacker access to other devices on your network. Or a hacker could turn your heat and oven up to maximum temperature, at worst causing a fire or at least costing you money and discomfort.
There is an axiom that hackers go where the money is. According to US government statistics, the number of ransomware attacks increased 300% in 2016 from 2015, with over 4,000 attacks detected per day. So, ransomware attacks on IoT devices are an unfortunate inevitability, as that is the easiest way to extract money out of IoT. With poorly secured IoT, consumers may one day wake up on a cold winter morning to a thermostat locked at 50 degrees (F) with the display giving ransom instructions. Or maybe a connected car won’t start until bitcoins are sent to the hacker.
Only once consumers start choosing devices with solid security will the manufacturers take notice and take security seriously. If consumers don’t demand security with their purchasing dollars, the government regulators will likely jump in.