sponsored

Poorly Secured IoT Devices Prove a Potent Weapon for DDoS Attackers

Last year, 2016, was the year that distributed denial of service (DDoS) attacks really lived up to the “distributed” part of their name. Why? Because a scenario long predicted, and feared, finally materialized in a big way.

istock 91597321 large
istock

Last year, 2016, was the year that distributed denial of service (DDoS) attacks really lived up to the “distributed” part of their name. Why? Because a scenario long predicted, and feared, finally materialized in a big way. Attackers started to exploit the massive – and poorly secured – Internet of Things (IoT).

In late October, DNS provider Dyn suffered the largest DDoS attack yet seen. Its servers experienced simultaneous attacks that, combined, deluged them with over 1.2 terabyte-per-second of data. The source of the attack – a botnet that first infected and then directed more than 150,000 simple IoT devices, including Internet-connected cameras and DVRs.

The assault Dyn suffered was the largest, but just one of many massive IoT-based DDoS attacks that have occurred during the past year. Future attacks of this type may dwarf those we’ve seen so far. After all, Gartner estimates there will be about 8.4 billion connected IoT devices worldwide by the end of this year, a number that will grow to 20.4 billion by 2020. Meanwhile, a recent survey of more than 1,000 business and IT decision makers worldwide found that 78% of the responding organizations already have IoT devices and applications in active use.

The numbers of IoT devices deployed is only part of the story. As or more important is the fact that many of these devices have little or no security protections. Some IoT devices are too simple to support on-board security controls, while others have controls – such as password protection – that are often poorly used. A common flaw exploited by DDoS attackers, for example, are IoT devices with factory-default passwords such as “1234” that have never been changed by the device owners. 

Because many IoT device manufacturers continue to place security on the back burner, it’s up to those deploying IoT solutions to make IoT security a top priority. At a device level, that means more than just avoiding the use of default passwords. Buyers should also look for devices that can be updated with software or firmware security fixes, that have no backdoors, and that come with good manuals and support services from the vendor, for example.

Still, one long-standing best practice – the need to have multiple layers of security – has become even more pressing in the age of IoT. Even if most device manufacturers and users begin to take IoT security more seriously, there will be millions of vulnerable IoT devices in action for the foreseeable future. That means that organizations need to ensure they have network, data center, and cloud-based security defenses in place that can make up for the inevitable shortcomings that will persist at the device level.

Finally, when considering IoT device security, it’s important to realize that enlistment as part of a DDoS botnet is just one of the risks organizations face – both to themselves or, more likely, to some third-party victim of an DDoS attack. Most frightening: because many IoT sensors and controllers bridge both the cyber and physical worlds, attackers who gain control of those devices can potentially cause physical damages and even deaths. Nightmare scenarios such involving IoT controlled smart cars, factory robots, or nuclear plant cooling systems are no longer only in the realm of science fiction. Just one of many reasons to take IoT security to heart.

Copyright © 2017 IDG Communications, Inc.