The Internet of Things opens up huge opportunities. Also for the bad guys. The network of connected machines, devices and systems offers cybercriminals new tools and methods for plying their trade. We ain’t seen nothing yet.
Many of the ‘funny’ or enigmatic e-mails most of us find in our inboxes on a daily basis contain attachments or hyperlinks that are meant to infect our computers with malware. If this succeeds, your computer or mine may come under the command and control of cybercriminals. In most cases, they have built a huge network of zombie computers (maybe one of them is mine or yours) that can be used, or even rented out, to perform huge Distributed Denial of Service (DDoS) attacks. Targeted computers, web sites or systems drown in a tsunami of service requests. The success rate of this kind of crime has decreased in recent years, as users have become malware savvy. They are also better supported by antimalware software. Cybercriminals have therefore shifted their focus to planting their malware on ‘dumb’ devices that are connected to the internet. In many cases, those devices were never designed with security in mind. With the right tools, they are easy to find, to access, to infect and to control.
This approach can be very successful, as the case of security journalist Brian Krebs reveals. Krebs suffered a DDoS attack on his website after publications about the cybercrime syndicate vDOS, which runs and exploits huge zombie networks. vDOS’s retaliation attack broke all records at 1 Tbps by using the Internet of Things (IoT) to launch a cyber bombardment. The IoT consists of billions of poorly secured home, garden and kitchen appliances. Krebs was attacked by approximately 120,000 webcams, routers and printers. Shortly after, a vDOS attack by 150,000 units was reported by another victim. Hacking those ‘smart’ devices was quite easy, as manufacturers equip the machines with default passwords like “admin” and “12345” that in most cases are not changed by the user after deployment.
In the meantime, cybercriminals are not the only ones to have discovered DDoS as a weapon of mass destruction: governments and companies have also used DDoS to drown out the unwelcome opinions of dissidents or to bring down the digital operations of competitors. Those DDoS attacks can be very targeted, including at other IoT devices. The life of a CEO in a connected car, of a politician with a pacemaker, or of residents living behind a networked water sluice may be at stake.
It is difficult to remediate massive attacks on this scale, and it costs dearly. For smaller organizations or individuals, it is almost impossible to divert DDoS attacks at moderate cost. What can be done from an enterprise network design perspective? Scale-up: bigger networks can handle volumetric DDoS much better. Clean-up: monitor and clean traffic at the network’s perimeter at multiple distributed points. Diverse: geographical diversity brings priceless benefits, because fragmenting the traffic volume prevents it from building up into a highly volumetric DDoS attack on a single network node. Upgrade: firewalls can be taught to recognize more types of flood and suspicious behavior in the traffic flow.
The Krebs case was a real wake-up call. But legislation, supervision, self-regulation by the industry, or even an IoT hallmark are not yet on the horizon. Policy makers and the industry must now gear up on security, as it is becoming a matter of life and death.