Assessing The Massive Security Vulnerability Of The Internet Of Things
“The DDoS genie is out of the bottle, and is unlikely to pop back in.”
The increase in connected devices could make 2017 a banner year for cyber attacks.
A report by global professional services company Deloitte said that Distributed Denial of Service (DDoS) attacks will grow in size and scale in 2017, thanks in part to the growing multiverse of connected things. According to Deloitte’s annual Technology, Media and Telecommunications Predictions report, DDoS attacks will be more frequent, with an estimated 10 million attacks in total over the next 12 months.
DDoS attacks are no new phenomena. The potential impact on an organization from this category of cyber threat should never be underestimated, Deloitte said.
The report said that the size of DDoS attacks has increased year-on-year. Between 2013 and 2015, the largest attacks did not exceed 500 gigabits per second. In 2016, there were two attacks that exceeded one terabit per second. Over the next 12 months, the average attack size is forecast to be between 1.25- and 1.5 GBs per second, with at least one per month exceeding 1 TB per second.
On a basic level, the success of DDoS attack is focused on making a website or network resource—a server, for example—unusable. This scenario is achieved by creating a flood of Internet traffic from multiple sources that are launched simultaneously. The website or resource is then overwhelmed, resulting in a suspension of service or access.
For example, an ecommerce website that is hit by a DDoS attack would be unable to sell its products until the attack was contained. At the same time, any exposed vulnerabilities could produce a knock-on effect and take other organizations or websites down with it.
“DDoS attacks are the equivalent of hundreds of thousands of fake customers converging on a traditional shop at the same time,” the report said. “The shop quickly becomes overwhelmed. The genuine customers cannot get in and the shop is unable to trade as it cannot serve them.”
Connected Devices Are An Easy Target
There are several methods for creating this type of chaos but the most common are botnets and amplification attacks.
A DDoS attack generated through a botnet accesses hundreds of thousands of connected devices that have been told to act in disruptive manner via malicious code. An amplification attack also uses malicious code by instructing a server to generate multiple fake IP addresses that are then sent to a website—known as “spoofing”—which then overwhelm that service. Both of these approaches are widely known, although it is the botnet that has become more prevalent.
Irrespective of how widespread the impact is on an organization or network, Deloitte said that three concurrent trends will escalate the potential for DDoS attacks in 2017—the Internet of Things, widely available malware and high bandwidth speeds.
The prime culprit will be the Internet of Things.
Connected devices are notoriously insecure and ripe for being taken over by a third party. The standard way to gain remote access to a device is through a user ID or password, but some people may not be aware that a device’s firmware offers hackers a way in, Deloitte said.
The majority of users are familiar with the need to change user ID and passwords before using a device for the first time, and at regular intervals thereafter. But approximately half a million of the billions of IoT devices worldwide—a small proportion of the total, but a relatively large absolute number—reportedly have hard-coded, unchangeable user IDs and passwords. In other words, they cannot be changed, even if the user wants to.
Hard-coded user IDs and passwords are not an issue provided that a third party doesn’t know what they are. The problem is that they can be easy to find.
The Internet Of Things Is Always Exploitable
Anyone with a degree of programming knowledge can sift through a device’s firmware to discover what these IDs and passwords are, the report said.
In addition, a compromised Internet of Things device may not show any signs of being compromised to its owner, especially if there is no obvious deterioration in performance. Theoretically, millions of devices could be affected without their owners having any idea that the device was part of a botnet, Deloitte said. Consumer confidence in the Internet of Things is aligned with how secure a connected device is, confidence that can be shattered if that device can be exploited with little effort.
For example, the cyber attack on October 21, 2016, that affected the Dyn network was attributed to a botnet that used Internet-connected devices to take down numerous high-profile services that included Twitter, Amazon.com, Spotify, Comcast, Fox News and PayPal. Thousands of connected devices were used in this attack, which is now accepted as one of the largest of its kind to date.
Any company or organization that has a presence on the Internet should be aware that DDoS attacks are not going to stop anytime soon. The report cited several sectors that should be alert to the impact that a successful DDoS attack could have including (but not limited to) retailers with a high proportion of online revenue, video streaming services, financial or professional service companies and online video games providers.
“Some organizations may have become a little blasé about DDoS attacks, however these attacks are likely to increase in intensity in 2017 and beyond, and the attackers are likely to become more inventive,” said Deloitte. “Unfortunately, it may never be possible to relax about DDoS attacks. The DDoS genie is out of the bottle, and is unlikely to pop back in.”