Marc Wilczek, COO of Link11, explores the rise in DDoS exploits that use massive botnets of IoT devices to target businesses and offers advice on how to mitigate the threats.
This year marks a significant anniversary in cybersecurity: it’s 20 years since the first DDoS attack, which took place in July 1999 when a computer at the University of Minnesota in the USA was attacked by a network of 114 other computers running the program Trin00.
By coincidence, 1999 was also the year in which the term ‘Internet of Things’ was coined by Kevin Ashton, Executive Director of the Auto-ID Center. Back then, the Internet was a very different place: there were an estimated 250 million Internet users in 1999, compared to 4.4 billion today. The number of Internet-connected devices has also exploded to 26.66 billion, and together these changes have grown the DDoS threat exponentially.
According to Avast’s Smart Home Report released earlier this year, 40.3% of homes worldwide have more than five connected devices – such as printers, smart TVs and more – of which at least one is vulnerable to attack. The problem is that the security requirements of IoT devices are often neglected, making it all too easy for a threat actor to access the devices and abuse them for their own purposes. The majority of IoT devices do not have security mechanisms such as anti-virus or firewall protection. Instead, device manufacturers rely on the device owners to ensure security is applied.
In the case of networked household appliances, there is also no preventive defence against attacks. Access control, where it exists at all, usually relies on factory pre-set usernames and passwords, which means that cybercriminals can employ brute-force methods to take over target devices. And most device users lack the expertise to check whether their security camera, TV or refrigerator has been compromised.
Giant botnets = mega-scale attacks
This low level of security makes it easy for cybercriminals to hijack devices and recruit them into massive botnets, which can be used to launch ultra high-volume DDoS attacks. One of the most notorious botnets is Mirai, which was the first of its kind to use the IoT to carry out DDoS attacks. The vulnerabilities of the factory software on consumer IoT products were exploited to plant malware on over 600,000 devices, allowing hackers to use and abuse the devices as they wished.
This massive botnet marked a step change in denial of service attacks and was used to launch assaults of unprecedented size.
At the beginning of June this year, another Mirai variant became known which attempts to infiltrate wireless presentation systems, SD-WANs and home controllers via multiple new vulnerabilities. From there, the IoT botnets are used for cryptomining, spreading malware and spam and, of course, DDoS attacks.
In addition to the offshoots of the Mirai botnet, new types of IoT botnet are emerging that target the network protocols used by IoT devices. One variant targets the Simple Service Discovery Protocol (SSDP), which many IoT devices use to search for Universal Plug and Play (UPnP) devices or wirelessly networkable products, enabling the botnet to discover and recruit devices and grow automatically.
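As an added detection example (not from the original article), here is a small Python check over constructed traffic records that flags LAN hosts sending SSDP M-SEARCH requests to many unicast or non-RFC1918 destinations, which is what discovery-based recruitment scanning looks like, as opposed to normal discovery aimed at the SSDP multicast group. The record format, sample addresses and the threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

SSDP_MCAST = ipaddress.ip_address("239.255.255.250")  # normal SSDP discovery target
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records: (src_ip, dst_ip, dst_port, first line of UDP payload)
SAMPLE_FLOWS = [
    ("192.168.1.10", "239.255.255.250", 1900, "M-SEARCH * HTTP/1.1"),  # normal multicast discovery
    ("192.168.1.10", "239.255.255.250", 1900, "M-SEARCH * HTTP/1.1"),
    ("192.168.1.20", "192.168.1.10", 1900, "HTTP/1.1 200 OK"),         # normal unicast reply
    ("192.168.1.77", "192.168.1.30", 1900, "M-SEARCH * HTTP/1.1"),     # a couple of direct probes: below threshold
    ("192.168.1.77", "192.168.1.31", 1900, "M-SEARCH * HTTP/1.1"),
    ("192.168.1.55", "203.0.113.4", 1900, "M-SEARCH * HTTP/1.1"),      # probing hosts outside the LAN
    ("192.168.1.55", "203.0.113.5", 1900, "M-SEARCH * HTTP/1.1"),
    ("192.168.1.55", "203.0.113.6", 1900, "M-SEARCH * HTTP/1.1"),
    ("192.168.1.55", "203.0.113.7", 1900, "M-SEARCH * HTTP/1.1"),
    ("192.168.1.55", "203.0.113.8", 1900, "M-SEARCH * HTTP/1.1"),
]

def is_ssdp_search(dst_port, payload):
    """True for an SSDP M-SEARCH request on the standard SSDP port."""
    return dst_port == 1900 and payload.upper().startswith("M-SEARCH")

def is_lan_address(ip):
    return any(ip in net for net in RFC1918)

def suspicious_ssdp_sources(flows, max_unicast_targets=3):
    """Map src -> counts for hosts whose M-SEARCH traffic is aimed at individual
    hosts rather than the multicast group: many distinct unicast targets, or any
    target outside the private ranges, indicates scanning rather than discovery."""
    unicast_targets = defaultdict(set)
    for src, dst, port, payload in flows:
        if not is_ssdp_search(port, payload):
            continue
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip == SSDP_MCAST:
            continue  # legitimate discovery goes to the multicast group
        unicast_targets[src].add(dst)
    findings = {}
    for src, targets in unicast_targets.items():
        external = {t for t in targets if not is_lan_address(ipaddress.ip_address(t))}
        if external or len(targets) > max_unicast_targets:
            findings[src] = {"targets": len(targets), "external": len(external)}
    return findings

if __name__ == "__main__":
    for src, info in suspicious_ssdp_sources(SAMPLE_FLOWS).items():
        print(f"{src}: M-SEARCH to {info['targets']} unicast hosts, {info['external']} outside the LAN")
```

Feeding real flow or packet-capture records into the same check turns it into an alert for an IoT device that has started hunting for other UPnP-capable devices; the threshold should be tuned to the number of direct probes a legitimate controller in the environment actually makes.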
Regulation: Too little, too late?
What, then, can be done? Some jurisdictions, such as the State of California and the UK, are relying at least in part on regulation and legislation. As of January 1, 2020, only networked devices with an individual password will be allowed to be sold in the US state. Alternatively, the user must be forced to change the password when the device is first put into operation.
The UK government has also declared war on standard passwords such as ‘123456’ or ‘password’ in an upcoming bill. The DIN SPEC 277072 specification also promises more security for IoT devices. Released by the German Institute for Standardisation in May 2019, it presents a minimum security standard for smart home devices.
These legislative initiatives are undoubtedly moves in the right direction. However, they do not help the organisations that are experiencing DDoS attacks here and now. It’s also important to note that many billions of connected devices that are already deployed cannot be upgraded to make them more secure, because they lack the processing power, which leaves them vulnerable to exploitation and takeover for as long as they remain connected.
Compromised IoT devices, then, are a significant and evolving security threat for today’s organisations to deal with. Companies which rely on 100% availability of their digital business processes and online service offerings cannot wait for government initiatives to take effect, or for manufacturers to make security upgrades to products that are already deployed.
They need to take action themselves and counter the threat by deploying defences that can keep pace with increasingly sophisticated, highly targeted mega-attacks from armies of compromised IoT devices.
With a solution that fends off high-volume attacks as well as resource-intensive attacks on protocol and application levels, organisations will be well placed to block the ever-growing threat from all the small things on the Internet.