The threat landscape has been transformed by the emergence of IoT botnets. In turn this has, in part at least, facilitated DDoS attacks that originate from botnets, allowing criminals to execute assaults with precision and control, and sent in different ways which are often virtually impossible to trace back to the original attacker. The largest DDoS attacks are also growing exponentially in size, as attackers take advantage of the breadth of connected devices incorporated in our Internet of Things.
Sheer number of devices a major concern
One of the major contributors behind the rise of IoT-related attacks, is the massive number of these typically poorly-secured, Internet-connected, devices currently in use worldwide. One of the key catalysts was the original Mirai botnet, that harnessed millions of vulnerable IoT devices by using telnet to find those still using their factory default username and password pairs to launch attacks. We are now seeing derivatives of Mirai that use increasingly sophisticated exploits, such as finding vulnerabilities in the software that runs on devices, in a similar way that hackers have been compromising Windows and Android devices.
The sheer scale and variety of devices offers a significant return for cyber criminals, as they only need to find a way to compromise one device model and can then replicate the attack to compromise hundreds of thousands more devices. There is really no limit to the potential size and scale of future botnet-driven DDoS attacks, particularly when they harness the full range of smart devices incorporated into our Internet of Things. And, by using amplification techniques with these devices, which includes vast numbers of home-routers, baby video monitors and security surveillance cameras, the largest DDoS attacks are set to become even more colossal in scale.
Password hygiene is a must
As devices become increasingly secure by design, we’re still witnessing mass production and release of devices with the same default passwords which are easy targets for cyber attackers. The challenge is that, technically, it is more complex for manufacturers to produce devices with unique credentials, versus just relying on users to change them at the point of use. However, in reality, very few consumers will do this – assuming they even knew how, allowing hackers to take full advantage of the situation. Default passwords are pretty simple to discover and, in fact, some can be found from a simple Google search. So, changing these ‘masterkeys’ should be of paramount importance to both end users and organisations alike.
In addition, when a network router’s administrative interface is accessible from the Internet, then hackers can often gain access via a brute-force attack. Routers continue to be an attractive target as they act as a gateway to the entire network, giving cybercriminals the potential to access additional devices and recruit them into a botnet army. Users can, typically, disable external access by choosing local administration only, ensuring all their passwords, including default ones, cannot be used from the Internet.
Fortunately, some of the security flaws are already being identified and fixed, with consumers increasingly aware of the security risks posed by IoT devices. Device manufacturers have also started implementing security updates automatically to reduces the chances of those connected devices being hacked or taken over.
Attackers understand that manufacturers and home users are starting to wake up to the problem of default passwords on IoT devices, and are seeking alternative, more complex ways to access them. As this trend continues, hackers become increasingly inventive when searching for accessible devices and ways to gain entry to them.
There isn’t one solution for connected-device protection – there’s probably a dozen different things that people need to do, to help address this challenge, all the way from homeowners being more responsible and changing default details, to manufacturers implementing secure update practices. What is a given is this problem is not going to be solved overnight.
With the growing number of connected devices around the globe, it is important that manufacturers, service providers and retailers work together to raise IoT security awareness and encourage organisations to educate end-users on the part they need to play with good password hygiene, that ultimately will benefit all of us.
In the meantime, for organisations who cannot afford negative service impact from a rogue Botnet powered DDoS attack, real-time protection is a necessity.
For more information, contact us.