The Internet of Attacks: Disturbing Online IoT Trends

Disturbing Online IoT Trends

If you thought the worst thing to come out of the Internet of Things (IoT) trend for internet-connected devices was your mother in law’s daily reports on her smart refrigerator telling her she’s out of prune juice, then it’s time to think again.

People are understandably going wild for IoT devices. The technology is intriguing, many of the applications are becoming essential, and in a great deal of cases what these devices can do is just plain fun. The problem is that online attackers are just as fond of these devices, and they’re not using them to monitor their front doors or turn on the coffee maker while they’re still in bed. Instead, they’re using them for distributed denial of service (DDoS) attacks and data breaches.

DDoS dangers

When it comes to IoT devices, DDoS attacks and data breaches are two separate issues that stem from the same problem: lax security. In their rush to market, manufacturers largely have yet to prioritize security in their IoT devices, and while end users would be quick to secure an internet-connected device like a laptop, it just doesn’t seem to be thought of when it comes to smart devices like thermostats or baby monitors. As a result, the Internet of Things is populated by millions of devices using default usernames and passwords.

This is a problem because with a bit of Malware and expertise, an attacker can hijack an internet-connected device and control it remotely. This is how botnets are assembled. In essence, a botnet is a network of hijacked devices that are used to aim immense amounts of malicious traffic at websites, servers or other online services in what are called DDoS attacks. An unmitigated attack will push the website or service offline altogether, or slow it down to the point that it can’t be used.

Botnets have been a DDoS-causing problem for over 15 years, but with the security problems plaguing the IoT, the size of botnets as well as their resultant attacks are reaching never before seen proportions. It was an IoT botnet by the name of Mirai that was behind the record-smashing distributed denial of service attacks on French hosting provider OVH, online security blogger Brian Krebs and DNS provider Dyn at the end of 2016, and it will surely be IoT botnets behind the next record breakers, which could come at any time.

Vulnerable data

If an attacker can compromise a device in order to enlist it in a botnet, then an attacker can also compromise a device for its data. Financial information, health information and other sensitive and highly sellable data is ripe for the picking behind default user names and passwords in the IoT. This would be bad enough for individual users, but there is an untold number of smart devices in use by major organizations that are providing potential access to huge databases.

Forrester Research estimates that a whopping 500,000 IoT devices will be compromised in 2017, while other experts are predicting that the first big security breach that can be traced back to an IoT device will happen within the next two years, to say nothing of the smaller scale data breaches that could be occurring at this very moment.

A collaborative solution

A true solution to these IoT problems is frustratingly out of reach since it requires the cooperation of so many organizations and people, including a large number of manufacturers that need to incorporate better security in the firmware to cut down on Vulnerabilities. As a result, end users and website owners are left to secure their own devices and sites.

To begin securing your devices, change the default user names and passwords on them, no matter how ridiculous it may seem to set a password for, say, a thermostat. It’s also a good idea to disable WAN or remote access to your devices. You can use this open port finder to check for remote access on Telnet (23), SSH (22) and HTTP/HTTPS (80/443) ports.

To protect a website against the major threat posed by DDoS attacks, website owners need to invest in professional distributed denial of service mitigation. Scalable, cloud-based protection with a truly robust backbone will be able to handle attack attempts from botnets of all sizes, even IoT-powered botnets.

With a few simple steps and high-quality DDoS protection, your biggest IoT worry can once again be related to your mother in law and the world’s most boring use of smart devices. What a world.

Sponsored by Incapsula

By Gary Hanley

Jim Fagan
Subsea Connectivity Digital transformation and the migration of data and applications to the cloud is a global phenomenon. While we may like to think that the cloud knows no borders, the reality is that geopolitics ...
Drew Firment
Here’s How to Make Sure Your Skills are Cloud Ready This year will be a period of meteoric growth for the cloud industry. Research from Gartner suggests that global spending on public cloud services in ...
Adam Cole
Mitigating Regulatory Risk Some of the great business opportunities for Unified Communications as a Service (UCaaS) integrators and Value-Added Resellers (VARs) have been the emergence of cloud, telephony and Unified Communications (UC) technologies such as ...
Threat Security
Azure Red Hat OpenShift: What You Should Know What Is Azure Red Hat OpenShift? Red Hat OpenShift provides a Kubernetes platform for enterprises. Azure Red Hat OpenShift permits you to deploy fully-managed OpenShift clusters in ...
Jonathan Custance
IoT and cloud computing are on the increase High-profile cybersecurity breaches are increasingly in the news, a prime example being the NHS incident of May 2017 when services were brought to a standstill for several ...

SECURITY TRAINING

  • Isc2

    ISC2

    (ISC)² provides IT training, certifications, and exams that run online, on your premises, or in classrooms. Self-study resources are available. You can also train groups of 10 or more of your employees. If you want a job in cybersecurity, this is the route to take.

  • App Academy

    App Academy

    Immersive software engineering programs. No experience required. Pay $0 until you're hired. Join an online info session to learn more

  • Cybrary

    Cybrary

    CYBRARY Open source Cyber Security learning. Free for everyone, forever. The world's largest cyber security community. Cybrary provides free IT training and paid IT certificates. Courses for beginners, intermediates, and advanced users are available.

  • Plural Site

    Pluralsite

    Pluralsight provides online courses on popular programming languages and developer tools. Other courses cover fields such as IT security best practices, server infrastructure, and virtualization.