Author: Clayton Locke
Unprecedented DDoS attacks in September and October 2016 showed that the insecurity of the Internet of Things should be a serious concern for organisations offering digital financial solutions.
September saw the record for the largest ever DDoS (Distributed Denial of Service) attack broken and then shattered as unknown assailants attacked security journalist Brian Krebs and French hosting company OVH using an army of poorly secured IoT devices.
The DDoS record broken
The mid-September attack against Brian Krebs’ website raised the bar on the biggest DDoS attack ever seen to 620 Gbps, a substantial increase on the 500 Gbps that hit pro-democracy websites in Hong Kong in 2014.
The attack was so large that cloud hosting giant Akamai felt unable to continue offering the pro bono DDoS protection it was providing. Faced with an attack that was almost double the size of the next largest attack their network had encountered, they abruptly withdrew their support with just two hours’ notice.
Krebs reports that he was then approached by other security firms offering to step in and offer equivalent protection provided he could find the $200,000 a year to pay for it.
That figure may have been a low ball – in an interview with The Boston Globe, Akamai’s VP of web security, Josh Shaul, offered a stark assessment of the costs involved in fending off “the worst denial-of-service attack we’ve ever seen” suggesting that “If this kind of thing is sustained, we’re definitely talking millions [of dollars]”.
Krebs’ site was finally restored by Google, who put krebsonsecurity.com under the wing of its DDoS protection for journalists, Project Shield.
The attack was noteworthy for its size but also for the fact that it didn’t rely on the kind of leveraging techniques commonly used to achieve really big DDoS attacks, something that led Akamai’s Martin McKeay to tell Krebs “Someone has a botnet with capabilities we haven’t seen before”.
The record doubled
Within just a few days it became clear just what those capabilities might be when French hosting company OVH was subjected to the first 1 Tbps attack.
Less than a month later a “highly distributed attack involving 10s of millions of IP addresses” blasted DNS infrastructure provider Dyn with a 1.2 Tbps DDoS that made household names like Twitter, AirBnB, Reddit, Spotify, Amazon and Netflix unreachable.
After restoring service and analysing the attack Dyn confirmed that the primary source of the remarkable “capabilities we haven’t seen before” was the same as it had been for Krebs and OVH; the traffic was coming from the Internet of Things.
The internet of bots
The tens of thousands of computers that were compromised and harnessed into a botnet to attack Krebs, OVH and Dyn weren’t computers in the traditional sense at all: they were internet-connected CCTV cameras and DVRs (Digital Video Recorders).
Security professionals have been warning about insecure IoT devices for years and the emergence of the Internet of Things has been accompanied by a torrent of stories about hackable cars, thermostats, door bells, fridges, kettles, cameras, TVs and baby monitors.
A 2014 study by HP found that seven out of the ten internet-enabled devices they tested were vulnerable to some form of attack and that each gadget had, on average, no fewer than 25 vulnerabilities.
And the vulnerabilities aren’t new for the most part; they’re well-understood problems that we should have put to bed long ago, like default passwords, cleartext protocols and SQL injection vulnerabilities. It’s as if the rush to connect consumer devices to the internet has made us forget the last 20 years of security best practice.
The cost of that collective amnesia and the true threat it poses was finally made manifest in September and October thanks to malware known as Mirai, which harvests insecure IoT devices and then presses them into service as part of a botnet capable of delivering terabit-scale attacks.
Gartner estimates that there are about 6 billion devices connected to the Internet of Things today and expects that number to hit 20 billion by 2020.
They won’t all be insecure, but given the IoT’s rate of growth, its poor security so far and the difficulty of updating many of the devices connected to it, it’s fair to say that the number of vulnerable computers open to abuse by hackers is likely to increase significantly in just a few years.
That could lead to significant increases in the maximum capabilities available to adversaries looking to harm or extort financial services companies (and a corresponding hike in the cost of DDoS protection).
It could also lead to a significant ‘trickle down’ effect that puts increasingly powerful and sophisticated malware into the hands of individuals. At the end of September the source code for Mirai was published online, a move described by Krebs as “virtually guaranteeing that the Internet will soon be flooded with attacks from many new [IoT] botnets”.
DDoS attacks are the original ransomware and have long been used by criminals who attack companies and then extort money in return for calling off their attacks.
The emergence of tools like Mirai shows that the effects of insecurity in the IoT aren’t limited to individual devices and their users – it is a systemic problem for all of us.