Trick or threat? How zombie IoT devices surprised the internet
“Trick or treeeat!” Hearing kids yell that at your front door means one thing: if you don't give them candy, you can count on being the target of some rather mean jokes.
Compared to that, millions of routers, security cameras and other IoT (Internet of Things) devices that knocked on the door of Dyn DNS a week before Halloween didn't offer any such option. Instead, they formed one giant zombie army with a single malicious aim – to take down the internet and some of its most popular services.
ESET, as well as many other security vendors, have accurately predicted that IoT security would become an important topic this year. However, the most frequently voiced concerns were that these devices might become a large source of leaked owner data, or might be targeted as a weak security link in home networks. But things don't always turn out the way you expect, right?
Last week's massive DDoS attacks, as well as hits on Brian Krebs' website, have shown that private information wasn't the main focus of cybercriminals - at least not for now. Their aim has been to gain control over millions of IoT devices and direct their power towards any target they choose.
What these attacks prove is that there are tens of millions of devices that can be exploited due to poor security practices such as employing default usernames or passwords or running vulnerable and out-of-date firmware.
And even though Dyn was able to mitigate the attacks in a matter of hours, this may only be the beginning of a “DDoS war” in the coming months.
To understand the possible scale, let's look at the numbers. According to Gartner, there were close to five billion IoT devices on the market (including the automotive industry) by the end of 2015. If the same estimates are correct, in 2020 this figure will grow to over 25 billion.
Without a shift towards more security in the IoT field at all levels – ranging from producers, who need to build their software and hardware with security in mind, all the way to regulators, who have to put proper constraints in place to enforce higher standards – this problem could get much worse.
And let's not forget about end users. Even you as a home user can contribute to the solution, in multiple ways:
- The first step would be to buy quality IoT devices that are up to current security standards, and to avoid cheap substitutes that are being built without a focus on this aspect.
- You can also run tests to find vulnerabilities in your hardware – such as default factory passwords or out-of-date software (firmware) – and change or patch them.
- Carefully set up IoT devices that you already have back home, such as your router.