Story image

Trick or threat? How zombie IoT devices surprised the internet

01 Nov 16

“Trick or treeeat!” Hearing kids yell that at your front door means one thing: if you don’t give them candy, you can count on being the target of some rather mean jokes.

Compared to that, millions of routers, security cameras and other IoT (Internet of Things) devices that knocked on the door of Dyn DNS a week before Halloween didn’t offer any such option. Instead, they formed one giant zombie army with a single malicious aim – to take down the internet and some of its most popular services.

ESET, as well as many other security vendors, have accurately predicted that IoT security would become an important topic this year. However, the most frequently voiced concerns were that these devices might become a large source of leaked owner data, or might be targeted as a weak security link in home networks. But things don’t always turn out the way you expect, right?

Last week’s massive DDoS attacks, as well as hits on Brian Krebs’ website, have shown that private information wasn’t the main focus of cybercriminals - at least not for now. Their aim has been to gain control over millions of IoT devices and direct their power towards any target they choose.

What these attacks prove is that there are tens of millions of devices that can be exploited due to poor security practices such as employing default usernames or passwords or running vulnerable and out-of-date firmware.

And even though Dyn was able to mitigate the attacks in a matter of hours, this may only be the beginning of a “DDoS war” in the coming months.

To understand the possible scale, let’s look at the numbers. According to Gartner, there were close to five billion IoT devices on the market (including the automotive industry) by the end of 2015. If the same estimates are correct, in 2020 this figure will grow to over 25 billion.

Without a shift towards more security in the IoT field at all levels – ranging from producers, who need to build their software and hardware with security in mind, all the way to regulators, who have to put proper constraints in place to enforce higher standards – this problem could get much worse.

And let’s not forget about end users. Even you as a home user can contribute to the solution, in multiple ways:

  1. The first step would be to buy quality IoT devices that are up to current security standards, and to avoid cheap substitutes that are being built without a focus on this aspect.
  2. You can also run tests to find vulnerabilities in your hardware – such as default factory passwords or out-of-date software (firmware) – and change or patch them.
  3. Carefully set up IoT devices that you already have back home, such as your router.

Article by Ondrej Kubovic, We Live Security

Hillstone CTO's 2019 security predictions
Hillstone Networks CTO Tim Liu shares what key developments could be expected in the areas of security compliance, cloud, security, AI and IoT.
Can it be trusted? Huawei’s founder speaks out
Ren Zhengfei spoke candidly in a recent media roundtable about security, 5G, his daughter’s detainment, the USA, and the West’s perception of Huawei.
Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”
Malware downloader on the rise in Check Point’s latest Threat Index
Organisations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.