Not so long ago, a cyber attack in the US and Europe spooked the world. A Distributed Denial of Service (DDoS) attack took down Dyn, the DNS provider behind Reddit, Spotify, SoundCloud and a plethora of other websites, by flooding its name servers with junk traffic from an enormous number of sources, most of them compromised IoT devices. Dyn's own infrastructure was the target, but because the names it served could no longer be resolved, the internet-facing services of many organizations were paralyzed without a single attack packet reaching their servers.
This attack served as a chilling demonstration of the vulnerabilities that come with IoT. As the IoT revolution takes hold, attackers are turning to IoT devices to grow their botnet armies. Gartner estimated 6.4 billion IoT devices connected to the internet in 2016, a number expected to reach roughly 21 billion by 2020. The sheer number of devices in existence makes fertile ground for malicious hackers.
In an era of growing botnets, zombies and security breaches, IoT systems in particular need to keep security a top priority at all times.
A bot (short for robot) is a script or software application that performs tasks on command. Malicious bots carry out tasks for an attacker and install intrusive software, including viruses, trojan horses, spyware, adware and other malevolent programs, which lets the attacker take remote control of any infected machine that is connected to the internet. Also known as web robots, bots are usually part of a network of infected machines called a botnet. Botnets are often built from victim machines spread across the globe, unbeknownst to their owners, and are used to send spam, perpetrate scams and, as in the Dyn incident, launch DDoS attacks. The infected machines are also referred to as zombies.
But what makes IoT devices so vulnerable?
1) Most IoT devices have no user interface (UI). Because nobody interacts with them day to day, there is nothing to tell the owner that a device is being probed, or has already been taken over, until the effects show up somewhere else.
2) IoT devices need stronger access controls. Configuring an IoT device requires some form of network access to it, through a web interface or an app talking to TCP/UDP sockets, and that access method has to be the same for every unit shipped. So even where the device is protected by a password, it is the same factory default on every device. Consumers are already jaded from remembering passwords for everything from banking to online grocery shopping, so the default is frequently never changed, and a simple brute-force run through well-known default credentials gives an attacker easy access. The check a practitioner wants here is whether the device forces a password change on first use or ships with a credential unique to that unit; if it does neither, assume the default is already in an attacker's dictionary.
3) By design, IoT devices have limited computational capabilities and no concept of a firewall or of diagnostic tools, so there is little on the device itself to block an intrusion or to reveal one afterwards.
4) One key mistake manufacturers are making is pushing their devices to connect directly to the internet over Wi-Fi. The better design is a simpler local protocol such as ZigBee within the premises, with an aggregated feed passing through a secure gateway; the gateway is then the only internet-facing component, and it is the one piece that can be hardened and monitored properly.
How can organizations defend against DDoS attacks and IoT botnets?
Dealing with the rising threat of IoT botnets is not only important but also doable. Bear in mind some best practices:
– If you're connecting a device to the internet, protect it with a strong, unique password, and change any factory default before the device goes online
– Invest in a good firewall, and put the devices behind it rather than exposing them directly
– Monitor devices, servers, networks and traffic, and protect them throughout; a burst of failed logins against a device, especially one followed by a success, is the earliest sign that a botnet is recruiting it
– Keep an eye on the complete chain of communication across the devices
– Secure connectivity across the network and device infrastructure
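As an added example, not code from the article or from 75F, the following Go program turns two of the points above into detection logic: it parses remote-login records, flags any source that hammers devices with failed logins inside a sliding window, and, more importantly, flags a successful login that arrives on the heels of a run of failures from the same source against the same device, which is what a default-password dictionary attack looks like when it succeeds. The log line format and the sample lines are constructed for this example (the documentation addresses 203.0.113.7 and 198.51.100.4 stand in for an attacker and a legitimate operator); real devices will need their own parser, but the two rules are the same.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LoginEvent is one parsed authentication record from a device's remote-login log.
type LoginEvent struct {
	When                 time.Time
	Device, Source, User string
	Success              bool
}

// SampleLog is constructed for this example; the line format is an assumption, not
// any real product's output: <RFC3339 time> <device> auth <ok|fail> user=<name> src=<ip>
const SampleLog = `2016-10-21T11:00:01Z cam-01 auth fail user=root src=203.0.113.7
2016-10-21T11:00:02Z cam-01 auth fail user=admin src=203.0.113.7
2016-10-21T11:00:03Z cam-01 auth fail user=support src=203.0.113.7
2016-10-21T11:00:04Z cam-01 auth fail user=user src=203.0.113.7
2016-10-21T11:00:05Z cam-01 auth ok user=root src=203.0.113.7
2016-10-21T11:00:07Z dvr-02 auth fail user=root src=203.0.113.7
2016-10-21T11:00:08Z dvr-02 auth fail user=admin src=203.0.113.7
2016-10-21T11:00:10Z dvr-02 auth ok user=admin src=203.0.113.7
2016-10-21T11:05:00Z cam-01 auth fail user=operator src=198.51.100.4
2016-10-21T11:30:00Z cam-01 auth ok user=operator src=198.51.100.4`

// ParseLine converts one log line into a LoginEvent, rejecting anything malformed.
func ParseLine(line string) (LoginEvent, error) {
	f := strings.Fields(line)
	if len(f) == 6 && f[2] == "auth" && (f[3] == "ok" || f[3] == "fail") &&
		strings.HasPrefix(f[4], "user=") && strings.HasPrefix(f[5], "src=") {
		if when, err := time.Parse(time.RFC3339, f[0]); err == nil {
			return LoginEvent{When: when, Device: f[1], Success: f[3] == "ok", User: f[4][5:], Source: f[5][4:]}, nil
		}
	}
	return LoginEvent{}, fmt.Errorf("unrecognised log line: %q", line)
}

// ParseLog parses every line and returns the events in time order (logs merged from several devices).
func ParseLog(log string) ([]LoginEvent, error) {
	var events []LoginEvent
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	return events, nil
}

// FindBruteForcers returns, sorted, every source address with at least threshold (>= 1)
// failed logins, against any device, inside one window of the given length.
func FindBruteForcers(events []LoginEvent, window time.Duration, threshold int) []string {
	failures := map[string][]time.Time{} // source -> failure times, in order
	for _, ev := range events {
		if !ev.Success {
			failures[ev.Source] = append(failures[ev.Source], ev.When)
		}
	}
	var flagged []string
	for src, times := range failures {
		// threshold failures fit in one window iff some threshold consecutive ones do
		for i := threshold - 1; i < len(times); i++ {
			if times[i].Sub(times[i-threshold+1]) <= window {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// FindLikelyCompromises reports each successful login preceded, within window, by at least
// minFailures failures from the same source against the same device: a dictionary that finally hit.
func FindLikelyCompromises(events []LoginEvent, window time.Duration, minFailures int) []string {
	var hits []string
	for i, ev := range events {
		fails := 0
		for _, prev := range events[:i] {
			if !prev.Success && prev.Device == ev.Device && prev.Source == ev.Source && ev.When.Sub(prev.When) <= window {
				fails++
			}
		}
		if ev.Success && fails >= minFailures {
			hits = append(hits, fmt.Sprintf("%s: login as %s from %s after %d failures", ev.Device, ev.User, ev.Source, fails))
		}
	}
	return hits
}

func main() {
	events, _ := ParseLog(SampleLog)
	fmt.Println(FindBruteForcers(events, time.Minute, 5), FindLikelyCompromises(events, time.Minute, 3))
}
```

Run it with `go run` and tune the window and thresholds to the device population: six failures in ten seconds from one source across two devices is unambiguous, two failures before a success is within the range of a typo, and the operator's one failure followed by a success twenty-five minutes later is outside a one-minute window entirely, although widening the window to an hour would sweep it in as well.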
Other security aspects
• Each device should identify itself and prove that it can communicate securely with the other devices in the system. User authentication should also be implemented.
• Confidentiality is also paramount. All data should be encrypted, whether it resides on physical networks, in virtualized environments or in the cloud, or is in transit.
• All data needs to be protected against unauthorized modification and against malicious code; data integrity should be ensured.
• Digitally signed documents and transactions, with the signing key held in a hardware security device, provide strong non-repudiation of the date and origin of a transaction.
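The four points above (device identity, confidentiality, integrity, non-repudiation) compose into one message format. The Go program below is an added example, not code from the article or from 75F. It assumes each device is provisioned at manufacture with an Ed25519 identity key pair and a 32-byte AES-256 data key, with the public key and the data key enrolled at the gateway; the hardware security element that the last point calls for is out of scope here, so the keys live in memory. The Ed25519 signature proves which device sent the message and cannot later be disowned, AES-GCM gives confidentiality and integrity of the payload, and a per-device sequence number stops a captured message from being replayed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Envelope is the wire format: ciphertext, nonce, sequence number and a signature.
type Envelope struct {
	DeviceID   string
	Seq        uint64
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

// header (length-prefixed device ID plus sequence number) is the AEAD's associated data.
func header(e *Envelope) []byte {
	b := binary.BigEndian.AppendUint64(nil, uint64(len(e.DeviceID)))
	b = append(b, e.DeviceID...)
	return binary.BigEndian.AppendUint64(b, e.Seq)
}

// signedBytes is exactly what the device signs and the gateway verifies.
func signedBytes(e *Envelope) []byte {
	return append(append(header(e), e.Nonce...), e.Ciphertext...)
}

// Device: identity (signing) key plus per-device data key; a real product would keep the signing key in a secure element.
type Device struct {
	ID      string
	signKey ed25519.PrivateKey
	aead    cipher.AEAD
	seq     uint64
}

// Seal encrypts one payload under the data key and signs the resulting envelope.
func (d *Device) Seal(plaintext []byte) (*Envelope, error) {
	nonce := make([]byte, d.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	d.seq++
	e := &Envelope{DeviceID: d.ID, Seq: d.seq, Nonce: nonce}
	e.Ciphertext = d.aead.Seal(nil, nonce, plaintext, header(e))
	e.Signature = ed25519.Sign(d.signKey, signedBytes(e))
	return e, nil
}

// peer is the gateway's record of one enrolled device.
type peer struct {
	pub     ed25519.PublicKey
	aead    cipher.AEAD
	lastSeq uint64 // highest sequence number accepted so far (replay window)
}
type Gateway struct{ peers map[string]*peer }

// Open checks identity (signature), then freshness (sequence), then decrypts with integrity verification.
func (g *Gateway) Open(e *Envelope) ([]byte, error) {
	p, ok := g.peers[e.DeviceID]
	if !ok || !ed25519.Verify(p.pub, signedBytes(e), e.Signature) {
		return nil, fmt.Errorf("device %q: unknown or signature mismatch", e.DeviceID)
	}
	if e.Seq <= p.lastSeq {
		return nil, fmt.Errorf("device %q: seq %d replayed or out of order", e.DeviceID, e.Seq)
	}
	plaintext, err := p.aead.Open(nil, e.Nonce, e.Ciphertext, header(e))
	if err != nil {
		return nil, fmt.Errorf("device %q: integrity check failed: %w", e.DeviceID, err)
	}
	p.lastSeq = e.Seq
	return plaintext, nil
}

// Provision stands in for manufacturing: fresh identity key pair and AES-256 data key, enrolled with a new gateway.
func Provision(id string) (*Device, *Gateway, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	dataKey := make([]byte, 32)
	if _, rerr := rand.Read(dataKey); err != nil || rerr != nil {
		return nil, nil, fmt.Errorf("key generation failed: %v / %v", err, rerr)
	}
	block, _ := aes.NewCipher(dataKey) // only fails on a bad key size; 32 bytes is valid
	aead, _ := cipher.NewGCM(block)    // only fails for a non-128-bit block cipher
	gw := &Gateway{peers: map[string]*peer{id: {pub: pub, aead: aead}}}
	return &Device{ID: id, signKey: priv, aead: aead}, gw, nil
}

func main() {
	dev, gw, _ := Provision("thermostat-7")
	env, _ := dev.Seal([]byte("temp=21.5"))
	pt, err := gw.Open(env)
	_, replayErr := gw.Open(env) // the same envelope captured and resent
	fmt.Printf("delivered %q (err=%v); replay: %v\n", pt, err, replayErr)
}
```

Order matters in Open: the signature is checked before anything else so that an unauthenticated message can neither advance the sequence counter nor reach the decryption code, and the counter is advanced only after decryption succeeds. The device ID and sequence number are bound into the AEAD as associated data, so even with the signature stripped a ciphertext cannot be re-labelled for another device or slot.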
The best approach is to mitigate botnet attacks at the very source, through secure product design and secure gateways that protect all on-premises devices. It is also important to favour applications that are not remotely modifiable and that only act in response to specific, explicitly granted permissions, and it is advisable to avoid over-the-air updates for such devices, since an update channel is one more connectivity path for an attacker to intrude through. Bear in mind the trade-off a practitioner will raise: a device that cannot be updated also cannot be patched once a flaw in it becomes public, so any update path that does exist must accept only images that are digitally signed and verified on the device before installation. Keeping devices and the network protected at every level is the key.
Pankaj Chawla is the Co-Founder and CTO of 75F, based out of Bangalore. He worked for over 15 years in the Electronic Design Automation (EDA) industry, building multiple new products for Cadence Design Systems, before the proverbial entrepreneurial bug bit him.