Apocalypse now: The IoT DDoS threat

One of the things you learn about humanity, if you’re paying attention, is that “gold rushes” bring out the worst in us. When there are no constraints and there is a greed motivator, people will literally trample anyone or anything to get to the goods.

Over the ages, literal and financial empires have been forged on this principle, and no matter when or for what particular gain, there has always been serious collateral damage. Despite the newfangled and unfamiliar techno terms, IoT and the emerging botcalypse are just another sordid example of this truism.

The Internet of Things (IoT) was coined as a term to capture the explosion of connected devices that would serve us in myriad ways. Whether our DVR, key fob, car, front door lock, lightbulb, security or nanny cam, the idea is that the Internet will give us ubiquitous connectivity from the normal “things” of life to a cloud-delivered galaxy of software goodness that would track, monitor, visualize, enable, and finally actualize the promise of the Internet to the “real world.”

Little did anyone suspect that we were signing up to be roadkill of the latest gold rush. In the spirit of “fool us a thousand times”, shame on us.

IoT is a gold rush for multiple reasons. First, because of the rich vein of consumers who are ready to be sold connected devices. Individuals and businesses have come to believe in the utility and reliability of the Internet, the trustworthiness of software as a service, the safeguarding of their credit card accounts, and the productivity boost they’ll receive by always being connected to everything, all of the time. Second, because of the lack of constraints. Other than basic electrical safety standards, there are barely any regulations on Internet devices, since regulatory action runs far behind the state of technology. As a result, IoT manufacturers have a lot of freedom, particularly in their software design.

In these fertile conditions, manufacturers have rushed in to offer a cornucopia of connected devices that fulfill all sorts of wishes. With information collected from automotive systems like OnStar and SYNC, insurance companies can get better insight into driver habits for underwriting purposes, while drivers can get cheaper insurance rates. Security and nanny cams with connected DVRs offer assurance and comfort through remote visibility. Lights, power, refrigerated food and other mundane aspects of running homes and small businesses can be monitored and managed via apps. Analyst firms predict that connected devices will number in the many billions soon, and we can be assured that many tens to hundreds of billions of dollars of business ride on this diaspora.

In their rush to the gold, IoT manufacturers have conveniently ignored the most basic security measures and shipped devices that are practically tailor-made for being colonized into botnets. Most IoT devices come with one of a handful of common default passwords, which most consumers and small businesses never update. Some IoT vendors have even hard-coded those credentials so they can’t be changed.

Mirai, Bashlite and other malware use dictionaries of those commonly shipped default username and password combinations, like “admin, admin”, “admin, password” and “admin, 12345”, to compromise hundreds of thousands to millions of devices. Cue the botcalypse.
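The credential-sweep pattern described above is easy to spot on a device's own login log. The following detection example is added here and is not from the article or from any vendor's firmware; the log format and the source addresses are constructed, and the default-username list is an assumption standing in for a real botnet dictionary.

```python
import re
from collections import defaultdict

# Constructed telnet authentication log (not from the article); the line
# format is assumed, modelled on a typical syslog auth entry.
SAMPLE_LOG = """\
Oct 21 13:00:01 cam01 telnetd[412]: login failed user=admin from=198.51.100.7
Oct 21 13:00:02 cam01 telnetd[412]: login failed user=root from=198.51.100.7
Oct 21 13:00:03 cam01 telnetd[412]: login failed user=admin from=198.51.100.7
Oct 21 13:00:04 cam01 telnetd[412]: login ok user=admin from=198.51.100.7
Oct 21 13:05:00 cam01 telnetd[412]: login failed user=alice from=203.0.113.9
Oct 21 13:06:00 cam01 telnetd[412]: login ok user=alice from=203.0.113.9
"""

# Assumed set of factory-default usernames that botnet dictionaries target.
DEFAULT_USERS = {"admin", "root", "user", "guest", "support"}

LINE_RE = re.compile(
    r"login (?P<result>ok|failed) user=(?P<user>\S+) from=(?P<src>\S+)"
)


def analyze(log_text, fail_threshold=2):
    """Flag sources that fail repeatedly with default usernames.

    Returns {src: {"failed": n, "default_users": [...], "compromised": bool}};
    "compromised" is True when a default-user login succeeds after failures
    from the same source, the signature of a dictionary sweep that hit.
    """
    per_src = defaultdict(lambda: {"failed": 0, "users": set(), "hit": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authentication line
        rec = per_src[m["src"]]
        is_default = m["user"] in DEFAULT_USERS
        if is_default:
            rec["users"].add(m["user"])
        if m["result"] == "failed":
            rec["failed"] += 1
        elif is_default and rec["failed"] > 0:
            rec["hit"] = True
    return {
        src: {"failed": r["failed"], "default_users": sorted(r["users"]),
              "compromised": r["hit"]}
        for src, r in per_src.items()
        if r["users"] and r["failed"] >= fail_threshold
    }
```

A legitimate user who mistypes a personal password once (the 203.0.113.9 lines) is not flagged, because no default username is involved.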

IoT-powered botnets are behind some of the largest DDoS attacks ever recorded, ranging from 500Gbps to over 1Tbps in size. The most newsworthy of these recent attacks brought down the DNS services provided by Dyn. DNS maps between human-readable web names like “amazon.com” and machine-readable numerical Internet addresses. The disruption of DNS resolution services used by Amazon, Twitter, Netflix and others cut off widely known web services for millions of users and cost hundreds of millions of dollars in lost payment processing and e-commerce.

The size of these attacks has exposed a number of vulnerabilities in how the Internet works. For example, it is difficult for even the largest web companies to have more than one provider of critical Internet services like DNS. Other critical services, like payment processing, are also vulnerable. Outside of the web, many other systems supporting industries like transportation and agriculture are still unhardened against large volumetric attacks.

Sadly, I think we’re going to be seeing many more large attacks going forward. The genie is out of the bottle. There will probably be plenty of DDoS headlines in 2017.

What can be done? The key is for the industry to take charge of its destiny. I’ve been suggesting that a highly visible mark of cybersecurity assurance for IoT and other Internet devices, like those from Underwriters Laboratories and Consumer Reports, could be helpful.

In addition, the Internet infrastructure industry needs to be held to a higher standard for ensuring that traffic with faked source IP addresses is not allowed onto the network, thereby robbing attackers of the anonymity that serves them so well. If we don’t want to let the IoT botcalypse proceed unabated, and if we don’t want possibly ham-fisted regulation as the answer, it’s time for the Internet and IoT industries to take ownership of the problem, before the digital economy gets owned.
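The source-address check the paragraph asks of infrastructure providers is the ingress-filtering rule of BCP 38: a packet entering from a customer interface must carry a source address from the prefixes assigned to that customer. The example below is added here and is not from the article or any router vendor; the interface names and prefixes are constructed.

```python
import ipaddress

# Constructed table of customer-facing interfaces and the prefixes assigned
# behind each one (hypothetical edge-router configuration).
INTERFACE_PREFIXES = {
    "ge-0/0/1": ["192.0.2.0/24"],
    "ge-0/0/2": ["198.51.100.0/25", "198.51.100.128/26"],
}
_NETWORKS = {
    ifname: [ipaddress.ip_network(p) for p in prefixes]
    for ifname, prefixes in INTERFACE_PREFIXES.items()
}


def source_is_valid(ifname, src_ip):
    """BCP 38 ingress check: accept only sources assigned behind `ifname`.

    Unknown interfaces and malformed addresses are treated as invalid, so the
    filter fails closed rather than letting unverifiable traffic through.
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in _NETWORKS.get(ifname, []))


def filter_packets(packets):
    """Split (interface, src_ip) pairs into accepted and dropped lists."""
    accepted, dropped = [], []
    for ifname, src in packets:
        (accepted if source_is_valid(ifname, src) else dropped).append((ifname, src))
    return accepted, dropped


# Constructed sample traffic: two legitimate sources, one spoofed source
# using an address from another network, one address inside 198.51.100.0/24
# but outside the sub-prefixes assigned to ge-0/0/2, and an unknown port.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "192.0.2.10"),
    ("ge-0/0/1", "203.0.113.5"),
    ("ge-0/0/2", "198.51.100.150"),
    ("ge-0/0/2", "198.51.100.200"),
    ("ge-0/0/9", "192.0.2.10"),
]
```

The fourth packet shows why the table must list the exact assigned prefixes: 198.51.100.200 sits in the customer's /24 but in neither assigned sub-prefix, so it is dropped.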