The Internet of Things (IoT) is now a major force in the weaponization of DDoS. In 2016, IoT botnets have fueled a number of attacks, including the largest-ever DDoS attack, and that role will only grow in the coming years. The tools to carry out these attacks are freely available to the public, and the IoT is expected to be 20 billion devices strong by 2020, so expect more frequent and disruptive attacks from a wider range of bad actors from now on.
While every organization must now protect itself against the potential for this kind of DDoS attack, this isn’t the only IoT vulnerability to keep in mind. 2017 will bring new threats as the IoT expands, challenging organizations and consumers alike to maintain effective defenses. Here are three IoT threats likely to emerge in 2017 and what organizations can do to protect themselves.
IoT ransom attacks
From cars to medical devices, as more machines and sensors come online next year, hackers will have greater leverage with ransom attacks. Who wouldn’t pay up to regain access to their home thermostat, car, or the pacemaker that regulates their heartbeat?
And while IoT devices can be the targets of threats, they can also be the perpetrators. With publicly available hacking tools, DDoS ransom attacks can harness “thingbots” – massive systems of compromised devices. These things often share IP addresses and have unfamiliar operating systems, making them harder to identify.
While IoT ransom attacks are different than regular ransomware, the same rules apply: paying a ransom often leads to prolonged or repeated attacks. If you adopt a strong security posture and make your organization a more difficult target, you will have to worry less about these attacks in 2017.
IoT as the ultimate end point, remaining uncontrollable for years
2016 brought the opening shots in the long awaited IoT threat, from the largest-ever DDoS attack to a botnet of 25,000 video recorders and CCTV cameras sending 50,000 HTTP requests per second. These connected devices have unlocked the 1 Tbps DDoS era.
In 2017, IoT platforms will need security in mind from the ground up, not simply added as an afterthought, as has been common until now. Today, a simple use of telnet and a limited list of factory default usernames and passwords can harness botnets of incredible size. As the space accelerates toward billions of connected things in the next few years, those botnets will only continue to grow if devices aren’t secured.
The burden for this security falls on three groups: Manufacturers, network carriers, and enterprise customers. While manufacturers must produce resilient products with built-in security, carriers should be able to detect and manage traffic originating from those devices to protect potential victims. Enterprise customers need to be aware of the risks to their infrastructure and assets, and invest in IoT that’s secure and can resist the threats that will emerge over the next three to five years.
PDoS threats against physical appliances
Also known loosely as phlashing, permanent denial of service (PDoS) attacks will pick up next year, aiming to destroy the firmware on IoT devices and other hardware. One PDoS method adopts remote or physical administration on the management interfaces of the victim’s hardware. The attacker may exploit vulnerabilities to replace a device’s basic software with a modified, corrupt, or defective firmware image. This bricks the device, rendering it unusable until it can be repaired or replaced.
The “things” of the IoT are particularly vulnerable to these attacks, as they’re often simple machines with little or no inherent security measures. You’ll need a clearer understanding of the different firmware versions, binaries, chip-level software, and technology in use in your environment to stay safe.
Securing the future of the IoT
The long-term success of the IoT will depend largely on whether secure platforms arise. In 2017 and beyond, the IoT will usher in new security measures, from device identification and automation to regulation and availability.
The long-tenured IP address, for example, is rapidly declining in security value as billions of non-traditional IT devices come online. Watch for device fingerprinting to grow more common as a way to identify a device based on multiple attributes instead of an IP address to create behavior and reputation profiles.
The need for automation was as dire in 2016 as it will be in 2017. As automated attacks increase, not even teams of security professionals can protect systems and devices under attack. Only by pitting bots against bots will organizations be able to defend themselves.
Regulation is needed in the IoT for safety, especially for employees at production facilities and industrial control concerns. The logistics, mass transit, electrical, and heating industries, all pursuing IoT technology, must be protected.
As organizations’ operations integrate and increasingly rely on the IoT, there will be more pressure on the network to maintain availability. Any downtime has financial and productivity consequences, but the far-reaching influence of the IoT will make it all the more critical.
As 2017 approaches, the IoT and connected devices are expected to grow exponentially. That in turn will draw new attention from hackers, and many IoT devices – and the organizations deploying them – aren’t ready. Only the organizations taking proactive, holistic steps to improve their security posture will see the true promise of the IoT without the disruptions and disasters of this next wave of attacks.