A worry for both companies and users is that there are few measures put in place by device makers to mitigate the threat or provide protection against an attack.
Many device manufacturers design IoT products as “set-and-forget” where security is an afterthought. This is especially worrisome considering the long lifespan of many white goods and other household smart devices that do not receive the same regular operating updates as smartphones, leading to a greater risk of a breach.
iTWire spoke to Robin Schmitt, general manager Australia at Neustar, for his take on the issues. Neustar provides real-time information and analytics for the Internet, telecommunications, entertainment, and marketing industries, and is a provider of clearinghouse and directory services to the global communications and Internet industries.
“It almost goes without saying that as the rate of IoT devices in the mass market increases exponentially, the risk of security breaches also rises. A recent Neustar report into DDoS attacks found that 61% of organisations are already using IoT devices,” Schmitt said.
Of those companies adopting IoT, 82% have been attacked in the past year, versus just over half of companies not using IoT devices. Research firm Ovum says there are at least 500,000 vulnerable devices already in the market, and Forrester Research, by coincidence citing the same figure, predicts that more than 500,000 IoT devices will suffer a compromise this year.
Q. Why are connected devices so vulnerable to DDoS attacks?
A worry for both companies and users is that there are currently few measures put in place by device makers to mitigate the threat or provide protections in the event of an attack.
For example, many devices share a common flaw in that they are configured and shipped with the same well-known and weak user IDs and passwords common to all devices of each model. In addition, some devices are built using a third-party component where the default user ID and password are hardcoded and cannot be updated or changed by the user.
Once vulnerable devices are found and the security deficiency exploited, it becomes near impossible to prevent infection without issuing a security update or recalling the affected devices, incurring significant costs to the manufacturer. Also, rolling out firmware updates can be difficult as many devices are not designed to be easily updateable.
Q. Who is most at risk of an IoT botnet attack?
Generally, those industries with the least investment in DDoS detection or mitigation are the most vulnerable to threats. E-commerce platforms are under particular threat, as revenue is directly and significantly impacted by DDoS attacks.
Companies of all sizes can fall prey to a DDoS attack. However, technology companies, retail and financial services are particularly vulnerable due to the substantial financial gains to be made for the attackers.
Q. Will the number and volume of IoT botnet attacks continue to increase this year?
IoT ecosystems need gateways to communicate between devices and each additional gateway is another attack surface for potential security hacks. As the number of IoT devices in use rises dramatically over the next decade, this offers a lucrative means for botnet herders to seize more and more vulnerable devices to hit organisations with higher volume DDoS attacks.
According to a recent Neustar report into cyber security trends, organisations globally experienced peak multi-vector attack sizes much greater last year than in 2015. In fact, the average size of maximum monthly peak sizes was more than double the largest monthly attack averages in 2015. This reflects, in part, a higher potency of attack strength mustered by powerful vector combinations and new attack methods involving IoT botnets.
Q. Is government intervention necessary?
Europe is at the forefront of global IoT regulation, with moves already in progress to provide a framework for better regulation of connected devices. Last October, the European Commission reported it was drafting new security legislation for IoT devices, which would include a certification system notifying consumers of the level of security of their device. The certification would be comparable to Europe’s current energy efficiency rating system for whitegoods and electronics.
The aim of the proposed regulation is to mitigate cyber security risks and ensure consumer confidence in IoT devices, particularly considering Europe’s plans to boost Internet speeds over the next decade.
In the wake of the recent high-profile, high-volume DDoS botnet attacks, such as the global attack on Dyn and the attack on security writer Brian Krebs’ website, this is a step in the right direction.
Time will tell if Australian lawmakers decide to follow in the footsteps of Europe in developing a set of standards to combat the increasing threat of botnets. Certainly, there is a need for it given the spread of attacks globally, including in Australia.
IoT needs standards and certifications, to help propagate best practice, improve quality and implement security controls. As the IoT industry continues to evolve, collaborating openly and adopting standards and introducing certifications will strengthen the industry.
Q. At the enterprise level, how can organisations ensure better security?
Worryingly, Australia and the rest of APAC fall behind global counterparts in relation to DDoS protection, with almost half of all APAC organisations taking on average over three hours to detect a DDoS attack and an extra three hours to respond.
This is alarmingly higher than global averages. Understanding the changing risk profile is key, particularly when faced with the knowledge that network outages during peak times can cost almost half of all organisations $100k or more. Organisations should review the risk imposed and consider varying their defences in line with increased risk exposure. Right-sizing the investment is vital.
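The three-hour detection times quoted above are largely a matter of nobody looking at the right signal. As an added illustration (not code from the interview, from Neustar or from iTWire), the script below runs a simple volumetric detector over web-server access logs: it learns a per-second request baseline from a warm-up period and then flags any second whose rate is several times that baseline and whose traffic comes from many distinct addresses, which is the signature of the IoT botnets discussed in this article (each bot sends little, but there are thousands of them). The log lines, addresses, thresholds and the helper names are constructed for the example; the sample deliberately includes one abusive single client that is not flagged, since that is a rate-limiting problem rather than a botnet flood.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format; only the client address and timestamp are used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, epoch_second) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), int(ts.timestamp())


def bucket_by_second(lines):
    """Map each epoch second to a Counter of hits per client address (unparseable lines are skipped)."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ip, sec = parsed
            buckets[sec][ip] += 1
    return buckets


def detect_floods(lines, baseline_seconds=5, rate_factor=5.0, min_sources=20):
    """Flag seconds whose request rate is far above the learned baseline AND spread over many addresses.

    The source-diversity condition is what separates a botnet flood from a single noisy client:
    a lone abuser is handled by per-address rate limiting, not by DDoS mitigation.
    The baseline is the mean requests/second over the first `baseline_seconds` buckets, which are
    assumed to be clean. Returns a time-ordered list of (epoch_second, requests, distinct_sources).
    """
    buckets = bucket_by_second(lines)
    if not buckets:
        return []
    seconds = sorted(buckets)
    warmup = seconds[:baseline_seconds]
    baseline = sum(sum(buckets[s].values()) for s in warmup) / len(warmup)
    threshold = max(baseline * rate_factor, 1.0)  # never alert on a baseline of zero
    alerts = []
    for s in seconds[baseline_seconds:]:
        hits = sum(buckets[s].values())
        sources = len(buckets[s])
        if hits > threshold and sources >= min_sources:
            alerts.append((s, hits, sources))
    return alerts


# --- Constructed sample log (not real traffic) ---------------------------------------------
BASE = datetime(2017, 3, 10, 9, 0, 0, tzinfo=timezone.utc)


def make_line(ip, offset, path="/"):
    ts = (BASE + timedelta(seconds=offset)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


def constructed_log():
    lines = []
    # Seconds 0-4: ordinary traffic, three clients, 4 requests per second.
    for sec in range(5):
        for ip in ("198.51.100.10", "198.51.100.11", "203.0.113.5"):
            lines.append(make_line(ip, sec, "/index.html"))
        lines.append(make_line("198.51.100.10", sec, "/style.css"))
    # Second 5: one client misbehaves (40 requests): high rate, but a single source.
    for _ in range(40):
        lines.append(make_line("203.0.113.99", 5, "/search?q=x"))
    # Seconds 6-7: 40 distinct addresses sending two requests each, the botnet pattern.
    for sec in (6, 7):
        for host in range(1, 41):
            for _ in range(2):
                lines.append(make_line(f"192.0.2.{host}", sec, "/"))
    return lines


if __name__ == "__main__":
    for sec, hits, sources in detect_floods(constructed_log()):
        when = datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%H:%M:%S")
        print(f"{when}: {hits} requests from {sources} distinct addresses")
```

Running the script prints two alerts, for 09:00:06 and 09:00:07 (80 requests from 40 addresses each), and nothing for 09:00:05 even though its rate is just as far above baseline. In production the warm-up baseline would come from historical traffic rather than the first few seconds of the file, and the alert would feed an upstream scrubbing or rate-limiting action rather than a print statement; the point of the example is that the detection itself is a few lines and can run in seconds, not hours.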