DDoS attacks that force websites to go offline and cripple servers are nothing new, but many of the massive DDoS attacks last year, which also happened to be the biggest in history, had a common characteristic we’ve never seen before. They all originated from hordes of zombified IoT devices, also known as IoT botnets.

Because IoT devices are here to stay, this threat won’t be going away anytime soon. If your network includes websites and other Internet-facing applications, you need to understand what these threats are, how it can impact your business, and what we in the business community can do to protect our IT infrastructures from these types of attacks.

What IoT Botnets are and why cyber crooks are targeting them

As its name implies, an IoT botnet is a botnet consisting of IoT (Internet of Things) devices. So, it can be made up of CCTV cameras, DVRs, home routers, modems, baby monitors, and a host of other seemingly harmless IoT devices.

There are a couple of reasons why cybercriminals have now started rounding up IoT devices into botnets. First, they’re easy to hack into (we’ll elaborate on this shortly).

Second, they’re connected to the Internet. That means, they can be accessed (and compromised) from the Internet and they can be used to attack other machines on the Internet.

Third, the resource and computing constraints of these devices make most of them incapable of running security agents like antivirus software or firewalls.

And fourth, there are already millions of these devices out there and billions coming in the near future. If Gartner’s predictions came true, there should have been about 6.4 billion IoT devices last year. In addition, according to Morgan Stanley, there should be around 50 billion of these devices by 2020. Unless something can be done to secure them, a ton of connected devices are and will be ripe for the picking.

Biggest DDoS attacks in history

DDoS or Distributed Denial of Service attacks are attacks launched from a multitude of zombified machines, collectively known as botnets. These are machines that have been compromised and placed under the control of a remote C&C (command-and-control) server.

Traditionally, botnets consist of servers and desktops. But lately, there are botnets made up of IoT devices. The sheer number of these devices has resulted in the largest DDoS attacks ever recorded. Some of the most publicised IoT botnet DDoS attacks are:

1. The attack on the Krebs on Security site. This attack reached 650 Gbps.
2. The attack on French web host OVH (1 Tbps)
3. The attack on DNS provider Dyn (1.2 Tbps)

That 1.2 Tbps attack managed to cripple high-traffic sites like Twitter, Amazon, CNN, and Reddit. For comparison, the largest non-IoT botnet DDoS attacks only topped 500 Gbps.

Impact to business

Any type of DDoS attack that manages to cripple a website or server can have a huge impact on your business. It can cause:

Revenue and opportunity loss - This is particularly true for e-commerce websites or sites that are part of a supply chain. While these sites are down, the businesses behind them will stop earning or gaining new customers.

Productivity loss - If the server or website is used by employees, the resulting downtime will prevent them from fulfilling their duties. In addition, if the server is crucial to business workflow, other business operations down the line will likewise be impacted.

Damage to reputation - Web-facing sites that go offline (regardless of whether due to a DDoS or not) don’t paint a pretty picture and can leave the impression that the company is vulnerable to cyber attacks. This will turn off customers who are wary of data breaches.

Vulnerabilities in IoT Devices

As mentioned earlier, IoT devices are relatively easy to hack into. The main reason is that most of them use factory default or hard-coded credentials (this usually means usernames and passwords). Factory default passwords are often shared in hacking forums and hence are easily accessible to attackers. Those that aren’t known are nevertheless easy to guess (e.g. username=admin, password=admin) and hence are vulnerable to brute-force attacks.

Many of these devices are accessible through the Internet, so attackers don’t have to be physically present in order to break into them.

Some of these devices transmit data over the Internet in plaintext. That makes them vulnerable to what is known as man-in-the-middle attacks. These attacks allow cybercriminals to eavesdrop on an IoT connection and acquire data from the transmission, including usernames and passwords.

IoT devices actually have a much larger attack surface than most people think. They usually operate alongside a mobile app and a cloud-based server. If the mobile or cloud interfaces also have vulnerabilities, criminals can also attack the infrastructure through those points.

What we can do to fight IoT botnets

Although IoT botnets are a new threat, the vulnerabilities they tend to exploit are already known. Thus, manufacturers, businesses and consumers can work together to mitigate the threat.

One thing that can be done is to replace the administrative passwords of these devices to stronger ones. Of course, the device manufacturers must make it possible for the passwords to be changed.

Secondly, if it’s possible to disable remote administration on these devices and just enable local administration, then that would prevent attackers from hacking into the devices through the Internet.

Third, if manufacturers can replace or augment password-based authentication with PKI (public key infrastructure), then that can strengthen the authentication and data exchange process. Digital signatures can be used to verify the authenticity of each data exchange between the devices and their corresponding servers and mobile apps.

Fourth, manufacturers should make sure that the transmissions between the devices and their cloud-based servers, or even their corresponding mobile apps, are encrypted with secure protocols like SSL/TLS to prevent man-in-the-middle attacks.

If we are able to secure the IoT environment, we can substantially mitigate the risk of the devices getting ensnared into a botnet and in turn reduce the risks of IoT-based DDoS attacks.