Solution Providers: Friday's DDoS Attack Shows The "Terrifying" Danger Of Unsecured IoT Devices
Solution providers say that Friday's distributed denial-of-service (DDoS) attack, which was launched through IoT devices and blocked an array of websites, deepens the industry's concerns over the security risk of the Internet of Things.
"Cybersecurity in the IoT world has far too long been an afterthought, and especially in the consumer market where understanding of risks and requirements is less stringent than the enterprise space," said Douglas Grosfield, founder and CEO of Kitchener, Ontario-based Five Nines IT Solutions. "As cool as many of the smart home devices are, many of them still do not provide the ability to password-protect access to them, leaving many open to compromise."
The denial-of-service attack was launched Friday through consumer Internet of Things devices, including webcams, routers and video recorders, to overwhelm servers at Dynamic Network Services (Dyn), and it led to the blockage of more than 1,200 websites.
The attack on Dyn, which connects users to websites such as Twitter and Netflix, came from tens of millions of addresses on devices infected with malicious software code, knocking out access by flooding websites with junk data.
Throughout Friday, Dyn experienced two waves of attacks, and a third wave was attempted that the company successfully mitigated without customer impact. Dyn's chief strategy officer, Kyle York, said in a blog post that the attacks came from devices infected by the Mirai botnet, malware that was revealed earlier in the month and that spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.
"The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet," he said.
Many consumer IoT device manufacturers do not invest enough in security, or view it as an afterthought, Grosfield said, which makes it "terrifyingly" easy for hackers to compromise the devices.
"TVs, DVRs, home security systems and cameras, smart thermostats, lighting systems, door-locks and even smart garage door openers, all connected to the Internet and to the homeowner’s WiFi network, present an attack surface that makes it terrifyingly easy for hackers to use in these types of attacks," he said.
On Monday, manufacturer Hangzhou Xiongmai announced that it will recall the web cameras that use its circuit board and other components, which were among the many devices used in the attack.
Chris Compton, founder of Smart Home HQ, a Newport, Ky.-based service provider specializing in home automation, said that IoT security is top of mind for many customers, and that partners play an important role in ensuring a program is in place to properly secure devices.
"Everyone's freaking out about security. For many devices, like webcams, passwords can be easily unlocked, and with home automation and the Internet of Things, devices can also be unlocked remotely," he said. "My view on [IoT] security is that you need a partner who is knowledgeable about it, and need a program in place to deal with it."
Grosfield said that IoT security issues will continue on a "growing scale" unless manufacturers address security-related shortcomings in their offerings.
"Strong password protection, and mandatory encryption, must be considered table-stakes for players in the IoT and connected device world, or they are creating a problem that will be very challenging to address as this rapidly growing market expands," he said.