The Internet of Things (IoT) was thrust back into the public eye last week when two of the largest ever Distributed Denial of Service (DDoS) attacks were facilitated by a botnet of compromised smart devices.
The first victim was security researcher Brian Krebs, who was forced to take his security blog offline due to a significant two-week-long DDoS attack. Having written an exposé on vDos, the Internet's most popular DDoS-for-Hire service, his site was subjected to an escalating attack which eventually peaked at a record 620 Gbps. This short-lived record was eclipsed just a few days later with an attack against web-hosting company OVH that topped the 1 Tbps (Terabits per second) barrier. Both of these attacks were conducted by an IoT botnet of compromised smart devices.
What is an IoT Botnet?
The IoT is a system of ‘smart’ internet-connected devices (e.g. fridges, TVs, CCTV) that have the ability to transfer data over a network without requiring human interaction. An IoT botnet is simply a network of compromised IoT devices controlled by a third party and used to spread malware or launch attacks. The number of IoT devices is growing at an incredible rate and, although conservative estimates suggest there are currently around 6.5 billion devices, this could rise to as many as 20 to 50 billion by 2020.
This particular botnet was assembled thanks to weak default usernames and passwords found in internet-connected cameras. The creator specifically designed it to scan the internet for poorly secured devices and gain access to them via simple passwords like "admin" or "12345." The botnet tried a list of 68 combinations of usernames and passwords which enabled it to spread to 380,000 devices. Unless vendors can move away from using default passwords, or enforce password resets when users initially install a device, such botnets will remain a significant threat.
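The vendor-side fix mentioned above, a forced password reset at first install, can be sketched as follows. This is an added example, not code from any vendor or from the original article; the Device class, the denylist contents (beyond the two passwords the article names) and the minimum length are assumptions made for illustration.

```python
import hashlib
import hmac
import os

FACTORY_DEFAULT = "admin"   # constructed factory credential
# Constructed sample denylist: the two passwords named above plus a few more.
DENYLIST = {"admin", "12345", "password", "root", "default"}
MIN_LENGTH = 12             # assumed policy value


def _kdf(password: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """Hypothetical camera firmware: remote login stays off until setup is done."""

    def __init__(self) -> None:
        self.factory_reset()

    def factory_reset(self) -> None:
        # A reset restores the default password AND re-locks remote access,
        # so a reset device is never reachable with the default credential.
        self._salt = os.urandom(16)
        self._hash = _kdf(FACTORY_DEFAULT, self._salt)
        self.provisioned = False

    def _matches(self, password: str) -> bool:
        return hmac.compare_digest(_kdf(password, self._salt), self._hash)

    def remote_login(self, password: str) -> bool:
        # Refused outright while the device is still in its factory state.
        return self.provisioned and self._matches(password)

    def set_password(self, current: str, new: str) -> str:
        """Local first-install step; returns "ok" or the rejection reason."""
        if not self._matches(current):
            return "current password incorrect"
        if new.lower() in DENYLIST or new == current:
            return "known default or unchanged"
        if len(new) < MIN_LENGTH:
            return "too short"
        self._salt = os.urandom(16)
        self._hash = _kdf(new, self._salt)
        self.provisioned = True
        return "ok"
```

The point of the design is that the default credential only ever works for the local setup step, so a device that is plugged in and forgotten exposes nothing for a credential-guessing scan to log in to.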
Why Should I Care if my Camera, Fridge or Light Bulb is in a Botnet?
Hackers are constantly seeking notoriety for conducting the biggest or most sophisticated hacks, and we expect to see further IoT botnet attacks in the future. In this case, the use of poor (or default) passwords left 380,000 devices vulnerable, but with the equipment owners not facing any liability or threat of prosecution as a result of their involvement in the botnet, why should you worry if your fridge or TV is part of the next one?
Notwithstanding the need to protect your data as it passes between devices, your equipment could suffer from performance issues or even enable hackers to compromise other appliances on your network. Promoting good cyber hygiene and a secure internet is in everyone’s interest and a simple password change could prevent your device becoming part of a damaging botnet. Whilst the disruption of OVH’s web-hosting services may not have affected you directly, how long will it be until the next IoT botnet disrupts access to your personal bank, your internet service provider or your local power distributor?